PHP形式的连字符和下划线和字母

时间:2011-06-21 02:22:01

标签: php mysql forms

我有一个PHP表单,当提交时保存到MySQL数据库。其中一个字段是用户输入其ID的ID字段。当用户拥有只有数字的ID时,一切正常。但是,如果他们的ID看起来像这样:

m0mvtRLb3Mm9c8ZlKa8_S2J5L-J35caA7eqQHb_DQ1a4pbOMmag0Mrt_Nz72VH48PQcMmt44Yxaic_NRXQqW-b3nSGgs3VLBp21Ii942DaZIhW0PqNi1wERne1jT7to30

然后它根本不起作用。 ID字段是varchar,是否需要其他内容?

这是该页面上的代码(settings.php)

<form enctype="multipart/form-data" action="settings.php?ID=<?=$ID?>" method="POST">
Please enter your information<br><br>
ID: <input name="ID" readonly="readonly" type="text" value="<?=$ID?>" ><br>
First Name: <input type="text" name="FN" value="" ><br>
Last Name: <input type="text" name="LN" value="" ><br>
Age: <select name="AGE">
    <option></option>
    <option>10</option>
    <option>11</option>
    <option>12</option>
    <option>13</option>
    <option>14</option>
    <option>15</option>
    <option>16</option>
    <option>17</option>
    <option>18</option>
    <option>19</option>
    <option>20-25</option>
    <option>26-30</option>
    <option>31-35</option>
    <option>36-40</option>
    <option>41-50</option>
    <option>51-60</option>
    <option>61-70</option>
    <option>70-80</option>
    <option>81+</option>
</select><br />
Email: <input type="text" name="EM" value=""><br>
Phone: <input type="text" name="PN" value=""><br>
<br/>
I agree to the <a href="../privacy.htm" target="_blank">Privacy Policy</a> and the <a href="../terms.htm" target="_blank">Terms of Service</a>.<br />
<input type="radio" name="TOS" value="1" >Yes <input type="radio" name="TOS" value="2" > No<br><br>
<input type="submit" name="edit" value="edit"></form> <br>

<?

require_once('../serv_inc.php');

$conn = mysql_connect("$mysql_server","$mysql_user","$mysql_pass"); 
if (!$conn) die ("ERROR"); 
mysql_select_db($mysql_database,$conn) or die ("ERROR"); 

if(isset($_POST['edit']))
  {

$sID    =    (int)$_POST['ID'];
$sFN   =    mysql_real_escape_string($_POST['FN']);
$sLN   =    mysql_real_escape_string($_POST['LN']);
$sAGE   =    mysql_real_escape_string($_POST['AGE']);
$sEM   =    mysql_real_escape_string($_POST['EM']);
$sPN   =    mysql_real_escape_string($_POST['PN']);
$sTOS   =    mysql_real_escape_string($_POST['TOS']);

    mysql_query("UPDATE scavenger1 SET FN='".$sFN."', LN='".$sLN."', AGE='".$sAGE."', EM='".$sEM."', TOS='".$sTOS."', PN='".$sPN."' WHERE ID='".$sID."'") or die (mysql_error());

    echo '<font color="red">Registration Complete! Please Hold. </font><meta http-equiv="refresh" content="1;url=completed.php?ID=';
    echo $_GET["ID"];
    echo '&edit"><br/><br/>';
    }

$query = "select * from scavenger1 order by ID";
$result = mysql_query($query);
?>

<?
         while ($link=mysql_fetch_array($result))
         {
         echo ' ';
         }
?>

1 个答案:

答案 0 :(得分:3)

$sID = (int)$_POST['ID'];您将id转换为整数。它应该是:

$sID    =    mysql_real_escape_string($_POST['ID']);
相关问题
最新问题