我目前正在通过我创建的表单将数据库输入信息:
<form method="post" action="send.php">
<input type="text" name="firstname" id="firstname" class="yourinfo" ><br/>
<input type="text" name="lastname" id="lastname" value="Last Name" onFocus=this.value='' class="yourinfo"><br/>
<input type="text" name="email" id="email" value="Email Address" onFocus=this.value='' class="yourinfo"><br/>
<input type="text" name ="date" id="datepicker" value="Enter Your Prediction" onFocus=this.value='' class="yourinfo"><br/>
<input type="submit" value="submit" >
</form>
然后我将我的php提交到数据库:
<?php
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$email = $_POST['email'];
$datepicker = $_POST['date'];
//get the correct format
$new_date = date('Y-m-d',strtotime($_POST['date']));
mysql_connect ("localhost", "user", "pass") or die ('Error: ' . mysql_error());
mysql_select_db ("database");
$query="INSERT INTO table (id, firstname, lastname, email, date)
VALUES ('NULL', '".$firstname."', '".$lastname."', '".$email."', '".mysql_real_escape_string($new_date)."')";
mysql_query($query) or die (mysql_error());
header('Location: table.php');
?>
我已被告知我必须在向数据库提交任何内容之前验证表单,但我不完全确定如何执行此操作,我知道它与 mysql_real_escape_string()有关但是我有点不确定该怎么做
希望你能帮忙以下是错误:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'gezzamon'@'localhost' (using password: NO) in /home/gezzamon/public_html/allymccoist/send.php on line 4
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/gezzamon/public_html/allymccoist/send.php on line 4
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'gezzamon'@'localhost' (using password: NO) in /home/gezzamon/public_html/allymccoist/send.php on line 5
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/gezzamon/public_html/allymccoist/send.php on line 5
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'gezzamon'@'localhost' (using password: NO) in /home/gezzamon/public_html/allymccoist/send.php on line 6
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/gezzamon/public_html/allymccoist/send.php on line 6
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'gezzamon'@'localhost' (using password: NO) in /home/gezzamon/public_html/allymccoist/send.php on line 7
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/gezzamon/public_html/allymccoist/send.php on line 7
Warning: Cannot modify header information - headers already sent by (output started at /home/gezzamon/public_html/allymccoist/send.php:4) in /home/gezzamon/public_html/allymccoist/send.php on line 23
答案 0 :(得分:0)
您至少可以检查它们是否为空,并使用正则表达式验证电子邮件。 也可以将PDO用于您的数据库,它将保护您免受各种形式的SQL注入。
互联网上有很多关于PDO的教程。
答案 1 :(得分:0)
对要在SQL语句中使用的所有变量调用mysql_real_escape_string()
。
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$email = mysql_real_escape_string($_POST['email']);
$datepicker = mysql_real_escape_string($_POST['date']);
具有讽刺意味的是,你不需要逃避的一件事是$new_date
,因为你已经可以确定它是有效且安全的格式Y-m-d
(或FALSE
如果日期不好)。虽然没有伤害。
$query="INSERT INTO table (id, firstname, lastname, email, date)
VALUES (NULL, '".$firstname."', '".$lastname."', '".$email."', '".mysql_real_escape_string($new_date)."')";
所有引用和连接都有点混乱。在PHP中,您可以使用字符串插值,如下所示:
$query="INSERT INTO table (id, firstname, lastname, email, date)
VALUES (NULL, '$firstname', '$lastname', '$email', '".mysql_real_escape_string($new_date)."')";