文本未提交到数据库

时间:2011-08-31 00:01:37

标签: php mysql forms

我有一个简单的脚本问题,它似乎只是在INESERTING进入数据库。

我有一个表单,它也将图像上传到服务器,并将上传文件名放入数据库中。似乎如果使用了撇号,或者抛出了UTF8格式的引号,并且没有提交数据。

我尝试过使用mysql_real_escape_string和addslashes,但它具有相同的效果,或者不会发布输入数据库的任何信息。

这是表单数据(我已经将HTML编码条纹化以节省此帖子的空间)

<form method="post" action="inc/process-report.php" enctype="multipart/form-data">
<input name="Title" type="text" class="NormalTextBox" />
<input name="ShortTitle" type="text" class="NormalTextBox" maxlength="50" />
<select name="date_d" class="NoSetWidthSelectBox">
        <option value'<? echo"$day"; ?>' selected><? echo"$day"; ?></option>
        <option value='01'>01</option>
        <option value='02'>02</option>
        <option value='03'>03</option>
        <option value='04'>04</option>
        <option value='05'>05</option>
        <option value='06'>06</option>
        <option value='07'>07</option>
        <option value='08'>08</option>
        <option value='09'>09</option>
        <option value='10'>10</option>
        <option value='11'>11</option>
        <option value='12'>12</option>
        <option value='13'>13</option>
        <option value='14'>14</option>
        <option value='15'>15</option>
        <option value='16'>16</option>
        <option value='17'>17</option>
        <option value='18'>18</option>
        <option value='19'>19</option>
        <option value='20'>20</option>
        <option value='21'>21</option>
        <option value='22'>22</option>
        <option value='23'>23</option>
        <option value='24'>24</option>
        <option value='25'>25</option>
        <option value='26'>26</option>
        <option value='27'>27</option>
        <option value='28'>28</option>
        <option value='29'>29</option>
        <option value='30'>30</option>
        <option value='31'>31</option>
        </select>
        </select>
          &nbsp;/&nbsp;
          <select name="date_m" class="NoSetWidthSelectBox">
          <option value'<? echo"$month"; ?>' selected><? echo"$month"; ?></option>
        <option value='01'>01</option>
        <option value='02'>02</option>
        <option value='03'>03</option>
        <option value='04'>04</option>
        <option value='05'>05</option>
        <option value='06'>06</option>
        <option value='07'>07</option>
        <option value='08'>08</option>
        <option value='09'>09</option>
        <option value='10'>10</option>
        <option value='11'>11</option>
        <option value='12'>12</option>
          </select>
          &nbsp;/&nbsp;
          <select name="date_y" class="NoSetWidthSelectBox">
        <option value='11' selected>2011</option>
        <option value='12'>2012</option>
        <option value='13'>2013</option>
        <option value='14'>2014</option>
        <option value='15'>2015</option>
        <option value='16'>2016</option>
        <option value='17'>2017</option>
        <option value='18'>2018</option>
        <option value='19'>2019</option>
        <option value='20'>2020</option>
          </select>
<select name="Category" class="NormalSelectBox">
          <option selected="selected" value="">Please Select</option>
          <?php $SQL = "SELECT * FROM " . $match_reports_cats_table . " WHERE active = 'y' ORDER BY name"; 
$result = @mysql_query($SQL) or die("Error Getting Catergories 1"); 
while($row = @mysql_fetch_array($result)) {
$ID = $row["ID"];
$name = $row["name"]; ?>
          <option value="<?php echo stripslashes($row['name']); ?>"><?php echo stripslashes($row['name']); ?></option>
          <? } ?>
        </select>
<textarea name="Story" class="NormalTextArea"></textarea>
<input name="image" type="file" class="UploadTextBox">
        <input type="hidden" name="size" value="2048">
<select name="FrontPage" class="NoSetWidthSelectBox">
          <option selected='No' value='No'>No</option>
          <option value='Yes'>Yes</option>
        </select>
<input type="submit" name="btnSubmit" id="btnSubmit" value="Publish" class="publish_button" />
   <input type="submit" name="btnSubmit" id="btnSubmit" value="Save draft" class="NormalButton" />
    <input type="reset" value="Discard" class="NormalButton" />

这是流程

if($_POST['btnSubmit'] == 'Save draft'){
//This gets all the other information from the form
    $target = "../../../images/matchreports/uploaded/";
    $target = $target . time() . '-' . basename( $_FILES['image']['name']);
    if(move_uploaded_file($_FILES['image']['tmp_name'], $target)){  
    $Title=$_POST['Title'];
    $ShortTitle=$_POST['ShortTitle'];       
    $Story=$_POST['Story'];
    $Category=$_POST['Category'];
    $FrontPage=$_POST['FrontPage'];
    $image=time() . '-' . basename( $_FILES['image']['name']);  
    $newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
    $user_ip=$_POST['user_ip']; 

//Writes the information to the database        
    mysql_query("INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,Category,FrontPage,active,image,date,user_ip)VALUES ('$Title', '$ShortTitle', '$Story', '$Category', '$FrontPage', 'n', '$image', '$newdate', '" . addslashes($_SERVER['REMOTE_ADDR']) . "')") ;

    header("Location: /cms/matchreports/index.php?message=6");  
    exit;
 } else {

//This gets all the other information from the form
    $Title=$_POST['Title'];
    $ShortTitle=$_POST['ShortTitle'];       
    $Story=$_POST['Story'];
    $Category=$_POST['Category'];
    $FrontPage=$_POST['FrontPage'];
    $newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
    $user_ip=$_POST['user_ip'];
//Writes the information to the database        
    mysql_query("INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,Category,FrontPage,active,date,user_ip)VALUES ('$Title', '$ShortTitle', '$Story', '$Category', '$FrontPage', 'n', '$newdate', '" . addslashes($_SERVER['REMOTE_ADDR']) . "')") ;

    header("Location: /cms/matchreports/index.php?message=7");  
    exit;}}

已编辑 - 这是否更好

$target = "../../../images/matchreports/uploaded/";
    $target = $target . time() . '-' . basename( $_FILES['image']['name']);
    if(move_uploaded_file($_FILES['image']['tmp_name'], $target)){
    $image=time() . '-' . basename( $_FILES['image']['name']);      
    $newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,image,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(y) . "','$image','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
    $result = @mysql_query($SQL) or die("Error Publishing 1");

1 个答案:

答案 0 :(得分:1)

正如评论中所指出的,圣洁的sql注射蝙蝠侠。无论如何,你需要做的是重新创建问题,并回显出生成的SQL并传递给mysql,看看它是什么样的。显然存在语法错误,如果打印出查询,您可能会看到它。

编辑:

改变这个:

mysql_query("INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,Category,FrontPage,active,image,date,user_ip)VALUES ('$Title', '$ShortTitle', '$Story', '$Category', '$FrontPage', 'n', '$image', '$newdate', '" . addslashes($_SERVER['REMOTE_ADDR']) . "')") ;

对此:

$sql="INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,Category,FrontPage,active,image,date,user_ip)VALUES ('$Title', '$ShortTitle', '$Story', '$Category', '$FrontPage', 'n', '$image', '$newdate', '" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
mysql_query($sql) ;
echo $sql;