I'm inserting the following form into a database that has a primary key named index, so that all the values are supplied for it. What am I doing wrong that makes it not add the row? It doesn't give me an error message at all. Thanks for your help!
FORM:
<form action = "addissue.php" METHOD = "POST">
<table>
<tr>
<td>Date Issue Occurred:</td>
<!--http://www.dynamicdrive.com/dynamicindex7/jasoncalendar.htm-->
<td><script>DateInput('orderdate', true, 'DD-MON-YYYY')</script></td>
</tr>
<tr>
<td>Please select the application affected:</td>
<td><select name = "application">
<option value = "default1">1</option>
<option value = "2">2</option>
</select></td>
</tr>
<tr>
<td>Start Time:</td>
<td><input type = "text" name = "start" /></td>
</tr>
<tr>
<td>End Time:</td>
<td><input type = "text" name = "end" /></td>
</tr>
<tr>
<td>Duration:</td>
<td><input type = "text" name = "dur" /></td>
</tr>
<tr>
<td>Service Level Affecting?</td>
<td><input type = "radio" name = "sla" value = "Yes" />Yes
<input type = "radio" name = "sla" value = "No" />No</td>
</tr>
<tr>
<td>System State:</td>
<td><select name = "state">
<option value = "down">Down</option>
<option value = "degradated">Degradated</option>
<option value = "feature">Feature Broken</option>
</select></td>
</tr>
<tr>
<td>Issue Description:</td>
<td><textarea name = "issuedesc" rows = "5" cols = "90">Enter Issue Description Here.</textarea></td>
</tr>
<tr>
<td>Resolution Description:</td>
<td><textarea name = "resdesc" rows = "5" cols = "90">Enter Resolution Description Here.</textarea></td>
</tr>
<tr>
<td>Group Issue Is Assigned To:</td>
<td><select name = "group">
<option value = "default1">1</option>
<option value = "2">2</option>
</select></td>
</tr>
<tr>
<td><input type = "submit" value = "Submit"></td>
</tr>
</table>
</form>
Addissue.php
<?php
include('db_loginreport.php');
$con = mysql_connect($db_host, $db_username, $db_password);
if(!$con)
{
die('Could not connect: ' . mysql_error());
}
$db_select = mysql_select_db($db_database);
if(!$db_select)
{
die("Could not select the database. <br />".mysql_error());
}
$date = $_POST["orderdate"];
$app = $_POST["application"];
$starttime = $_POST["start"];
$endtime = $_POST["end"];
$duration = $_POST["dur"];
$sysstate = $_POST["state"];
$issdesc = $_POST["issuedesc"];
$resdesc = $_POST["resdesc"];
$assigned = $_POST["group"];
$query = "Insert INTO issuetrack (date, app, starttime, endtime, duration, sla, sysstate,issdesc, resdesc, assigned)
VALUES ($date, $app,$starttime,$endtime,$duration,$sysstate,$issdesc,$resdesc,$assigned)";
$result = mysql_query($query);
if(!$result)
{
die("Could not query the database: <br />".mysql_error());
}
?>
DB format:
# Column Type
1 index int(11)
2 date varchar(11)
3 app varchar(50)
4 starttime varchar(16)
5 endtime varchar(16)
6 duration varchar(5)
7 sla varchar(3)
8 sysstate varchar(20)
9 issdesc varchar(2048)
10 resdesc varchar(2048)
11 assigned varchar(30)
Answer 0 (score: 4)
You have two problems. The insert fails because your variables are not wrapped in quotes, like '$date':
$query = "Insert INTO issuetrack (date, app, starttime, endtime, duration, sla, sysstate,issdesc, resdesc, assigned)
VALUES ('$date', '$app','$starttime','$endtime','$duration','$sla','$sysstate','$issdesc','$resdesc','$assigned')";
Also note that you left out the entry for $sla in the query. I added it above.
Your second problem is that your script is open to tampering via SQL injection. At a minimum, you must escape all of these variables with mysql_real_escape_string(), even if this is only used for an internal application.
$date = mysql_real_escape_string($_POST["orderdate"]);
$app = mysql_real_escape_string($_POST["application"]);
$starttime = mysql_real_escape_string($_POST["start"]);
...
...
$resdesc = mysql_real_escape_string($_POST["resdesc"]);
$assigned = mysql_real_escape_string($_POST["group"]);
Answer 1 (score: 1)
This is incorrect:
$query = "Insert INTO issuetrack (date, app, starttime, endtime, duration, sla, sysstate,issdesc, resdesc, assigned)
VALUES ($date, $app,$starttime,$endtime,$duration,$sysstate,$issdesc,$resdesc,$assigned)";
This is correct:
$query = "Insert INTO issuetrack (date, app, starttime, endtime, duration, sysstate,issdesc, resdesc, assigned)
VALUES ('$date', '$app', '$starttime','$endtime','$duration','$sysstate','$issdesc','$resdesc','$assigned')";
The problem is that you were trying to put $sysstate into sla, $issdesc into sysstate, $resdesc into issdesc, $assigned into resdesc, and assigned was left empty.
Edit: updated to include the quotes.
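Both answers point at the same root cause: the SQL text is assembled by hand, so quoting errors, a dropped column and injection all hide in the same line. The script below is an added example, not code from the question or from either answer: it redoes the addissue.php insert with a PDO prepared statement and named placeholders, so each value is bound to its column by name and travels separately from the SQL text. It assumes PHP 7.4 or later with the pdo_sqlite extension, and uses an in-memory SQLite table built from the question's schema in place of the poster's MySQL database; the field-to-column map, the function name addIssue and the sample submission are constructed for the example.

```php
<?php
// Added example, not code from the question or either answer: the same insert
// done with a PDO prepared statement. Named placeholders bind each value to its
// column by name, which addresses both points raised in the answers at once:
// no quoting mistakes or SQL injection, and no positional shift of values into
// the wrong columns. Assumes PHP 7.4+ with pdo_sqlite; an in-memory SQLite
// table (constructed from the question's schema) stands in for MySQL.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE issuetrack (
    "index"   INTEGER PRIMARY KEY AUTOINCREMENT,
    date      VARCHAR(11),
    app       VARCHAR(50),
    starttime VARCHAR(16),
    endtime   VARCHAR(16),
    duration  VARCHAR(5),
    sla       VARCHAR(3),
    sysstate  VARCHAR(20),
    issdesc   VARCHAR(2048),
    resdesc   VARCHAR(2048),
    assigned  VARCHAR(30)
)');

// Form field name => table column (constructed map, from the question's form).
// One map drives both the column list and the placeholder list, so a column
// can never silently receive its neighbour's value.
const FIELD_TO_COLUMN = [
    'orderdate'   => 'date',
    'application' => 'app',
    'start'       => 'starttime',
    'end'         => 'endtime',
    'dur'         => 'duration',
    'sla'         => 'sla',
    'state'       => 'sysstate',
    'issuedesc'   => 'issdesc',
    'resdesc'     => 'resdesc',
    'group'       => 'assigned',
];

// Insert one issue from a POST-shaped array; returns the new row's index.
function addIssue(PDO $pdo, array $post): int
{
    $columns      = implode(', ', FIELD_TO_COLUMN);
    $placeholders = implode(', ', array_map(fn ($c) => ':' . $c, FIELD_TO_COLUMN));
    $stmt = $pdo->prepare("INSERT INTO issuetrack ($columns) VALUES ($placeholders)");

    $params = [];
    foreach (FIELD_TO_COLUMN as $field => $column) {
        // An unselected radio button (sla) never arrives in POST; refuse the
        // row instead of inserting a blank as the original script would.
        if (!isset($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("missing form field: $field");
        }
        $params[':' . $column] = $post[$field];
    }
    $stmt->execute($params);   // values are sent as parameters, never spliced into the SQL
    return (int) $pdo->lastInsertId();
}

// Constructed sample submission; issdesc carries a single quote on purpose.
$post = [
    'orderdate'   => '12-MAR-2013',
    'application' => '2',
    'start'       => '09:15',
    'end'         => '10:40',
    'dur'         => '85',
    'sla'         => 'Yes',
    'state'       => 'degradated',
    'issuedesc'   => "Login page returned 500 for names like O'Brien.",
    'resdesc'     => 'Restarted the application pool; patch scheduled.',
    'group'       => '2',
];

$id  = addIssue($pdo, $post);
$row = $pdo->query('SELECT sla, sysstate, issdesc FROM issuetrack WHERE "index" = ' . $id)
           ->fetch(PDO::FETCH_ASSOC);
printf("row %d: sla=%s sysstate=%s issdesc=%s\n", $id, $row['sla'], $row['sysstate'], $row['issdesc']);

// For contrast, the question's string-built query with the same data: neither
// value is quoted, so the date is parsed as arithmetic on unknown column names
// and the free-text description is not valid SQL, and the statement is
// rejected. Adding quotes alone would still let the apostrophe in issdesc
// terminate the string literal and change the meaning of the statement.
try {
    $pdo->exec("INSERT INTO issuetrack (date, issdesc) VALUES ({$post['orderdate']}, {$post['issuedesc']})");
} catch (PDOException $e) {
    echo "string-built query rejected: " . $e->getMessage() . "\n";
}
```

To run it against the poster's MySQL database, replace the DSN with `mysql:host=...;dbname=...` plus the credentials from db_loginreport.php, set `PDO::ATTR_EMULATE_PREPARES` to false so the server performs the binding, and quote the column name as `` `index` `` since it is a reserved word in MySQL. The mysql_* functions used in the question (including mysql_real_escape_string) were removed in PHP 7, so PDO or mysqli prepared statements are the only maintained route for new code.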