
My php form submit to mysql doesn't work if there is a single quotation in between text

Here is my html page:

<form method="post">
<input type="hidden" name="user" readonly="readonly" value="<?php echo $session->username;?>">
<input placeholder="TAS Code" class="input-text" type="text" name="customerCode" id="name" />
<textarea placeholder="Comments" style="width: 500px;" wrap="hard" class="input-text" name="comments" id="email"></textarea>
<input type="submit" value="Submit" class="btn-u btn-u-small" name="submit" id="comment-submit" />
</form>

Here is the JavaScript to run web.php on submit

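$(document).ready(function() {
    $('form').submit(function(msg) {
        // Post the serialized form fields to web.php
        $.post("web.php", $(this).serialize(), function(data) {
        });
        // Clear every form after submitting
        $('form').each(function() {
            this.reset();
        });
        // Prevent the normal (non-AJAX) form submission
        return false;
    });
});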

and finally here is my web.php to process the form content.

$mysqli =mysqli_connect("localhost","pf_sales","pfsal3s","pf_sales");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$webbox = $_POST['web'];
 $codebox=$_POST['customerCode'];
 $commentbox=$_POST['comments'];
 $discount=$_POST['discount'];
 $task=$_POST['taskbox'];
 $clear=$_POST['clearbox'];
  $user=$_POST['user'];


if ($codebox !="" && $commentbox !="" && $webbox!="" && $discount!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]'),discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $webbox!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $task!="")
{
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
else if ($codebox!="" && $commentbox!="" && $user!="")
 {
    $query ="INSERT INTO commentstable (user, customerCode, comments) VALUES ('$_POST[user]', '$_POST[customerCode]', '$_POST[comments]');";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }

 else if ($codebox!="" && $webbox!="" )
 {
    $query ="UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }
 else if ($codebox!="" && $discount!="" )
 {
    $query ="UPDATE webdiscount SET discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]'); ";
    if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());

}
 $mysqli->close();
 }
else if ($codebox !="" && $task!="")
{

$query = "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}
else if ($codebox !="" && $clear=="done")
{

$query = "UPDATE webdiscount SET taskFor='' where customerCode = ('$_POST[customerCode]');";

/* execute multi query */
if ($mysqli->multi_query($query)) {
    do {
        /* store first result set */
        if ($result = $mysqli->store_result()) {
            while ($row = $result->fetch_row()) {
                printf("%s\n", $row[0]);
            }
            $result->free();
        }
        /* print divider */
        if ($mysqli->more_results()) {
            printf("-----------------\n");
        }
    } while ($mysqli->next_result());
}

/* close connection */
 $mysqli->close();
}

So when we put TAScode and comments it should update the comments table. It is working fine as long as we don't use a single quotation ' in text, i.e. if we write "We didn't do this" then the form doesn't update the database.

Any help will be much appreciated. Thanks

The problem is because you pass unescaped single quotes to your SQL query. For instance, if $_POST['customerCode'] contains We didn't do this your query will look like:

INSERT INTO commentstable (customerCode, comments) VALUES ('We didn't do this', '…')

You see the extra quote that mangles your SQL statement? You can prevent this by using mysqli::real_escape_string or better, by switching to prepared statements. Your query will look like this:

$query = "INSERT INTO commentstable (customerCode, comments) VALUES (?, ?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('is', $_POST['customerCode'], $_POST['comments']);
$stmt->execute();

BTW, you should really check if those POST-variables are present using isset or empty, otherwise you'll get an error if those are not passed.
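The advice above (prepared statements plus a presence check on each POST field) applied to the INSERT and UPDATE path of the question's web.php, as an added example that is not part of the original answer. The connection values are placeholders, the `post_field` helper is hypothetical, every value is bound as a string (an assumption about the column types), and the transaction assumes InnoDB tables.

```php
<?php
// Added example: the question's INSERT + UPDATE rewritten with prepared statements.
// Connection values are placeholders; table and column names come from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$mysqli->set_charset('utf8mb4');

// Hypothetical helper: read a POST field as a trimmed string.
// Missing or non-string (array) fields become '' instead of raising a notice.
function post_field(string $name): string {
    $v = $_POST[$name] ?? '';
    return is_string($v) ? trim($v) : '';
}

$code     = post_field('customerCode');
$comments = post_field('comments');
$web      = post_field('web');
$discount = post_field('discount');

if ($code === '') {
    http_response_code(400);
    exit('customerCode is required');
}

$mysqli->begin_transaction(); // assumption: InnoDB, so both writes succeed or neither
try {
    if ($comments !== '') {
        // Values travel separately from the SQL text, so "We didn't do this" is just data.
        $stmt = $mysqli->prepare(
            'INSERT INTO commentstable (customerCode, comments) VALUES (?, ?)');
        $stmt->bind_param('ss', $code, $comments); // assumption: string-compatible columns
        $stmt->execute();
    }
    if ($web !== '' && $discount !== '') {
        $stmt = $mysqli->prepare(
            'UPDATE webdiscount SET web = ?, discount = ? WHERE customerCode = ?');
        $stmt->bind_param('sss', $web, $discount, $code);
        $stmt->execute();
    }
    $mysqli->commit();
} catch (mysqli_sql_exception $e) {
    $mysqli->rollback();
    error_log($e->getMessage()); // keep SQL error details in the server log
    http_response_code(500);
    exit('Database error');
}
```

Because each statement is prepared on its own, `multi_query` is no longer needed, so a quote in the input can neither break the statement nor append a second one.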

Use mysqli_real_escape_string()

$comments = mysqli_real_escape_string($mysqli, $_POST['comments']);
$customerCode = mysqli_real_escape_string($mysqli, $_POST['customerCode']);
$query  = "INSERT INTO commentstable (customerCode, comments) VALUES ('$customerCode', '$comments');";

$web = mysqli_real_escape_string($mysqli, $_POST['web']);
$discount = mysqli_real_escape_string($mysqli, $_POST['discount']);
$query .= "UPDATE webdiscount SET web = ('$web'),discount=('$discount') where customerCode = ('$customerCode');";

Use mysqli_real_escape_string() Read this

So the code would be

$codebox=mysqli_real_escape_string($con, $_POST['customerCode']);

etc...
