将html select form的值插入mysql数据库
[英]insert value of html select form into mysql database
问题描述
I want to insert the value of a selected 'select form' into my mysql database. 
我想将选定的“选择表单”的值插入到我的mysql数据库中。
How can i get the right value of this? 我怎样才能获得正确的价值?
<form action='' method='post'>
<select name="myselectbox">
<option name="myoption1" value="myoption1">myoption1</option>
<option name="myoption2" value="myoption2">myoption2</option>
<option name="myoption3" value="myoption3">myoption3</option>
<option name="myoption4" value="myoption4">myoption4</option>
</select>
<input type='submit' value='submit'/>
</form>
something like that? 这样的事情? (this one didn't work obviously..) (这个显然不起作用..)
$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')";
4 个解决方案
解决方案1
5 已采纳 2014-02-25 10:51:40
you have to wrap your select tag into a form tag . 您必须将select标签包装到表单标签中。
<form action='' method='post'>
<select name="myselectbox">
<option name="myoption1" value="myoption1">myoption1</option>
<option name="myoption2" value="myoption2">myoption2</option>
<option name="myoption3" value="myoption3">myoption3</option>
<option name="myoption4" value="myoption4">myoption4</option>
</select>
<input type='submit' value='submit'/>
</form>
once you submit the form, you will get the post variable as $_POST['myselectbox'] that could be appended into a mysql query as you have already did. 一旦你提交了表单,你就会得到post变量$_POST['myselectbox'] ,它可以被添加到你已经做过的mysql查询中。 but for a better way dont just append it like that but check the form is submitted and post variables are available or not before appending. 但是为了更好的方式,不要只是这样添加它,但检查表单是否已提交,并且在附加之前是否可以使用后期变量。 eg: 例如:
if(!empty($_POST['myselectbox'])){
/*.. do your query section... */
}
解决方案2
1 2014-02-25 10:47:02
you have error in your SQL command, $_POST needs html names to be wrapped in quotes like => $_POST['some_name'] : 你的SQL命令有错误, $_POST需要将html名称包含在引号中,如=> $_POST['some_name'] :
$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')"; /* ^^ missing quotes here*/
try it this way : 试试这样:
$sql = "INSERT INTO Entries (myoption1) VALUES (".$_POST['myselectbox'].")";
解决方案3
1 2014-02-25 11:14:04
Assuming that your form is correct and it is posting the values that you want to your script. 假设您的表单是正确的,并且它将您想要的值发布到您的脚本中。
(You have sprinkled your code with echo to ensure this is the case?) (你已经用echo你的代码以确保是这种情况?)
The simplest reliable way of sending the data into a SQL statement and therefore into mysql is to use prepared statements. 将数据发送到SQL语句并因此发送到mysql的最简单可靠的方法是使用预准备语句。
Take a look here: http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php 看看这里: http : //www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
Basically you write the SQL statement without your variables in it (replaced with ? ) and then tell mysql to execute the statements with your variables later. 基本上你编写没有变量的SQL语句(替换为? )然后告诉mysql稍后用你的变量执行语句。 It avoids the need to escape strings and worry about how to build things up. 它避免了逃避字符串的需要,并担心如何构建。
As an example, you might have: 例如,您可能有:
// Connect to mysql
$mysqli = new mysqli('where your server is', 'my_user', 'my_password', 'world');
// Build the initial statement - easier to read as you don't have your string concatenation here
$stmt = $mysqli->prepare( "INSERT INTO Entries (myoption1) VALUES (?)" );
// Tell mysql that the '?' should be replaced with the value in your post array
$stmt->bind_param( "s", $POST['myselectbox'] );
// Execute the statement
$stmt->execute()
Obviously you should add error handling too, but the documentation covers the basics of this. 显然你也应该添加错误处理,但是文档涵盖了这个的基础知识。
SQL Injection SQL注入
The main reason why the use of prepared statements is a good idea is that it avoids SQL injection attacks. 使用预准备语句的一个好主意的主要原因是它避免了SQL注入攻击。
There are other ways round, but in my mind this is the simplest solution. 还有其他方法,但在我看来,这是最简单的解决方案。
SQL Injection attacks are situations where someone attempts to change the SQL statement that is being run by "injecting" other SQL into your statement. SQL注入攻击是指某人试图通过将“注入”其他SQL到您的语句中来更改正在运行的SQL语句的情况。
Using your code as an example, you may execute this statement: 以您的代码为例,您可以执行以下语句:
$sql = "INSERT INTO Entries (myoption1) VALUES ('". $_POST['myselectbox'] ."')";
Which would normally receive (let's suggest) something like myoption1 . 通常会收到(让我们建议)像myoption1这样的myoption1 。
This would result in the SQL being: 这将导致SQL为:
INSERT INTO Entries (myoption1) VALUES ('myoption1');
If someone decided to, they could send '='' OR '1'='1 如果有人决定,他们可以发送'='' OR '1'='1
This would result in the SQL being: 这将导致SQL为:
INSERT INTO Entries (myoption1) VALUES (''='' OR '1'='1');
Which is (obviously) very different. 这显然是非常不同的。
Or, even worse send '=')'; DROP TABLE Entries WHERE (''=' 或者,更糟糕的是发送'=')'; DROP TABLE Entries WHERE (''=' '=')'; DROP TABLE Entries WHERE (''='
This would result in the SQL being: 这将导致SQL为:
INSERT INTO Entries (myoption1) VALUES (''=''); DROP TABLE Entries WHERE (''='');
Use Prepared Statements 使用准备好的陈述
Simply put, but using prepared statements, you are telling mysql that what you are sending is a literal string to be used as a parameter. 简单地说,但是使用准备好的语句,你告诉mysql你发送的是一个文字字符串,用作参数。 It can never be regarded as part of the statement itself and therefore the above is simply not possible. 它永远不能被视为陈述本身的一部分,因此上述内容根本不可能。
Much much safer. 更安全。
I hope that makes it clearer. 我希望这更清楚。 If you want more info I suggest you research it independently... 如果您想了解更多信息,我建议您独立研究...
解决方案4
0 2014-02-25 10:44:50
$value = mysql_real_escape_string($_POST['myselectbox']);
$sql = "INSERT INTO Entries (myoption1) VALUES ($value)";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.