[英]HTML/php forms: error when submitting links
I have a HTML form handled by php. 我有一个由php处理的HTML表单。 The form has various text input fields and one of those asks the user to input a link containing
http://
. 该表单具有各种文本输入字段,其中之一要求用户输入包含
http://
的链接。
The problem is when I submit a link like http://www.google.com/
the form fails badly by displaying random content from different php files on my website. 问题是当我提交诸如
http://www.google.com/
之类的链接时,该表单由于在我的网站上显示来自不同php文件的随机内容而严重失败。
Here's a resume of my code: 这是我的代码的简历:
<form action="add.php" method="post">
<input type="text" name="link" />
<input type="submit" value="submit" />
<?php
if (isset($_POST['link']))
{
$link = mysql_escape_string($_POST['link']);
mysql_query("INSERT INTO mytable(link) values($link)");
}
?>
Works just fine when not submitting a string that contains http://
. 不提交包含
http://
的字符串时,效果很好。 Anyone has any idea why this happens? 有人知道为什么会这样吗?
Sidenote : You will find an mysqli_*
based version further down. 旁注 :您会在下面找到基于
mysqli_*
的版本。
Assuming you are connected to your DB, you did not wrap $link
in VALUES
with quotes. 假设您已连接到数据库,则没有将
$link
括在VALUES
并带有引号。
Change this line: 更改此行:
mysql_query("INSERT INTO mytable(link) values( $link )");
^ ^ <- missing quotes
to: 至:
mysql_query("INSERT INTO mytable(link) values('$link')");
Tested and working with this example: (form is set to self) and using http://www.google.com/
as an input and a few others containing http://
经过测试并使用以下示例:(将表单设置为self),并使用
http://www.google.com/
作为输入,另一些包含http://
<?php
define('DB_NAME', 'xxx');
define('DB_USER', 'xxx');
define('DB_PASS', 'xxx');
define('DB_HOST', 'xxx');
$dbh = mysql_connect(DB_HOST, DB_USER, DB_PASS);
if(!$dbh)
{
die('Could not connect to database: ' . mysql_error());
}
$db_select = mysql_select_db(DB_NAME);
if(!$db_select)
{
die('Can\'t use ' . DB_NAME . ': ' . mysql_error());
}
if(isset($_POST['submit']) && !empty($_POST['link'])){
$link = mysql_real_escape_string($_POST['link']);
mysql_query("INSERT INTO mytable (link) values('$link')");
if(!mysql_query)
{
die("sorry");
}
else{ echo "Success"; }
mysql_close();
}
?>
<!DOCTYPE html>
<html>
<body>
<title></title>
<h3>Place your Link Below:</h3>
<form action="" method="post">
<input type="text" name="link" />
<input type="submit" name="submit" value="submit" />
</body>
</html>
Footnotes: 脚注:
Do consider switching to mysqli_*
functions with prepared statements or PDO. 请考虑使用准备好的语句或PDO切换到
mysqli_*
函数。 The mysql_*
functions are deprecated and will be removed from future releases. mysql_*
函数已过时,将从以后的版本中删除。
Here is an mysqli_*
based version: 这是基于
mysqli_*
的版本:
<?php
define('DB_NAME', 'xxx');
define('DB_USER', 'xxx');
define('DB_PASS', 'xxx');
define('DB_HOST', 'xxx');
$dbh = mysqli_connect(DB_HOST, DB_USER, DB_PASS);
if(!$dbh)
{
die('Could not connect to database: ' . mysqli_error());
}
$db_select = mysqli_select_db($dbh,DB_NAME);
if(!$db_select)
{
die('Can\'t use ' . DB_NAME . ': ' . mysqli_error());
}
if(isset($_POST['submit']) && !empty($_POST['link'])){
$link = mysqli_real_escape_string($dbh,$_POST['link']);
mysqli_query($dbh,"INSERT INTO mytable (link) values('$link')");
if(!mysqli_query)
{
die("sorry");
}
else{ echo "Success"; }
mysqli_close($dbh);
}
?>
<!DOCTYPE html>
<html>
<body>
<title>Home Page</title>
<h3>Please Place your Order Below:</h3>
<form action="" method="post">
<input type="text" name="link" />
<input type="submit" name="submit" value="submit" />
</body>
</html>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.