HTML / php表单:提交链接时出错
[英]HTML/php forms: error when submitting links
问题描述
I have a HTML form handled by php. 
我有一个由php处理的HTML表单。 The form has various text input fields and one of those asks the user to input a link containing http:// . 该表单具有各种文本输入字段,其中之一要求用户输入包含http://的链接。
The problem is when I submit a link like http://www.google.com/ the form fails badly by displaying random content from different php files on my website. 问题是当我提交诸如http://www.google.com/之类的链接时,该表单由于在我的网站上显示来自不同php文件的随机内容而严重失败。
Here's a resume of my code: 这是我的代码的简历:
<form action="add.php" method="post">
<input type="text" name="link" />
<input type="submit" value="submit" />
<?php
if (isset($_POST['link']))
{
$link = mysql_escape_string($_POST['link']);
mysql_query("INSERT INTO mytable(link) values($link)");
}
?>
Works just fine when not submitting a string that contains http:// . 不提交包含http://的字符串时,效果很好。 Anyone has any idea why this happens? 有人知道为什么会这样吗?
1 个解决方案
解决方案1
0 2014-03-03 15:49:10
Sidenote : You will find an mysqli_* based version further down. 旁注 :您会在下面找到基于mysqli_*的版本。
Assuming you are connected to your DB, you did not wrap $link in VALUES with quotes. 假设您已连接到数据库,则没有将$link括在VALUES并带有引号。
Change this line: 更改此行:
mysql_query("INSERT INTO mytable(link) values( $link )");
^ ^ <- missing quotes
to: 至:
mysql_query("INSERT INTO mytable(link) values('$link')");
Tested and working with this example: (form is set to self) and using http://www.google.com/ as an input and a few others containing http:// 经过测试并使用以下示例:(将表单设置为self),并使用http://www.google.com/作为输入,另一些包含http://
<?php
define('DB_NAME', 'xxx');
define('DB_USER', 'xxx');
define('DB_PASS', 'xxx');
define('DB_HOST', 'xxx');
$dbh = mysql_connect(DB_HOST, DB_USER, DB_PASS);
if(!$dbh)
{
die('Could not connect to database: ' . mysql_error());
}
$db_select = mysql_select_db(DB_NAME);
if(!$db_select)
{
die('Can\'t use ' . DB_NAME . ': ' . mysql_error());
}
if(isset($_POST['submit']) && !empty($_POST['link'])){
$link = mysql_real_escape_string($_POST['link']);
mysql_query("INSERT INTO mytable (link) values('$link')");
if(!mysql_query)
{
die("sorry");
}
else{ echo "Success"; }
mysql_close();
}
?>
<!DOCTYPE html>
<html>
<body>
<title></title>
<h3>Place your Link Below:</h3>
<form action="" method="post">
<input type="text" name="link" />
<input type="submit" name="submit" value="submit" />
</body>
</html>
Footnotes: 脚注:
Do consider switching to mysqli_* functions with prepared statements or PDO. 请考虑使用准备好的语句或PDO切换到mysqli_*函数。 The mysql_* functions are deprecated and will be removed from future releases. mysql_*函数已过时,将从以后的版本中删除。
Here is an mysqli_* based version: 这是基于mysqli_*的版本:
<?php
define('DB_NAME', 'xxx');
define('DB_USER', 'xxx');
define('DB_PASS', 'xxx');
define('DB_HOST', 'xxx');
$dbh = mysqli_connect(DB_HOST, DB_USER, DB_PASS);
if(!$dbh)
{
die('Could not connect to database: ' . mysqli_error());
}
$db_select = mysqli_select_db($dbh,DB_NAME);
if(!$db_select)
{
die('Can\'t use ' . DB_NAME . ': ' . mysqli_error());
}
if(isset($_POST['submit']) && !empty($_POST['link'])){
$link = mysqli_real_escape_string($dbh,$_POST['link']);
mysqli_query($dbh,"INSERT INTO mytable (link) values('$link')");
if(!mysqli_query)
{
die("sorry");
}
else{ echo "Success"; }
mysqli_close($dbh);
}
?>
<!DOCTYPE html>
<html>
<body>
<title>Home Page</title>
<h3>Please Place your Order Below:</h3>
<form action="" method="post">
<input type="text" name="link" />
<input type="submit" name="submit" value="submit" />
</body>
</html>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.