如何在php mysql提交表单中停止自动乘法
[英]how to stop auto multiplication in php mysql submit form
问题描述
this code is working fine but my problem is that when i submit (size) row data using php this php code so it is auto multiply and submit in phpmyadmin like that 350000 
此代码工作正常,但我的问题是,当我使用php提交此PHP代码(大小)行数据时,它会自动相乘并在phpmyadmin中提交,例如350000
example i submit a form and (size) row data is 例如我提交一个表格和(大小)行数据是
480 x 800 pixels, 4.3 inches (~217 ppi pixel density) Sensors: Accelerometer, proximity
and when i check phpmyadmin (size) row so it is auto multiply and submit the (size) row data like this 当我检查phpmyadmin(size)行时,它会自动相乘并提交像这样的(size)行数据
350000
how can i solve this problem please help me to fix this issue 我该如何解决此问题,请帮助我解决此问题
thanks 谢谢
this is php mysql form data submit code 这是PHP MySQL的表格数据提交代码
<?php
/*
NEW.PHP
Allows user to create a new entry in the database
*/
// creates the new record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($model, $category, $weight,$size, $error)
{
?>
<?php
// if there are any errors, display them
if ($error != '')
{
echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?>
<?php
}
//This is the directory where images will be saved
$target = "media/";
$target = $target . basename( $_FILES['photo']['name']);
//This gets all the other information from the form
$photo=($_FILES['photo']['name']);
//Writes the photo to the server
if(move_uploaded_file($_FILES['photo']['tmp_name'], $target))
{
//Tells you if its all ok
echo "<center>Photo ". basename( $_FILES['uploadedfile']['name']). " has been uploaded, and your information has been added to the directory</center>";
}
//connect to database
mysql_connect('localhost','root','password');
mysql_select_db('price');
// check if the form has been submitted. If it has, start to process the form and save it to the database
if (isset($_POST['submit']))
{
// get form data, making sure it is valid
$model = mysql_real_escape_string(htmlspecialchars($_POST['model']));
$category = mysql_real_escape_string(htmlspecialchars($_POST['category']));
$weight = mysql_real_escape_string(htmlspecialchars($_POST['weight']));
$size = mysql_real_escape_string(htmlspecialchars($_POST['size']));
$entertainment = mysql_real_escape_string(htmlspecialchars($_POST['entertainment']));
$price = mysql_real_escape_string(htmlspecialchars($_POST['price']));
$date = mysql_real_escape_string(htmlspecialchars($_POST['date']));
$photo = mysql_real_escape_string(htmlspecialchars($_FILES['photo']['name']));
// check to make sure both fields are entered
if ($model == '' || $category == '')
{
// generate error message
$error = 'ERROR: Please fill in all required fields!';
// if either field is blank, display the form again
renderForm($model, $category, $weight, $size,$error);
}
else
{
// save the data to the database
mysql_query("INSERT mprice SET model='$model', category='$category', weight='$weight', size='$size', entertainment='$entertainment', price='$price', date='$date', photo='$photo'")
or die(mysql_error());
echo "<center>Done!</center>";
// once saved, redirect back to the view page
}
}
else
// if the form hasn't been submitted, display the form
{
renderForm('','','','','','','','');
}
?>
1 个解决方案
解决方案1
3 2014-10-11 12:16:12
You are experiencing sql injection. 您正在经历sql注入。 That is, you are allowing code submitted by a user to be run in your database server. 也就是说,您允许用户提交的代码在数据库服务器中运行。 The string 480 * 800 is code and the MySQL server is running it for you. 字符串480 * 800是代码,MySQL服务器正在为您运行它。
This is not a cool feature on the open internet. 在开放的互联网上,这不是一个很酷的功能。 Lucky for you, you don't have a ;DROP TABLE mprice; 幸运的是,您没有;DROP TABLE mprice; accelerometer in one of your rows, eh? 一行中的加速度计,是吗?
Please consider using bind variables. 请考虑使用绑定变量。 This is easiest to do if you upgrade your MySQL API to mysqli_ or PDO . 如果将MySQL API升级到mysqli_或PDO这是最容易做到的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.