PHP 表单不插入 SQL 数据库
[英]PHP form doesn't insert into SQL database
问题描述
I am trying to test a very simple PHP form that inserts input into an SQL database.
我正在尝试测试一个非常简单的 PHP 表单,该表单将输入插入到 SQL 数据库中。 The connection works fine, but the data does not appear in the database when I refresh it.连接工作正常,但刷新数据库时数据没有出现在数据库中。 I have only two files, an index.html and a process.php.我只有两个文件,一个 index.html 和一个 process.php。
index.html:索引.html:
<html>
<head>Testing</head>
<body>
<div id="frm">
<form action="process.php" method=POST>
<p>
<label>Username</label>
<input type="text" id="stuff" name="stuff">
</p>
<p>
<input type="submit" id="btn" value="Login">
</p>
</form>
</div>
</body>
</html>
Process.php:进程.php:
<?php
$userinput = $_POST['stuff'];
$servername = "localhost";
$username = "root";
$password = "";
$database = "testing";
$conn = new mysqli($servername, $username, $password, $database);
if ($conn->connect_error)
{
die("connection failed: " . $conn->connect_error);
}
else
{
echo "Connected successfully ";
echo $userinput;
$sql = "INSERT INTO `entries`(`input`) VALUES ('$userinput')";
}
?>
4 个解决方案
解决方案1
1 2020-02-06 09:20:30
The problem is that you're not actually running the query.问题是您实际上并没有运行查询。 You just assigned the query string to a variable, so it's not being executed in MySQL.您刚刚将查询字符串分配给一个变量,因此它不会在 MySQL 中执行。
Your code is vulnerable to SQL injection , so I'm proposing a solution:您的代码容易受到SQL 注入的影响,因此我提出了一个解决方案:
<?php
$userinput = $_POST['stuff'];
$servername = "localhost";
$username = "root";
$password = "";
$database = "testing";
$conn = new mysqli($servername, $username, $password, $database);
if ($conn->connect_error)
{
die("connection failed: " . $conn->connect_error);
}
else
{
echo "Connected successfully ";
echo $userinput;
$sql = "INSERT INTO `entries` (`input`) VALUES (?)";
if ($stmt = $conn->prepare($sql)) { // Prepare statement
$stmt->bind_param("s", $userinput); //Bind the string (s), with the content from $userinput to the statement marker (?)
$stmt->execute(); // Run (execute) the query
$stmt->close(); //clean up
}
This code should work and also keep you secure from SQL injections.此代码应该可以工作,并且还可以保护您免受 SQL 注入的侵害。
解决方案2
0 2020-02-06 02:15:12
Haven't tested it fully but I fixed your query.尚未对其进行全面测试,但我已修复您的查询。
$sql = mysqli_query($conn, "INSERT INTO entries (input) VALUES ('$userinput')");
also change the post part to: <form action="process.php" method="POST">还将帖子部分更改为: <form action="process.php" method="POST">
That should fix the problem for you那应该可以为您解决问题
Also make sure you use the function: mysqli_real_escape_string to escape malicious user input to prevent SQL injection.还要确保使用函数: mysqli_real_escape_string来转义恶意用户输入以防止 SQL 注入。
Another thing: you could change localhost to 127.0.0.1.另一件事:您可以将 localhost 更改为 127.0.0.1。 I think this is more reliable although it's the same in most cases.我认为这更可靠,尽管在大多数情况下它是相同的。
解决方案3
-1 2020-02-06 02:20:16
Your code is not submitting the query to the database, it is opening the connection but not submitting the query, see below to the submit query request if you use mysqli in PHP您的代码未将查询提交到数据库,而是打开连接但未提交查询,如果您在 PHP 中使用 mysqli,请参阅下面的提交查询请求
... else {
# this submits the query
$conn -> query ($sql);
}
解决方案4
-2 2020-02-06 09:09:00
you need to take function mysqli_query of mysqli that will take parameter as connection object like $conn and 2nd parameter will be sql query to execute.您需要采用mysqli的函数mysqli_query,它将参数作为连接对象,如$conn,第二个参数将是要执行的sql查询。 like this像这样
$sql = mysqli_query($conn, "INSERT INTO entries (input) VALUES ('$userinput')");
to prevent from sql injection you must use PDO because PDO use paramBind to protect injection .为了防止 sql 注入,您必须使用 PDO,因为 PDO 使用 paramBind 来保护注入。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.