为什么我收到错误“'字段列表'中的未知列'存款'”
[英]Why am I receiving the error “Unknown column 'deposit' in 'field list'”
问题描述
I have created a simple HTML form for submitting an amount of money that should be deposited into an account.
我创建了一个简单的 HTML 表单,用于提交应存入帐户的金额。 The form consists of a number input and a submit button.该表单由一个数字输入和一个提交按钮组成。
When I press the submit button after inputting 10 in the input box I get this following error message:当我在输入框中输入10后按下提交按钮时,我收到以下错误消息:
Error updating record: Unknown column 'deposit' in 'field list'
I don't have such a column in my table as can be seen on the following image:我的表中没有这样的列,如下图所示:
Welcome to the Bank! <br><br>
<table bgcolor="orange" border="1" cellspacing="0" cellpadding="50">
<tr><td>
<form action="" method='post'><b>Amount of money you want to deposit:</b><br><br>
<input type='number'><input name ='deposit' type='submit' value='deposit'></td></form>
<?php include 'db.php';
if (isset($_POST['deposit']))
{
$deposit = $_POST['deposit'];
$sql = "UPDATE bank SET bank = bank + $deposit, cash_on_hand = cash_on_hand - $deposit WHERE id=1";
if ($conn->query($sql) === TRUE)
{
echo "Record updated successfully"; /*Money Deposited successfully!*/
}
else
{
echo "Error updating record: " . $conn->error;
}
$conn-> close();
}
?>
2 个解决方案
解决方案1
1 已采纳 2021-02-02 20:35:54
You have two problems with this code.这段代码有两个问题。 The biggest one is that you have SQL injection.最大的一个是你有 SQL 注入。 This is the reason why you get that error message.这就是您收到该错误消息的原因。
You should never ever inject variables directly into SQL.永远不要将变量直接注入 SQL。 This will break your SQL and cause errors which can even be abused by attackers.这将破坏您的 SQL 并导致甚至可能被攻击者滥用的错误。 When you submit the form by pressing on the button the value of the button is sent to PHP.当您通过按下按钮提交表单时,按钮的值将发送到 PHP。 This value is then injected into SQL.然后将该值注入 SQL。
// The value comes from <input name ='deposit' type='submit' value='deposit'>
$deposit = $_POST['deposit'];
$sql = "UPDATE bank SET bank = bank + $deposit, cash_on_hand = cash_on_hand - $deposit WHERE id=1";
// this becomes an invalid query
$sql = "UPDATE bank SET bank = bank + deposit, cash_on_hand = cash_on_hand - deposit WHERE id=1";
Always use prepared statements with parameter binding.始终使用带有参数绑定的准备好的语句。
include 'db.php';
if (isset($_POST['deposit'])) {
$deposit = $_POST['deposit'];
$stmt = $conn->prepare('UPDATE bank SET bank = bank + ?, cash_on_hand = cash_on_hand - ? WHERE id=1');
$stmt->bind_param('ss', $deposit, $deposit); //bind the same variable twice for the two placeholders
$stmt->execute();
}
Your second problem is the broken HTML form.您的第二个问题是损坏的 HTML 表格。 Only <input> s with name are submitted to the server.只有带有名称的<input>被提交到服务器。 The submit button doesn't need a name, but the number input field does.提交按钮不需要名称,但数字输入字段需要。 When fixed it should look something like this:修复后它应该看起来像这样:
<form action="" method='post'>
<b>Amount of money you want to deposit:</b>
<br><br>
<input type='number' name='deposit'>
<input type='submit'>
</form>
If you want to learn more about HTML forms there is a guide on MDN .如果您想了解有关 HTML forms 的更多信息,请参阅MDN 指南。
解决方案2
0 2021-02-02 20:32:43
Change this:改变这个:
<input type='number'><input name ='deposit' type='submit' value='deposit'>
to this:对此:
<input type='number' name="deposit"/><input name='submit' type='submit' value='deposit'/>
The way you've got it now, it sends the word "deposit" to your server, because that's the value of the button (which is the field which has the name="deposit" . Meanwhile, your number field doesn't have a name at all, and therefore doesn't get submitted with the form.你现在得到它的方式,它将“存款”这个词发送到你的服务器,因为这是按钮的值(这是具有name="deposit"的字段。同时,你的数字字段没有一个名字,因此不会与表单一起提交。
That's the root cause of your error because your SQL (due to the lack of proper parameterised queries) ends up as这是您的错误的根本原因,因为您的 SQL (由于缺乏适当的参数化查询)最终成为
UPDATE bank SET bank = bank + deposit, cash_on_hand = cash_on_hand - deposit WHERE id=1
And of course deposit , as you rightly say, isn't a column in your table.当然,如您所说, deposit不是您表格中的一列。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.