PHP MYSQL-空变量在插入时失败
[英]PHP MYSQL - empty variable fails on insert
问题描述
I have an insert statement that inserts variables collected from a form POST on the previous page. 
我有一个插入语句,该语句插入从上一页的POST表单收集的变量。 If the variables from the form are not filled in it fails on insert (presumably because it is inserting an empty string...) I have the dataype set to allow NULL values - how do I insert null values if the field was left empty from the form POST? 如果未填写表单中的变量,则它在插入时会失败(大概是因为它正在插入一个空字符串...)我将dataype设置为允许NULL值-如果从POST表格?
$query = "
INSERT INTO songs (
userid,
wavURL,
mp3URL,
genre,
songTitle,
BPM
) VALUES (
'$userid',
'$wavFile',
'$mp3File',
'$genre',
'$songTitle',
'$BPM'
)
";
$result = mysql_query($query);
3 个解决方案
解决方案1
1 2011-09-18 02:19:03
The exact manner depends on if you are writing the query or binding parameters to a prepared statement. 确切的方式取决于您是否将查询或绑定参数写入到准备好的语句中。
If writing your own, it would look something like this: 如果您自己编写,它将看起来像这样:
$value = empty($_POST['bar']) ? null : $_POST['bar'];
$sql = sprintf('INSERT INTO foo (bar) VALUES (%s)',
$value === null ? 'NULL', "'".mysql_real_escape_string($value)."'");
$result = mysql_query($sql);
The main point is that you need to pass in the string NULL (without quotes) if the value should be null and the string 'val' if the value should be "val". 要点是,如果值应为null,则需要传递字符串NULL (不带引号),如果值应为'val'则需要传递字符串“ val”。 Note that since we are writing string literals in PHP, in both cases there is one more pair of quotes in the source code (this makes one pair in the first case, two pairs in the second). 请注意,由于我们使用PHP编写字符串文字,因此在两种情况下,源代码中都存在一对引号(在第一种情况下为一对,在第二种情况下为两对)。
Warning: When inserting to the database directly from request variables, it is very easy to be wide open to SQL injection attacks. 警告:直接从请求变量插入数据库时,很容易对SQL注入攻击敞开大门。 Do not be another victim; 不要成为另一个受害者; read about how to protect yourself and implement one of the universally accepted solutions. 了解有关如何保护自己并实现普遍接受的解决方案之一的信息。
解决方案2
0 2011-09-18 02:34:50
对于我所了解的,当某些内容未填充时,post变量不会设置为空值,而是根本不会设置,因此在php中您可以这样做:
$genre = isset($_POST['genre']) ? $_POST['genre'] : NULL;
解决方案3
0 2011-09-18 03:49:34
Here's how I do it. 这是我的方法。 I don't like sending anything to an SQL query right from POST (always sanitize!) in the following cas you just run through the POST vars one by one and assign them to a secondary array while checking for 0 length strings and setting them to NULL. 我不喜欢在以下cas中直接从POST发送任何内容到SQL查询(总是清理!),您只是逐个运行POST变量并将它们分配给辅助数组,同时检查长度为0的字符串并将其设置为空值。
foreach ($_POST as $key => $value) {
strlen($value)=0 ? $vars[$key] = NULL : $vars[$key] = $value
}
Then you can build your SQL query from the newly created $vars[] array. 然后,您可以从新创建的$ vars []数组构建SQL查询。
As Jon states above, this would be the place to also escape strings, strip code and basically do all your server side validation prior to data being inserted into the db. 正如Jon所说,这里是转义字符串,剥离代码并基本上在将数据插入db之前进行所有服务器端验证的地方。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.