[英]Could you tell me what is wrong with this piece of code for my blog?
If I remove this code, my page loads. 如果删除此代码,则会加载页面。 But If I add this, I get a HTTP Error 500 from my web matrix.
但是,如果添加此内容,则会从Web矩阵中收到HTTP错误500。
<?php
try {
if(isset(['submit'])) {
include('config.php');
$subject = $_POST['subject'];
$content = $_POST['editor1'];
$date = $_POST['date'];
$tags = $_POST['tags'];
$author = $_POST['author'];
$thumbnail = $_POST['thumbnail'];
$sql = "INSERT INTO articles (Subject, Content, Date, Author, Tags, Thumbnail) VALUES ('$subject','$content','$date','$author','$tags', '$thumbnail')";
$dbh->query($sql);
}
} catch(PDOException $e) {
echo $e->getMessage();
}
?>
In the line 在行中
if (isset(['submit']))
there is a variable missing. 缺少变量。 You may want to use this line:
您可能要使用此行:
if(isset($_POST['submit']))
By the way your SQL code is open for blind SQL injections. 顺便说一下,您的SQL代码是开放的,用于盲SQL注入。 You should parse the parameter or better still, use prepared statements.
您应该解析参数,或者最好还是使用准备好的语句。
$stmt = $dbh->prepare("INSERT INTO articles (Subject, Content, Date, Author, Tags, Thumbnail) VALUES (':subject',':content',':date',':author',':tags', ':thumbnail')");
$stmt->bindParam(':subject', $subject);
$stmt->bindParam(':content', $content);
// ...
$stmt->execute();
This is not a statement: 这不是声明:
if (isset(['submit']))
it should be: 它应该是:
if (isset($_POST['submit']))
with all chance. 很有机会。
Anyway, you should bind parameters to the query, and not hardcode them into it. 无论如何,您应该将参数绑定到查询,而不要将其硬编码到查询中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.