PHP SQL将文本值插入数据库

Question

我正在从事一个在线购物车项目，该项目要求我能够向添加到购物车的每个商品添加自定义文本输入字段。 但是，当我尝试将卡中每个项目的信息插入数据库时​​，我无法弄清楚如何将itemtext值传递到我的INSERT语句中。 我如何才能将初始商品列表中的itemtext值传递到Orderitems的数据库中？ itemtext输入在第170行，我想将其传递到在第83行看到的INSERT语句中。

 <?php session_start(); $user = $_SESSION['user']; if(!isset($user)) { header("Location:userlogin.php"); } $cart = $_COOKIE['WSC']; if(isset($_POST['clear'])) { $expire = time() -60*60*24*7*365; setcookie("WSC", $cart, $expire); header("Location:order.php"); } if($cart && $_GET['id']) { $cart .= ',' . $_GET['id']; $expire = time() +60*60*24*7*365; setcookie("WSC", $cart, $expire); header("Location:order.php"); } if(!$cart && $_GET['id']) { $cart = $_GET['id']; $expire = time() +60*60*24*7*365; setcookie("WSC", $cart, $expire); header("Location:order.php"); } if($cart && $_GET['remove_id']) { $removed_item = $_GET['remove_id']; $arr = explode(",", $cart); unset($arr[$removed_item-1]); $new_cart = implode(",", $arr); $new_cart = rtrim($new_cart, ","); $expire = time() +60*60*24*7*365; setcookie("WSC", $new_cart, $expire); header("Location:order.php"); } if(isset($_POST['PlaceOrder'])) { $email = $user; $orderdate = date('m/d/Y'); $ordercost = $_POST['ordercost']; $ordertype = $_POST['ordertype']; $downcost = $_POST['downcost']; $cardtype = $_POST['cardtype']; $cardnumber = $_POST['cardnumber']; $cardsec = $_POST['cardsec']; $cardexpdate = $_POST['cardexpdate']; $orderstatus = "Pending"; if($ordertype=="") { $ordertypeMsg = "<br><span style='color:red;'>You must enter an order type.</span>"; } if($cardtype=="") { $cardtypeMsg = "<br><span style='color:red;'>You must enter a card type.</span>"; } if($cardnumber=="") { $cardnumberMsg = "<br><span style='color:red;'>You must enter a card number.</span>"; } if($cardsec=="") { $cardsecMsg = "<br><span style='color:red;'>You must enter a security code.</span>"; } if($cardexpdate=="") { $cardexpdateMsg = "<br><span style='color:red;'>You must enter an expiration date.</span>"; } else { include ('includes/dbc_admin.php'); $sql = "INSERT INTO Orders (email, orderdate, ordercost, ordertype, downcost, cardtype, cardnumber, cardsec, cardexpdate, orderstatus) VALUES ('$email', '$orderdate', '$ordercost', '$ordertype', '$downcost', '$cardtype', '$cardnumber', '$cardsec', '$cardexpdate', '$orderstatus')"; mysql_query($sql) or trigger_error("WHOA! ".mysql_error()); $sql = "SELECT orderid FROM Orders"; $result = mysql_query($sql) or die("Invalid query: " . mysql_error()); while($row=mysql_fetch_assoc($result)) { $myid = $row[orderid]; } $itemnumber = 1; $items = explode(',', $cart); foreach($items AS $item) { $sql = "SELECT * FROM Catalog where id = '$item'"; $result = mysql_query($sql) or die("Invalid query: " . mysql_error()); while($row=mysql_fetch_assoc($result)) { $itemtext = $_POST['itemtext']; $sql= "INSERT INTO OrderItems (orderid, itemnumber, itemid, itemtype, media, itemtext, price) VALUE ('$myid', '$itemnumber', '$row[itemid]', '$row[itemtype]', '$row[media]', '$itemtext[itemnumber]', '$row[price]')"; mysql_query($sql) or trigger_error("WHOA! ".mysql_error()); } $itemnumber++; } $inserted = "<h2>Thank You!</h2> <h3>Your order has been placed.</h3>"; } } ?> <!DOCTYPE html> <html> <head> <title>Williams Specialty Company</title> <link href="style.css" rel="stylesheet" type="text/css" /> <script type="text/javascript"> function validateForm() { var ordercost = document.form1.ordercost.value; var downcost = document.form1.downcost.value; var ordertype = document.form1.ordertype.value; var cardtype = document.form1.cardtype.value; var cardnumber = document.form1.cardnumber.value; var cardsec = document.form1.cardsec.value; var cardexpdate = document.form1.cardexpdate.value; var ordertypeMsg = document.getElementById('ordertypeMsg'); var cardtypeMsg = document.getElementById('cardtypeMsg'); var cardnumberMsg = document.getElementById('cardnumberMsg'); var cardsecMsg = document.getElementById('cardsecMsg'); var cardexpdateMsg = document.getElementById('cardexpdateMsg'); if(ordertype == ""){ordertypeMsg.innerHTML = "You must enter an order type."; return false;} if(cardtype == ""){cardtypeMsg.innerHTML = "You must enter a card type."; return false;} if(cardnumber == ""){cardnumberMsg.innerHTML = "You must enter a card number."; return false;} if(cardsec == ""){cardsecMsg.innerHTML = "You must enter a security code."; return false;} if(cardexpdate == ""){cardexpdateMsg.innerHTML = "You must enter an expiration date."; return false;} } </script> </head> <body> <?php include('includes/header.inc'); ?> <?php include('includes/nav.inc'); ?> <div id="wrapper"> <?php include('includes/aside.inc'); ?> <section> <h2>My Cart</h2> <table width="100%"> <tr> <th>Catalog ID</th> <th>Item Name</th> <th>Price</th> <th>Item Text</th> <th>Actions</th> </tr> <?php $cart = $_COOKIE['WSC']; if ($cart) { $i = 1; $ordercost; include('includes/dbc.php'); $items = explode(',', $cart); foreach($items AS $item) { $sql = "SELECT * FROM Catalog where id = '$item'"; $result = mysql_query($sql) or die("Invalid query: " . mysql_error()); while($row=mysql_fetch_assoc($result)) { echo '<tr>'; echo '<td align="left">'; echo $row['itemid']; echo '</td>'; echo '<td align="left">'; echo $row['itemname']; echo '</td>'; echo '<td align="left">'; echo $row['price']; $ordercost+=$row['price']; $downcost = $ordercost / 10; echo '</td>'; echo '<td align="left">'; echo '<p><input type="text" id= "itemtext" name="itemtext"></p>'; echo '</td>'; echo '<td align="left">'; echo '<a href="order.php?remove_id='.$i.'">Remove From Cart</a>'; echo '</td>'; echo '</tr>'; } $i++; } } ?> </table><br /> <form method="POST" action="<?php $_SERVER['PHP_SELF'];?>"> <input type="submit" name="clear" value="Empty Shopping Cart"> </form> <?php if(isset($inserted)) {echo $inserted;} else{ ?> <form method="post" action="<?php echo $SERVER['PHP_SELF'] ?>" name="form1" onSubmit="return validateForm()"> <p>Total Price: <?php echo $ordercost;?> <input type="hidden" id="ordercost" name="ordercost" value="<?php echo $ordercost;?>"> </p> <p>Down Cost: <?php echo number_format((float)$downcost, 2, '.', '');?> <input type="hidden" id="downcost" name="downcost" value="<?php echo number_format((float)$downcost, 2, '.', '');?>"> </p> <p><label>Order Type:</label><br> <input type="text" id="ordertype" name="ordertype"> <?php if(isset($ordertypeMsg)) {echo $ordertypeMsg;} ?> <br /><span id="ordertypeMsg" style="color:red"></span> </p> <p><label>Card Type:</label><br> <input type="text" id="cardtype" name="cardtype"> <?php if(isset($cardtypeMsg)) {echo $cardtypeMsg;} ?> <br /><span id="cardtypeMsg" style="color:red"></span> </p> <p><label>Card Number:</label><br> <input type="text" id="cardnumber" name="cardnumber"> <?php if(isset($cardnumberMsg)) {echo $cardnumberMsg;} ?> <br /><span id="cardnumberMsg" style="color:red"></span> </p> <p><label>Card Security Code:</label><br> <input type="text" id="cardsec" name="cardsec"> <?php if(isset($cardsecMsg)) {echo $cardsecMsg;} ?> <br /><span id="cardsecMsg" style="color:red"></span> </p> <p><label>Card Expiration Date:</label><br> <input type="text" id="cardexpdate" name="cardexpdate"> <?php if(isset($cardexpdateMsg)) {echo $cardexpdateMsg;} ?> <br /><span id="cardexpdateMsg" style="color:red"></span> </p> <p><input type="submit" name="PlaceOrder" value="Place Order"></p> </form><?php }?> </section> </div> <?php include('includes/footer.inc'); ?> </body> </html> 

Answer 1

更新：这是您的答案：将'$itemtext[itemnumber]'更改为'$itemtext'

这是错误的，因为您使用引号的方式。 （不是答案，但您可能想考虑一下；-)）

$sql = "INSERT INTO Orders (email, orderdate, ordercost, ordertype, downcost, cardtype, cardnumber, cardsec, cardexpdate, orderstatus)
        VALUES ('$email', '$orderdate', '$ordercost', '$ordertype', '$downcost', '$cardtype', '$cardnumber', '$cardsec', '$cardexpdate', '$orderstatus')";

你不应该使用'$email'但-对于示例- ...VALUES ('".$email."',...

在此处了解更多信息： PHP中的单引号和双引号字符串有什么区别？

另外，您的代码不安全。 请使用： http : //php.net/manual/en/function.mysql-real-escape-string.php

例：
...VALUES ('".mysql_real_escape_string($email)."',...