PHP仅在VARCHAR列中向sql添加数字

Question

当直接在 MySQL 中使用查询时，PHP 仅在 VARCHAR 列中向 MySQL 添加数字而不是文本，它可以工作……但是如果我使用 HTML 中的$_POST ，它会失败，我不知道它是如何失败的。 这里有什么问题 ？

<?php 
    $link=mysqli_connect("localhost","root","","home_ac");
    if(mysqli_connect_error()) {
        die("error in database");
    }

    $name =$_POST["name"];
    $query = "INSERT INTO `test`(`number`, `name`) VALUES (NULL,$name)";

    if(mysqli_query($link, $query)){
        echo "done";
    }
    else {
        echo "failed";
    }   
?>

<!doctype html>
<html>
    <head>
    <meta charset="utf-8">
        <title>Untitled Document</title>
    </head>

    <body>
        <form method="post">
            <input type="text" placeholder="enter a name" name="name">
            <input type="submit" value="add">
        </form>
    </body>
</html>

Answer 1

你需要在文本周围引用

$query = "INSERT INTO `test`(`number`, `name`) VALUES (NULL,'$name')";

请考虑准备好的查询。 它解决了引号问题并防止 SQL 注入。

Answer 2

您必须使用 PHP Prepared Statements 或 PHP Data Objects (PDO)。

例如，使用 PDO：

<html>
    <head>
    <meta charset="utf-8">
    <title> Example PDO Insert </title>
    </head>

    <body>
    <form method="post" action="" name="myForm" id="myForm">

        <input type="text" placeholder="Enter Your Name" name="name" required="required">
        <input type="submit" name="submit" value="add">
    </form>
    </body>
</html>




<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "home_ac";

try {

    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);


    if ( isset($_POST['submit']) && !empty($_POST['name']) ) {
        # code...

    $sql = "INSERT INTO test (number,name) VALUES (NULL,'$name')";
    // use exec() because no results are returned
    $conn->exec($sql);
    echo "New record created successfully";

    }

}
catch(PDOException $e)
    {
    echo $sql . "<br>" . $e->getMessage();
    }

$conn = null;
?>