[英]Why isn't my MySQL database being updated on my local server after executing PHP script through iOS app?
[英]Why is my query not executing / why isn't a record being added to my database?
我有一个表单,可将用户输入提交给以下 php 脚本(我已排除定义 mysql 信息的行):
if (isset($_POST['ttname'])); {
$dbc = @mysql_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME) OR die('No DB connection');
$ttarray = array(1=> $_POST['mon1'], $_POST['mon2'], $_POST['mon3'], $_POST['mon4'], $_POST['mon5'], $_POST['tue1'], $_POST['tue2'], $_POST['tue3'], $_POST['tue4'],
$_POST['tue5'], $_POST['wed1'], $_POST['wed2'], $_POST['wed3'], $_POST['wed4'], $_POST['wed5'], $_POST['thu1'], $_POST['thu2'], $_POST['thu3'], $_POST['thu4'],
$_POST['thu5'], $_POST['fri1'], $_POST['fri2'], $_POST['fri3'], $_POST['fri4'], $_POST['fri5']);
$name = $_POST['ttname'];
$tt = implode(',', $ttarray);
$query = "INSERT INTO Timetable ('NAME','TIMETABLE')
VALUES ($name,$tt)";
$result = mysql_query($query,$dbc) or die('Query Failed');
}
但是,每当我尝试向表单提交数据时,查询都无法执行。
我会很感激任何可以帮助我解释为什么会发生这种情况的人。
至少是这样的:
$tt = mysql_real_escape_string(implode(',', $ttarray));
$query = "INSERT INTO Timetable ('NAME','TIMETABLE') VALUES ('$name','$tt')";
1) $tt
根本没有转义
2)您已经厌倦了插入比可用字段更多的值。 通过将$tt
更改为'$tt'
您将使字段数相同。
您将 4 个参数传递给 mysql_connect,AFAIK 数据库不能是其中之一。
resource mysql_connect ([ string $server = ini_get("mysql.default_host") [, string $username = ini_get("mysql.default_user") [, string $password = ini_get("mysql.default_password") [, bool $new_link = false [, int $client_flags = 0 ]]]]] )
至少像这样重写您的代码(非常冗长):
if (isset($_POST['ttname']));
{
$dbc = mysql_connect(DB_HOST, DB_USER, DB_PASS) OR die('No DB connection');
mysql_select_db(DB_NAME);
$ttarray = array($_POST['mon1'], $_POST['mon2'], $_POST['mon3'], $_POST['mon4'], $_POST['mon5'], $_POST['tue1'], $_POST['tue2'], $_POST['tue3'], $_POST['tue4'],
$_POST['tue5'], $_POST['wed1'], $_POST['wed2'], $_POST['wed3'], $_POST['wed4'], $_POST['wed5'], $_POST['thu1'], $_POST['thu2'], $_POST['thu3'], $_POST['thu4'],
$_POST['thu5'], $_POST['fri1'], $_POST['fri2'], $_POST['fri3'], $_POST['fri4'], $_POST['fri5']);
$sanitized = array();
foreach($ttarray as $value)
{
$sanitized[] = mysql_real_escape_string($value);
}
$name = mysql_real_escape_string($_POST['ttname']);
$tt = implode(',', $sanitized);
$query = "INSERT INTO Timetable ('name','timetable') VALUES ('".$name."', '".$tt."')";
$result = mysql_query($query, $dbc) or die('Query Failed');
}
但我强烈建议您在将来使用PDO和准备好的语句来防止这样的高缺陷查询。 mysql_real_escape_string 是一个很棒的 function 但它不是 100% 准确并且不会使您的查询防注入。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.