[英]Written code in php and saving data in myphpadmin, data does't save into database nor it is any error
我已將以下代碼將相同的簡單數據寫入SQL。 它所做的一切都正確,只是沒有將數據保存到數據庫中。
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$ename = mysqli_real_escape_string($con,$_POST['ename']);
$enumber = mysqli_real_escape_string($con,$_POST['enumber']);
$eemail = mysqli_real_escape_string($con,$_POST['eemail']);
$eproperty = mysqli_real_escape_string($con,$_POST['eproperty']);
$emessage = mysqli_real_escape_string($con,$_POST['emessage']);
$status = "OK";
$msg="";
if ($status=="OK") {
$query = mysqli_query($con,"insert into enquiry (ename, enumber, eemail, eproperty, emessage) values('$ename', '$enumber', '$eemail', '$eproperty', $'emessage')");
print "<div class='alert alert-success'>Your property enquiry has been submitted successfully.</div>";
} else {
$errormsg = "<div class='alert alert-danger'>
<button type='button' class='close' data-dismiss='alert'>×</button>
<i class='fa fa-ban-circle'></i><strong>Please Fix Below Errors : </br></strong>".$msg."</div>"; //printing error if found in validation
}
}
您的代碼對SQL injections
開放,請使用准備好的語句。 錯誤在這里:
values('$ename', '$enumber', '$eemail', '$eproperty', $'emessage')");
這是$'emessage'
錯字,因此將其更改為:
'$emessage'
最后一個消息變量未正確添加
$query=mysqli_query($con,"insert into enquiry (ename, enumber, eemail, eproperty, emessage) values('$ename', '$enumber', '$eemail', '$eproperty', '$emessage')");//quote should be before variable itself
您的代碼很容易受到sql注入的攻擊。 在使用mysqli程序樣式時充分利用准備好的語句
使用准備好的語句,
$stmt = $con->prepare("INSERT INTO enquiry (ename,enumber,eemail,eproperty,emessage) VALUES(?,?,?,?,?)");//bind parameter to prevent sql injection
$stmt->bind_param('sssss', $ename,$enumber, $eemail,$eproperty,$emessage);
if($stmt->execute() === true) {
echo 'enquiry saved';
} else {
echo 'error'. $stmt->error;
}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.