使用Prepared Statement在數據庫中插入數據時出錯
[英]Error Inserting data in Database using Prepared Statement
問題描述
我正在使用PHP和Prepared Statement為我的公司開發票務系統。 添加票證時,應該填寫以下字段:
- 機票類型
- 門票標題
- 門票說明
- 要求日期
- 要求的小時數
- 公司
- 參觀類型
- 優先
- 狀態
- 指派技術員
這可以起作用: 1.您可以選擇從數據庫中提取的票證類型。 2.您可以選擇從數據庫中拉出的公司。 3.您可以選擇從數據庫中提取的訪問類型。 4.您可以選擇從數據庫中拉出的技術人員。
問題是,當您按下添加票證時,它不會向數據庫添加任何內容。
這是我的代碼:
newticket.php
<?php
$projects = ProjectData::getAll();
$priorities = PriorityData::getAll();
$ticket= TicketData::getAll();
$statuses = StatusData::getAll();
$kinds = KindData::getAll();
$users = UserData::getAll();
?>
<div class="row">
<div class="col-md-12">
<div class="card">
<div class="card-header" data-background-color="blue">
<h4 class="title">Nuevo Ticket</h4>
</div>
<div class="card-content table-responsive">
<form class="form-horizontal" role="form" method="post" action="./?action=addticket">
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Tipo</label>
<div class="col-lg-10">
<select name="kind_id" class="form-control" required>
<?php foreach($kinds as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Titulo</label>
<div class="col-lg-10">
<input type="text" name="title" required class="form-control" id="inputEmail1" placeholder="Titulo">
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Descripcion</label>
<div class="col-lg-10">
<textarea class="form-control" name="description" required placeholder="Descripcion"></textarea>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Fecha de la Visita</label>
<div class="col-lg-4">
<input name="date_at" id="date_at" class="form-control" type="date">
</div>
<label for="inputEmail1" class="col-lg-2 control-label">Hora de la Visita</label>
<div class="col-lg-4">
<input name="time_at" id="time_at" class="form-control" type="time" />
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Proyecto</label>
<div class="col-lg-4">
<select name="project_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach($projects as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
<label for="inputEmail1" class="col-lg-2 control-label">Categoria</label>
<div class="col-lg-4">
<select name="category_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach(CategoryData::getAll() as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Prioridad</label>
<div class="col-lg-4">
<select name="priority_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach($priorities as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
<label for="inputEmail1" class="col-lg-2 control-label">Estado</label>
<div class="col-lg-4">
<select name="status_id" class="form-control" required>
<?php foreach($statuses as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Asignar a</label>
<div class="col-lg-4">
<select name="tecnico_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach($users as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name." ".$p->lastname; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<div class="col-lg-offset-2 col-lg-10">
<button type="submit" class="btn btn-default">Agregar Ticket</button>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
ticketdata.php
<?php
class TicketData {
public static $tablename = "ticket";
public function TicketData(){
$this->name = "";
$this->lastname = "";
$this->email = "";
$this->password = "";
$this->date_at="";
$this->time_at="";
$this->tecnico_id="";
$this->created_at = "NOW()";
}
public function getTicket(){ return TicketData::getById($this->ticket_id); }
public function getProject(){ return ProjectData::getById($this->project_id); }
public function getPriority(){ return PriorityData::getById($this->priority_id); }
public function getStatus(){ return StatusData::getById($this->status_id); }
public function getKind(){ return KindData::getById($this->kind_id); }
public function getCategory(){ return CategoryData::getById($this->category_id); }
public function add(){
$sql = "insert into ticket (title,description,date_at,time_at,category_id,project_id,priority_id,user_id,status_id,kind_id,created_at,tecnico_id) ";
$sql .= "value (\"$this->title\",\"$this->description\",\"$this->date_at\",\"$this->time_at\",\"$this->category_id\",\"$this->project_id\",$this->priority_id,$this->user_id,$this->status_id,$this->kind_id,$this->created_at,$this->tecnico_id)";
return Executor::doit($sql);
}
public static function delById($id){
$sql = "delete from ".self::$tablename." where id=$id";
Executor::doit($sql);
}
public function del(){
$sql = "delete from ".self::$tablename." where id=$this->id";
Executor::doit($sql);
}
// partiendo de que ya tenemos creado un objecto TicketData previamente utilizamos el contexto
public function update(){
$sql = "update ".self::$tablename." set title=\"$this->title\",category_id=\"$this->category_id\",date_at=\"$this->date_at\",time_at=\"$this->time_at\",tecnico_id=\"$this->tecnico_id\",project_id=\"$this->project_id\",priority_id=\"$this->priority_id\",description=\"$this->description\",status_id=\"$this->status_id\",kind_id=\"$this->kind_id\",updated_at=NOW() where id=$this->id";
Executor::doit($sql);
}
public static function getById($id){
$sql = "select * from ".self::$tablename." where id=$id";
$query = Executor::doit($sql);
return Model::one($query[0],new TicketData());
}
public static function getRepeated($pacient_id,$medic_id,$date_at,$time_at){
$sql = "select * from ".self::$tablename." where pacient_id=$pacient_id and medic_id=$medic_id and date_at=\"$date_at\" and time_at=\"$time_at\"";
$query = Executor::doit($sql);
return Model::one($query[0],new TicketData());
}
public static function getByMail($mail){
$sql = "select * from ".self::$tablename." where mail=\"$mail\"";
$query = Executor::doit($sql);
return Model::one($query[0],new TicketData());
}
public static function getEvery(){
$sql = "select * from ".self::$tablename;
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getEvents(){
$sql = "select * from ".self::$tablename;
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAll(){
$sql = "select * from ".self::$tablename." order by created_at desc";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAllPendings(){
$sql = "select * from ".self::$tablename." where status_id=1";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAllByPacientId($id){
$sql = "select * from ".self::$tablename." where pacient_id=$id order by created_at";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAllByMedicId($id){
$sql = "select * from ".self::$tablename." where medic_id=$id order by created_at";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getBySQL($sql){
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getOld(){
$sql = "select * from ".self::$tablename." where date(date_at)<date(NOW()) order by date_at";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getLike($q){
$sql = "select * from ".self::$tablename." where title like '%$q%'";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
}
?>
更新
對TicketData.php進行了一些更改,以更正@smith和@Nick的觀察結果。 他們看起來像這樣:
class TicketData {
public static $tablename = "ticket";
public function TicketData(){
$this->name = "";
$this->title = "";
$this->description= "";
$this->lastname = "";
$this->email = "";
$this->password = "";
$this->date_at="";
$this->time_at="";
$this->tecnico_id="";
$this->created_at = "NOW()";
}
public function getProject(){ return ProjectData::getById($this->project_id); }
public function getPriority(){ return PriorityData::getById($this->priority_id); }
public function getStatus(){ return StatusData::getById($this->status_id); }
public function getKind(){ return KindData::getById($this->kind_id); }
public function getCategory(){ return CategoryData::getById($this->category_id); }
public function add(){
$sql = "insert into ticket (title,description,date_at,time_at,category_id,project_id,priority_id,user_id,status_id,kind_id,created_at,tecnico_id) ";
$sql .= "values (\"$this->title\",\"$this->description\",\"$this->date_at\",\"$this->time_at\",\"$this->category_id\",\"$this->project_id\",\"$this->priority_id\",\"$this->user_id\",\"$this->status_id\",\"$this->kind_id\",\"$this->created_at\",\"$this->tecnico_id\")";
return Executor::doit($sql);
}
現在, 它將保存以下字段:
- 票證類型(
kind_id) - 票務標題(
title) - 機票說明(
description) - 要求的日期(
date_at) - 要求的小時數(
hour_at) - 公司(
project_id) - 訪問類型(
category_id) - 優先級(
priority_id) - 狀態(
status_id)
它不會保存此字段:
- 指派技術員(
tecnico_id)
addticket-action.php
<?php
$r = new TicketData();
$r->title = $_POST["title"];
$r->description = $_POST["description"];
$r->category_id = $_POST["category_id"];
$r->project_id = $_POST["project_id"];
$r->priority_id = $_POST["priority_id"];
$r->user_id = $_SESSION["user_id"];
$r->status_id = $_POST["status_id"];
$r->kind_id = $_POST["kind_id"];
$r->date_at = $_POST["date_at"];
$r->time_at = $_POST["time_at"];
$r->tecnico_id = $_POST["tecnico_id"];
$r->created_at = $_POST["created_at"];
$r->add();
Core::alert("Successfully added!");
Core::redir("./index.php?view=tickets");
?>
我想在清理並轉換為適當的准備好的語句 之前使一切正常。 我需要更正/添加什么以使腳本保存( date_at )( hour_at )和( tecnico_id )字段?
1 個解決方案
解決方案1
0 2018-05-28 04:25:00
提供一些日志或后端錯誤消息可能對解決此問題很有幫助。
乍一看,最主要的是您實際上並沒有使用准備好的語句。 您基本上是將一個字符串串聯在一起以形成一個SQL語句,這有兩個原因,這很糟糕 :
- 您容易受到SQL注入的攻擊。 例如,如果您將
","",""); DROP TABLE ticket; --放入您的標題字段,則有人可能會核對您的票證表,因為您的代碼不會對此進行檢查。 - 您需要清理您的輸入。 如果title包含雙引號,則會過早結束您的字符串輸入,從而導致SQL失敗。
這是一個很大的安全漏洞,因此,請將其塞住,同時為自己節省一些輸入衛生方面的麻煩! 如果您轉換為准備好的語句並且可以使用,則可能是一個消毒問題。 如果仍然無法使用,請在其中獲取一些日志記錄語句,然后看看您擁有什么。
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php https://www.w3schools.com/php/php_mysql_prepared_statements.asp
無法使用PHP中的准備好的語句將數據插入數據庫,未報告錯誤
[英]Failing to insert data into database using prepared statement in PHP, no error reported
如何使用php中的預處理語句從mysql數據庫中檢索數據?
[英]How to retrieve data from the mysql database using prepared statement in php?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.