[英]Error Inserting data in Database using Prepared Statement
我正在使用PHP和Prepared Statement為我的公司開發票務系統。 添加票證時,應該填寫以下字段:
這可以起作用: 1.您可以選擇從數據庫中提取的票證類型。 2.您可以選擇從數據庫中拉出的公司。 3.您可以選擇從數據庫中提取的訪問類型。 4.您可以選擇從數據庫中拉出的技術人員。
問題是,當您按下添加票證時,它不會向數據庫添加任何內容。
這是我的代碼:
newticket.php
<?php
$projects = ProjectData::getAll();
$priorities = PriorityData::getAll();
$ticket= TicketData::getAll();
$statuses = StatusData::getAll();
$kinds = KindData::getAll();
$users = UserData::getAll();
?>
<div class="row">
<div class="col-md-12">
<div class="card">
<div class="card-header" data-background-color="blue">
<h4 class="title">Nuevo Ticket</h4>
</div>
<div class="card-content table-responsive">
<form class="form-horizontal" role="form" method="post" action="./?action=addticket">
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Tipo</label>
<div class="col-lg-10">
<select name="kind_id" class="form-control" required>
<?php foreach($kinds as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Titulo</label>
<div class="col-lg-10">
<input type="text" name="title" required class="form-control" id="inputEmail1" placeholder="Titulo">
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Descripcion</label>
<div class="col-lg-10">
<textarea class="form-control" name="description" required placeholder="Descripcion"></textarea>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Fecha de la Visita</label>
<div class="col-lg-4">
<input name="date_at" id="date_at" class="form-control" type="date">
</div>
<label for="inputEmail1" class="col-lg-2 control-label">Hora de la Visita</label>
<div class="col-lg-4">
<input name="time_at" id="time_at" class="form-control" type="time" />
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Proyecto</label>
<div class="col-lg-4">
<select name="project_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach($projects as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
<label for="inputEmail1" class="col-lg-2 control-label">Categoria</label>
<div class="col-lg-4">
<select name="category_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach(CategoryData::getAll() as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Prioridad</label>
<div class="col-lg-4">
<select name="priority_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach($priorities as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
<label for="inputEmail1" class="col-lg-2 control-label">Estado</label>
<div class="col-lg-4">
<select name="status_id" class="form-control" required>
<?php foreach($statuses as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Asignar a</label>
<div class="col-lg-4">
<select name="tecnico_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach($users as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name." ".$p->lastname; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<div class="col-lg-offset-2 col-lg-10">
<button type="submit" class="btn btn-default">Agregar Ticket</button>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
ticketdata.php
<?php
class TicketData {
public static $tablename = "ticket";
public function TicketData(){
$this->name = "";
$this->lastname = "";
$this->email = "";
$this->password = "";
$this->date_at="";
$this->time_at="";
$this->tecnico_id="";
$this->created_at = "NOW()";
}
public function getTicket(){ return TicketData::getById($this->ticket_id); }
public function getProject(){ return ProjectData::getById($this->project_id); }
public function getPriority(){ return PriorityData::getById($this->priority_id); }
public function getStatus(){ return StatusData::getById($this->status_id); }
public function getKind(){ return KindData::getById($this->kind_id); }
public function getCategory(){ return CategoryData::getById($this->category_id); }
public function add(){
$sql = "insert into ticket (title,description,date_at,time_at,category_id,project_id,priority_id,user_id,status_id,kind_id,created_at,tecnico_id) ";
$sql .= "value (\"$this->title\",\"$this->description\",\"$this->date_at\",\"$this->time_at\",\"$this->category_id\",\"$this->project_id\",$this->priority_id,$this->user_id,$this->status_id,$this->kind_id,$this->created_at,$this->tecnico_id)";
return Executor::doit($sql);
}
public static function delById($id){
$sql = "delete from ".self::$tablename." where id=$id";
Executor::doit($sql);
}
public function del(){
$sql = "delete from ".self::$tablename." where id=$this->id";
Executor::doit($sql);
}
// partiendo de que ya tenemos creado un objecto TicketData previamente utilizamos el contexto
public function update(){
$sql = "update ".self::$tablename." set title=\"$this->title\",category_id=\"$this->category_id\",date_at=\"$this->date_at\",time_at=\"$this->time_at\",tecnico_id=\"$this->tecnico_id\",project_id=\"$this->project_id\",priority_id=\"$this->priority_id\",description=\"$this->description\",status_id=\"$this->status_id\",kind_id=\"$this->kind_id\",updated_at=NOW() where id=$this->id";
Executor::doit($sql);
}
public static function getById($id){
$sql = "select * from ".self::$tablename." where id=$id";
$query = Executor::doit($sql);
return Model::one($query[0],new TicketData());
}
public static function getRepeated($pacient_id,$medic_id,$date_at,$time_at){
$sql = "select * from ".self::$tablename." where pacient_id=$pacient_id and medic_id=$medic_id and date_at=\"$date_at\" and time_at=\"$time_at\"";
$query = Executor::doit($sql);
return Model::one($query[0],new TicketData());
}
public static function getByMail($mail){
$sql = "select * from ".self::$tablename." where mail=\"$mail\"";
$query = Executor::doit($sql);
return Model::one($query[0],new TicketData());
}
public static function getEvery(){
$sql = "select * from ".self::$tablename;
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getEvents(){
$sql = "select * from ".self::$tablename;
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAll(){
$sql = "select * from ".self::$tablename." order by created_at desc";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAllPendings(){
$sql = "select * from ".self::$tablename." where status_id=1";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAllByPacientId($id){
$sql = "select * from ".self::$tablename." where pacient_id=$id order by created_at";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAllByMedicId($id){
$sql = "select * from ".self::$tablename." where medic_id=$id order by created_at";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getBySQL($sql){
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getOld(){
$sql = "select * from ".self::$tablename." where date(date_at)<date(NOW()) order by date_at";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getLike($q){
$sql = "select * from ".self::$tablename." where title like '%$q%'";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
}
?>
更新
對TicketData.php進行了一些更改,以更正@smith和@Nick的觀察結果。 他們看起來像這樣:
class TicketData {
public static $tablename = "ticket";
public function TicketData(){
$this->name = "";
$this->title = "";
$this->description= "";
$this->lastname = "";
$this->email = "";
$this->password = "";
$this->date_at="";
$this->time_at="";
$this->tecnico_id="";
$this->created_at = "NOW()";
}
public function getProject(){ return ProjectData::getById($this->project_id); }
public function getPriority(){ return PriorityData::getById($this->priority_id); }
public function getStatus(){ return StatusData::getById($this->status_id); }
public function getKind(){ return KindData::getById($this->kind_id); }
public function getCategory(){ return CategoryData::getById($this->category_id); }
public function add(){
$sql = "insert into ticket (title,description,date_at,time_at,category_id,project_id,priority_id,user_id,status_id,kind_id,created_at,tecnico_id) ";
$sql .= "values (\"$this->title\",\"$this->description\",\"$this->date_at\",\"$this->time_at\",\"$this->category_id\",\"$this->project_id\",\"$this->priority_id\",\"$this->user_id\",\"$this->status_id\",\"$this->kind_id\",\"$this->created_at\",\"$this->tecnico_id\")";
return Executor::doit($sql);
}
現在, 它將保存以下字段:
kind_id
) title
) description
) date_at
) hour_at
) project_id
) category_id
) priority_id
) status_id
) 它不會保存此字段:
tecnico_id
) addticket-action.php
<?php
$r = new TicketData();
$r->title = $_POST["title"];
$r->description = $_POST["description"];
$r->category_id = $_POST["category_id"];
$r->project_id = $_POST["project_id"];
$r->priority_id = $_POST["priority_id"];
$r->user_id = $_SESSION["user_id"];
$r->status_id = $_POST["status_id"];
$r->kind_id = $_POST["kind_id"];
$r->date_at = $_POST["date_at"];
$r->time_at = $_POST["time_at"];
$r->tecnico_id = $_POST["tecnico_id"];
$r->created_at = $_POST["created_at"];
$r->add();
Core::alert("Successfully added!");
Core::redir("./index.php?view=tickets");
?>
我想在清理並轉換為適當的准備好的語句 之前使一切正常。 我需要更正/添加什么以使腳本保存( date_at
)( hour_at
)和( tecnico_id
)字段?
提供一些日志或后端錯誤消息可能對解決此問題很有幫助。
乍一看,最主要的是您實際上並沒有使用准備好的語句。 您基本上是將一個字符串串聯在一起以形成一個SQL語句,這有兩個原因,這很糟糕 :
","",""); DROP TABLE ticket; --
放入您的標題字段,則有人可能會核對您的票證表,因為您的代碼不會對此進行檢查。 這是一個很大的安全漏洞,因此,請將其塞住,同時為自己節省一些輸入衛生方面的麻煩! 如果您轉換為准備好的語句並且可以使用,則可能是一個消毒問題。 如果仍然無法使用,請在其中獲取一些日志記錄語句,然后看看您擁有什么。
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php https://www.w3schools.com/php/php_mysql_prepared_statements.asp
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.