![](/img/trans.png)
[英]Why isn't my MySQL database being updated on my local server after executing PHP script through iOS app?
[英]Why is my query not executing / why isn't a record being added to my database?
我有一個表單,可將用戶輸入提交給以下 php 腳本(我已排除定義 mysql 信息的行):
if (isset($_POST['ttname'])); {
$dbc = @mysql_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME) OR die('No DB connection');
$ttarray = array(1=> $_POST['mon1'], $_POST['mon2'], $_POST['mon3'], $_POST['mon4'], $_POST['mon5'], $_POST['tue1'], $_POST['tue2'], $_POST['tue3'], $_POST['tue4'],
$_POST['tue5'], $_POST['wed1'], $_POST['wed2'], $_POST['wed3'], $_POST['wed4'], $_POST['wed5'], $_POST['thu1'], $_POST['thu2'], $_POST['thu3'], $_POST['thu4'],
$_POST['thu5'], $_POST['fri1'], $_POST['fri2'], $_POST['fri3'], $_POST['fri4'], $_POST['fri5']);
$name = $_POST['ttname'];
$tt = implode(',', $ttarray);
$query = "INSERT INTO Timetable ('NAME','TIMETABLE')
VALUES ($name,$tt)";
$result = mysql_query($query,$dbc) or die('Query Failed');
}
但是,每當我嘗試向表單提交數據時,查詢都無法執行。
我會很感激任何可以幫助我解釋為什么會發生這種情況的人。
至少是這樣的:
$tt = mysql_real_escape_string(implode(',', $ttarray));
$query = "INSERT INTO Timetable ('NAME','TIMETABLE') VALUES ('$name','$tt')";
1) $tt
根本沒有轉義
2)您已經厭倦了插入比可用字段更多的值。 通過將$tt
更改為'$tt'
您將使字段數相同。
您將 4 個參數傳遞給 mysql_connect,AFAIK 數據庫不能是其中之一。
resource mysql_connect ([ string $server = ini_get("mysql.default_host") [, string $username = ini_get("mysql.default_user") [, string $password = ini_get("mysql.default_password") [, bool $new_link = false [, int $client_flags = 0 ]]]]] )
至少像這樣重寫您的代碼(非常冗長):
if (isset($_POST['ttname']));
{
$dbc = mysql_connect(DB_HOST, DB_USER, DB_PASS) OR die('No DB connection');
mysql_select_db(DB_NAME);
$ttarray = array($_POST['mon1'], $_POST['mon2'], $_POST['mon3'], $_POST['mon4'], $_POST['mon5'], $_POST['tue1'], $_POST['tue2'], $_POST['tue3'], $_POST['tue4'],
$_POST['tue5'], $_POST['wed1'], $_POST['wed2'], $_POST['wed3'], $_POST['wed4'], $_POST['wed5'], $_POST['thu1'], $_POST['thu2'], $_POST['thu3'], $_POST['thu4'],
$_POST['thu5'], $_POST['fri1'], $_POST['fri2'], $_POST['fri3'], $_POST['fri4'], $_POST['fri5']);
$sanitized = array();
foreach($ttarray as $value)
{
$sanitized[] = mysql_real_escape_string($value);
}
$name = mysql_real_escape_string($_POST['ttname']);
$tt = implode(',', $sanitized);
$query = "INSERT INTO Timetable ('name','timetable') VALUES ('".$name."', '".$tt."')";
$result = mysql_query($query, $dbc) or die('Query Failed');
}
但我強烈建議您在將來使用PDO和准備好的語句來防止這樣的高缺陷查詢。 mysql_real_escape_string 是一個很棒的 function 但它不是 100% 准確並且不會使您的查詢防注入。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.