0

这是代码有问题的部分: 

$query = mysql_query("INSERT INTO members 
(user, pass, mail, country, city, www, credo)
VALUES  ('$_POST[user]','$_POST[pass]', '$_POST[mail]',
'$_POST[country]', '$_POST[city]', '$_POST[www]', '$_POST[credo]')")
or die ("Error - Couldn't register user.");

我得到了模具错误。
我怎样才能找到无法执行的更具体的部分?
我试图一一消除字段 - 没有结果。

4

3 回答 3

2

这应该会向您展示查询失败的原因,并且至少可以防止一些安全问题:

小改进

// Run by each $_POST entry and set it to empty if not found
// Clean the value against tags and blank spaces at the edges
$dataArr = array();
foreach($_POST as $key => $value) {
    $dataArr[$key] = ($value == "undefined") ? '' : strip_tags(trim($value));
}

// try to perform the INSERT query or die with the returned mysql error
$query = mysql_query("
  INSERT INTO members 
  (user, pass, mail, country, city, www, credo)
  VALUES (
    '".$dataArr["user"]."',
    '".$dataArr["pass"]."',
    '".$dataArr["mail"]."',
    '".$dataArr["country"]."',
    '".$dataArr["city"]."',
    '".$dataArr["www"]."',
    '".$dataArr["credo"]."'
  )
") or die ("Error:<br/>".mysql_error());

中等改进

// Run by each $_POST entry and set it to empty if not found
// Clean the value against tags and blank spaces at the edges
$dataArr = array();
foreach($_POST as $key => $value) {
    $dataArr[$key] = ($value == "undefined") ? '' : strip_tags(trim($value));
}

// escape everything
$query = sprintf("
    INSERT INTO members 
    (user, pass, mail, country, city, www, credo) 
    value ('%s', '%s', '%s', '%s', '%s', '%s', '%s')",
    mysql_real_escape_string($dataArr["user"]), 
    mysql_real_escape_string($dataArr["pass"]), 
    mysql_real_escape_string($dataArr["mail"]), 
    mysql_real_escape_string($dataArr["country"]), 
    mysql_real_escape_string($dataArr["city"]), 
    mysql_real_escape_string($dataArr["www"]), 
    mysql_real_escape_string($dataArr["credo"])
);

// try to perform the INSERT query or die with the returned mysql error
$result = mysql_query($query) or die ("Error:<br/>".mysql_error());

高级改进

如果您正在开始一个新项目,或者您仍然可以改变您的方式,我强烈推荐使用PHP PDO来防止与您正在使用的当前数据库连接相关的许多安全问题。

于 2012-07-24T19:52:31.873 回答
0 
INSERT INTO members 
(user, pass, mail, country, city, www, credo)
VALUES  
('".$_POST['user']."','".$_POST['pass']."', '".$_POST['mail']."',
'".$_POST['country']."', '".$_POST['city']."', '".$_POST['www']."', '".$_POST['credo']."')")

只是一个简短的警告。将 POST 值直接插入数据库可能会导致安全漏洞。确保在将所有用户输入插入数据库之前对其进行验证和过滤。

于 2012-07-24T19:35:21.930 回答
0

您的 Sql 查询错误。这里

VALUES  ('$_POST[user]')

你必须改用

 $_POST['user']

你直接在数据库中插入值..!!! 这完全是一种不好的感觉。让它逃脱

$user = mysql_real_escape_string(trim($_POST['user']));
$pass = mysql_real_escape_string(trim($_POST['pass']));
$mail = mysql_real_escape_string(trim($_POST['mail']));
$country = mysql_real_escape_string(trim($_POST['country']));
$city = mysql_real_escape_string(trim($_POST['city']));
$www = mysql_real_escape_string(trim($_POST['www']));
$credo = mysql_real_escape_string(trim($_POST['credo']));

然后将其插入数据库,

$query = mysql_query("INSERT INTO members 
        (user, pass, mail, country, city, www, credo)
        VALUES  ($user,$pass, $mail,$country, $city, $www, $credo)")
        or die ("Error - Couldn't register user.");

该代码现在是安全的,可以插入数据库,是一个干净的代码。

于 2016-09-28T05:35:29.520 回答