1 
<?php
$conn= new mysqli("localhost", "my_user", "my_password", "world"); //changed for the sake of this question

$username = $_POST['Username'];
$password = sha1($_POST['Password']);
$email = $_POST['Email'];
$firstname = $_POST['FirstName'];
$lastname = $_POST['LastName'];

$insert = 'INSERT INTO User(FirstName, LastName, Email, Username, Password, Type) VALUES ("'.$firstname.'", "'.$lastname.'", "'.$email.'", "'.$username.'", "'.$password.'", 'User');';

$result = $conn->query($insert);

?>
<form method='post' action='regprocess.php'>
<fieldset class="register">
<h2>Register</h2>
<ul>
    <li><label for="FirstName">First Name: </label> <input type="text" name="FirstName" id="FirstName"></li>
    <li><label for="LastName">Last Name: </label> <input type="text" name="LastName" id="LastName"></li>
    <li><label for="Email">Email: </label><input type="email" name="Email" id="Email"></li>
    <li><label for="Username">Username: </label><input type="text" name="Username" id="Username"></li>
    <li><label for="Password">Password: </label><input type="password" name="Password" id="Password"></li>
    <li><input type="submit" value="Register"></li>
</ul>
</fieldset></form>

表单和顶部 sql 代码位于单独的文件中。

大家好,我正在尝试插入 mysql 表,但它不会插入到我的表中。我试图让它通过注册表插入。而且我不太确定为什么它不起作用。一些见解会很棒。如果您需要我提供表格,我会提供,但我认为这不是它不起作用的部分原因。

4

4 回答 4

1

It's a good thing you're using mysqli, but you're using it incorrectly and are exposing yourself to a number of very serious SQL injection bugs, the consequences of which could be severe.

This is what you should be doing to actually fix the numerous problems present in your example:

$stmt = $conn->prepare('INSERT INTO User(FirstName, LastName, Email, Username, Password, Type) VALUES (?,?,?,?,?,?)');

$stmt->bind_param($firstname, $lastname, $email, $username, $password, 'User');
$stmt->execute();

$result = $stmt->get_result();

The primary advantage of placeholders is not having to worry about how to properly quote data, it's done for you automatically. It also largely avoids having to use two different kinds of quotes within your statement.

If you do not use placeholders for ANY and ALL data being put into your SQL you may end up in serious trouble. You must be vigilant about this.

于 2012-08-21T06:17:12.910 回答
0

您的最后一个参数值是单引号。替换为双引号,使其显示为 ..."'.$password.'", "User");';

于 2012-08-21T02:29:08.443 回答
0

我不知道PHP。不过,我会尝试帮助您使用 MySQL。

我认为插入查询中的引号有问题。

尝试从值子句中删除单引号。

于 2012-08-21T02:30:39.583 回答
0

As an advice, always use " from the start to the end of the sql query text;

$insert = 'INSERT INTO User(FirstName, LastName, Email, Username, Password, Type) VALUES ("'.$firstname.'", "'.$lastname.'", "'.$email.'", "'.$username.'", "'.$password.'", 'User');';

put it like:

$insert = "INSERT INTO User(`FirstName`, `LastName`, `Email`, `Username`, `Password`, `Type`) VALUES ('$firstname', '$lastname', '$email', '$username', '$password', 'User');";

In your query, you had 'User' and you need to escape the ' as \'

And dont forget to always sanitize your content before adding it to the database

于 2012-08-21T06:24:20.560 回答