0

我即将创建一个简单的代码来添加新闻......(我的小项目)当我点击提交时,我得到一个成功文本,并重定向回页面,但没有添加数据,如果我将表单留空 -不出现错误消息。

...而且 mysql_real_escape_string 会给我省点麻烦吗?

<?php 
include('connect_db.php');
if(isset($_POST['submit']))
{
    $title = mysql_real_escape_string(htmlspecialchars($_POST['title']));
    $text = mysql_real_escape_string(htmlspecialchars($_POST['text']));

    if ($title == '' || $text == '')
    {

         // generate error message
         $error = 'ERROR: Please fill in all required fields!';
    }

    $result = mysql_query("INSERT INTO news ('id', 'date', 'title', 'text')
                           VALUES ('NULL', NOW(),'$title','$text')",$conn);

    echo "<b>Thank you!<br>You'll be redirected in (4) secs...";
    echo "<meta http-equiv=Refresh content=4;url=add.php>";

    } else {

    echo "<form method='post' action='add.php'>
          <legend>Add news</legend>
          <label>Title</label>
          <input type='text' name='title'>
          <label>Text</label>
          <textarea rows='5' name='text'></textarea>
          <br />
          <button type='submit' name='submit' class='btn'>Submit</button>
          </form>";
}?>
4

2 回答 2

3

NULL是一个关键字,它不应该用引号引起来。

同样,字段名称应该用反引号`而不是单引号括起来',并且您还应该将表名括在其中以保持一致性。

此外,它看起来id设置为AUTO_INCREMENT,因此您无需将其设置为NULL。如果dateTIMESTAMP(应该是),那么您也可以DEFAULT CURRENT_TIMESTAMP从查询中设置和删除它。

$result = mysql_query("INSERT INTO `news` (`title`,`text`) VALUES ('$title','$text')");
于 2012-08-23T19:14:11.047 回答
0

您的代码有点未完成。

<?php 

// connect to the database
include('connect_db.php');


if(isset($_POST['submit']))

{

    // htmlspecialchars is needed when displaying HTML to the user from an input, not for inserting into a database. mysql_real_escape_string is plenty for this purpose.

    $title = mysql_real_escape_string($_POST['title']);
    $text = mysql_real_escape_string($_POST['text']);

    if ($title == '' || $text == '')

    {

        // You have generated an error but you are not displaying it anywhere.

        // generate error message
        echo 'ERROR: Please fill in all required fields!';

       // You will want to either send the error in a query string to this page again and display it above the form or re-echo the form here.

    }else{

        // Don't submit the data if there is an error.

        // ID should be auto-increment in your database, don't set it here even if you set it NULL, you can also have MySQL apply the current time rather than here.

        $result = mysql_query("INSERT INTO news (`title`, `text`)
        VALUES ('$title','$text')");

        echo "<b>Thank you!<br>You'll be redirected in (4) secs...";
        echo "<meta http-equiv=Refresh content=4;url=add.php>";

    }

} else {

    echo "<form method='post' action='add.php'>
    <legend>Add news</legend>
    <label>Title</label>
    <input type='text' name='title'>
    <label>Text</label>
    <textarea rows='5' name='text'></textarea>
    <br />
    <button type='submit' name='submit' class='btn'>Submit</button>
    </form>";

}
?>
于 2012-08-23T19:23:37.200 回答