php - 使用php将表单中的数据输入数据库

Question

我正在尝试将数据输入数据库，但我不断收到错误消息。我不知道问题出在哪里。这是代码：

<?php 
  $sql = "INSERT INTO $db_table (title,group,overlapok,userid,name,phone,email,description,managers,location,notify,notifyman,
remind,remindman,appmsg,viewaccess,viewulist,viewclist,makeaccess,makeulist,makeclist,showappinfo) 
VALUES ('".mysql_real_escape_string(stripslashes($_REQUEST['txtTitle'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkGroupCal'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkAllowOverlap'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtUserID'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtOwner'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtPhone'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtEmail'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtDesc'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtManagers'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtLocation'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkNotifyMe'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkNotifyMgrs'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkRemind'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['chkRemindMan'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['txtAppText'])).
"','".mysql_real_escape_string(stripslashes($_REQUEST['selViewBlockRestr'])).
     "','".mysql_real_escape_string(stripslashes($_REQUEST['txtViewBlocksUserID']))
   "','".mysql_real_escape_string(stripslashes($_REQUEST['txtViewBlocksCourseID']))."','".mysql_real_escape_string(stripslashes($_REQUEST['selMakeApptRestr']))."','".mysql_real_escape_string(stripslashes($_REQUEST['txtMakeApptUserID']))."','".mysql_real_escape_string(stripslashes($_REQUEST['txtMakeApptDptID']))."','".mysql_real_escape_string(stripslashes($_REQUEST['chkShowAppInfo']))."')"; 

if($result = mysql_query($sql,$db)) 
   {
    echo '<h1>Thank you</h1> Your information has been entered into our database<br><br>
        <p> <a href="viewcalendar.page.php"> View Calendar </a> </p>
        <img src="eDiary.jpg"';

    } 
   else 
   {
    echo "ERROR: ";
   }  ?>

该表单包括可以留空复选框的部分。

我听从了您的建议并使用了 PDO。一直返回以下错误：警告：PDO::__construct() [pdo.--construct]: [2002] /opt/lampp/htdocs/Scheduler/pages/enterCal 中的参数无效（尝试通过 unix:// 连接）第 72 行的 .page.php 连接失败：SQLSTATE [HY000] [2002] 无效参数致命错误：在 /opt/lampp/htdocs/Scheduler/pages/enterCal.page 中的非对象上调用成员函数 exec() .php 在第 80 行。

我认为 $db 不是一个对象，并且连接没有被执行。我该如何处理？我试过谷歌，但似乎想不出任何可行的方法。

    <?php

$dsn = 'mysql:host=localhost;dbname=eDiary';
$user = 'root';
$password = '';

try 
{
        $db = new PDO($dsn,$user,$password);
        $db -> setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);}                
catch (PDOException $e) {
  echo 'Connection Failed: ' . $e->getMessage();
    }

$result = $db->exec("INSERT INTO wassCalendar(title, group, overlapok, userid, name, phone, email, description, managers, location, notify, notifyman, remind, 
remindman, appmsg, viewaccess, viewulist, viewclist, makeaccess, makeulist, makeclist, showappinfo) 
VALUES($txtTitle, $chkGroupCal, $chkAllowOverlap, $txtUserID, $txtOwner,  $txtPhone, $txtEmail, $txtDesc, $txtManagers, 
$txtLocation, $chkNotifyMe, $chkNofityMgrs, $chkRemind, $chkRemindMan, $txtAppText, $selViewBlockRestr, 
$txtViewBlocksUserID, $txtViewBlocksCourseID, $selMakeApptRestr, $txtMakeApptUserID, $txtMakeApptDptID, 
$chkShowAppInfo)"; 

$insert_id = mysql_insert_id();

?>

Answer 1

在需要在查询中使用用户输入的情况下，您需要对查询进行参数化。

这是我讨论相同问题的另一个主题。

依靠清理输入是非常糟糕的做法，最终会咬你。