0

有一个简单的注册表单,它被链接到一个 php 文件,以便将信息发送到数据库,但每次我尝试它时,数据都没有显示在 phpMyAdmin 数据库中?

<?php

$name = $_POST['name'];
$address = $_POST['address'];
$number = $_POST['number'];
$email = $_POST['email'];
$details = $_POST['details'];

$user="root";
$password="secure";
$database="darrenweircharity";
mysql_connect("localhost",$user,$password);
@mysql_select_db($database) or die ("Unable to select database");

$query = "INSERT INTO registrationdetails(name, address, number, email, details)".
"VALUES('$name', '$address', '$number', '$email', '$details' NOW())";
mysql_query($query);
mysql_close();
?>
4

3 回答 3

1

请不要mysql_*在新代码中使用函数。它们不再被维护,并且已经开始弃用过程。看到红框了吗?改为了解准备好的语句,并使用PDOMySQLi -本文将帮助您决定使用哪个。如果您选择 PDO,这里有一个很好的教程

尝试:

$query = "INSERT INTO registrationdetails(name, address, number, email, details)".
         "VALUES('" . $name . "', '" . $address . "', '" . $number . "', '" . $email . "', '" . $details . "');";

NOW()在查询的末尾有不应该在那里。

另请注意,您的代码存在 SQL 注入漏洞(请参阅 参考资料mysql_real_escape_string()),我建议您通过PDO.

于 2012-12-06T15:57:50.583 回答
0

防止可能的 SQL 注入:

$name = mysql_real_escape_string($name);
$address = mysql_real_escape_string($address);
$number = mysql_real_escape_string($number);
$email = mysql_real_escape_string($email);
$details = mysql_real_escape_string($details);

用。。。来代替:

$query = "
INSERT INTO registrationdetails (`name`, `address`, `number`, `email`, `details`)
VALUES ('$name', '$address', '$number', '$email', '$details')");
于 2012-12-06T15:58:36.213 回答
0 
$query = "
    INSERT INTO registrationdetails (name, address, number, email, details, date_time)
    VALUES ('{$name}', '{$address}', '{$number}', '{$email}', '{$details}', NOW())
";

将 替换为date_time您的 column_name。并记住在将所有提交的值mysql_real_escape_string插入数据库之前对其进行转义。

于 2012-12-06T16:21:07.483 回答