0

我想将数据插入这样设置的数据库中

桌子

  • 名称 varchar(35)
  • 部门 varchar(50)
  • 评分 smallint(6)
  • 容易小int(6)
  • 教科书 varchar(3)
  • 时间戳时间戳
  • 课程字符(10)
  • 曲线字符(3)
  • 评论文字

我用下面这样的查询插入数据,它实际上并没有插入数据库,页面重新加载,就是这样。这是 和 的print_r()结果var_dump()。实际查询功能如下。可能是什么问题?我认为它可能是某种文本类型溢出。但是我想不通,谢谢你的帮助

print_r()结果:

insert into professor(name,department,rating,easiness,textbook,course,curve,comment)values('Cherry, Mark','HUMANITIES','8','8','yes','PHIL 3311','no','Go to class. He doesn't require it but it will make the difference between an A or a B. It's very difficult to do anything without being in class. He gives all the answers you need so long as you show up. He's a very good teacher and I would recommend him to someone else')

var_dump()结果:

string(424) "insert into professor(name,department,rating,easiness,textbook,course,curve,comment)values('Cherry, Mark','HUMANITIES','8','8','yes','PHIL 3311','no','Go to class. He doesn't require it but it will make the difference between an A or a B. It's very difficult to do anything without being in class. He gives all the answers you need so long as you show up. He's a very good teacher and I would recommend him to someone else')" bool(false)

这是我的代码:

function processadd()
{
    $name =htmlentities($_POST['prof']);
    $department =htmlentities($_POST['depart']);
    $rating =htmlentities($_POST['Rating']);
    $easy=htmlentities($_POST['Easiness']);
    $textbook =htmlentities($_POST['Book']);
    $course =htmlentities($_POST['course']);
    $curve =htmlentities($_POST['curve']);
    $comment =htmlentities($_POST['comment']);
    if($course == "" || $comment == "")
    {
        print"<div class=error><h3> Empty Fields exist!, please fill out completely</h3></div>";
    }
    else
    {
    $db = adodbConnect();
    $query = "insert into professor(name,department,rating,easiness,textbook,course,curve,comment)values('$name','$department','$rating','$easy','$textbook','$course','$curve','$comment')";
    $result = $db -> Execute($query);
    }
    print_r($query);
    print_r($result);
    print"<br>";
    print"<br>";
    print"<br>";
    var_dump($query);
    var_dump($result);

}
4

2 回答 2

0

您的问题可能在评论中。看起来你没有在整个评论中逃避 's。尝试插入此语句:

insert into professor(name,department,rating,easiness,textbook,course,curve,comment)
values('Cherry, Mark','HUMANITIES','8','8','yes','PHIL 3311','no','Go to class. He doesn\'t require it but it will make the difference between an A or a B. It\'s very difficult to do anything without being in class. He gives all the answers you need so long as you show up. He\'s a very good teacher and I would recommend him to someone else');
于 2012-12-17T05:51:04.350 回答
0

虽然您没有指定您收到的错误,但我猜它与不转义查询中的引号有关,特别是(但不限于)该comment列。

例如,您的示例中的列是:

去上课了。他不需要它,但它会在 A 或 B 之间产生差异。不上课就很难做任何事情。只要你出现,他就会给出你需要的所有答案。他是一位非常好的老师,我会向其他人推荐他

此文本包含几个单引号,它们会破坏您的 SQL 查询并给您一个错误。

htmlentities在每列的输入上使用,但是,这并不能阻止 SQL 注入;并且,默认情况下,htmlentities也不转换单引号。

我不知道您的数据库类正在实现什么 MySQL 库,但您可能想尝试使用该库的转义函数。

例如,如果您使用的是较旧的mysql_函数,请使用mysql_real_escape_string()而不是htmlentities()每个值。另一方面,如果您使用更推荐的MySQLiPDO类,请将您的查询转换为准备好的语句。

于 2012-12-17T05:52:20.560 回答