0

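I made a form using HTML and tried to insert the data into a MySQL database using PHP. But only a few cells get added to the database. I can't figure out what went wrong. Please help. Thanks in advance.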

Here is my code; the form page is (patienthistory.php)

<?php 

  // Connects to your Database 

mysql_connect("localhost", "root", "") or die(mysql_error()); 

mysql_select_db("cleftdb") or die(mysql_error()); 


//checks cookies to make sure they are logged in 

if(isset($_COOKIE['ID_my_site'])) 

{ 

$username = $_COOKIE['ID_my_site']; 

$pass = $_COOKIE['Key_my_site']; 

    $check = mysql_query("SELECT * FROM members WHERE username = '$username'")or die(mysql_error()); 
}
else 

//if the cookie does not exist, they are taken to the login screen 

{            

header("Location: login.php"); 

 } 

$check = mysql_query("SELECT id FROM members WHERE username = '$username'")or die(mysql_error());
while ($row = mysql_fetch_assoc($check)) {
$id = $row["id"];
}



echo '<form action="savepatienthistory.php" method=post />';

echo '<input type="hidden" name="id" value="'.$id.'">';

echo '<p>Patient ID: <input type="text" name="pid" /></p>';
echo '<p>First Name: <input type="text" name="fname" /></p>';
echo '<p>Last Name: <input type="text" name="lname" /></p>';
echo '<p>Date of birth : <input type="date" name="dob" /></p>';
echo '<p>Sex: 
<select name="sex">
<option value="Male">Male</option>
<option value="Female">Female</option>
</select>
</p>';
echo '<p>Race: <input type="text" name="race" /></p>';
echo '<p>Address: <input type="text" name="address" /></p>';
echo '<p>GN Division: <input type="text" name="GNdivision" /></p>';
echo '<p>Parent/Guardian First Name: <input type="text" name="Xfname" /></p>';
echo '<p>Parent/Guardian Last Name: <input type="text" name="Xlname" /></p>';
echo '<p>Parent/Guardian Age: <input type="text" name="Xage" /></p>';
echo '<p>Parent/Guardian Occupation: <input type="text" name="Xoccupation" /></p>';
echo '<p>Parent/Guardian NIC number: <input type="text" name="XNICno" /></p>';
echo '<p>Parent/Guardian Race: <input type="text" name="Xrace" /></p>';
echo '<p>Parent/Guardian Address: <input type="text" name="Xaddress" /></p>';
echo '<p>Parent/Guardian GN Division: <input type="text" name="XGNdivision" /></p>';
echo '<p>Parent/Guardian Relationship to the Patient: <input type="text" name="Xrelationship" /></p>';
echo '<p>Parent/Guardian Country: <input type="text" name="Xcountry" /></p>';
echo '<p>General Medical History: 
<select name="otherproblem">
    <option value="Nothing">Nothing</option>
    <option value="Allergy: Penicillin">Allergy: Penicillin</option>
    <option value="Aspirin">Aspirin</option>
    <option value="Erythromycin">Erythromycin</option>
    <option value="Latex or Rubber Products">Latex or Rubber Products</option>
    <option value="Codeine">Codeine</option>
    <option value="Tetracycline">Tetracycline</option>
    <option value="Germicides/Pesticides, Foods">Germicides/Pesticides, Foods</option>
    <option value="Other">Other</option>
    <option value="Asthma">Asthma</option>
    <option value="Bleeding Disorders">Bleeding Disorders</option>
    <option value="Diabetes">Diabetes</option>
    <option value="Epilepsy">Epilepsy</option>
    <option value="GI disorders">GI disorders</option>
    <option value="Heart disease">Heart disease</option>
    <option value="Hepatitis">Hepatitis</option>
    <option value="Jaundice">Jaundice</option>
    <option value="Liver disease">Liver disease</option>
    <option value="Neoplasm">Neoplasm</option>
    <option value="Psychiatric Problems">Psychiatric Problems</option>
    <option value="Respiratory diseases">Respiratory diseases</option>
    <option value="Rheumatic fever">Rheumatic fever</option>
</select>
</p>';
echo '<p>Do patient currently under medical treatment? If yes, what are the medicines: <input type="text" name="medicaltreatment" /></p>';
echo '<p>Do Patient Need Antibiotic Prophylaxis?  
<select name="antibiotic">
    <option value="Yes">Yes</option>
    <option value="No">No</option>
</select>
</p>';



echo '<input type="submit" value="Submit">';
echo '</form>';


?>

And my savepatienthistory.php code:

<?php 
 // Connects to your Database 

 mysql_connect("localhost", "root", "") or die(mysql_error()); 

 mysql_select_db("cleftdb") or die(mysql_error()); 


 $id = $_POST['id'];
 $pid = $_POST['pid'];
 $fname = $_POST['fname'];
 $lname = $_POST['lname'];
 $dob = $_POST['dob'];
 $sex = $_POST['sex'];
 $race = $_POST['race'];
 $address = $_POST['address'];
 $GNdivision = $_POST['GNdivision'];
 $Xfname = $_POST['Xfname'];
 $Xlname = $_POST['Xlname'];
 $Xage = $_POST['Xage'];
 $Xoccupation = $_POST['Xoccupation'];
 $XNICno = $_POST['XNICno'];
 $Xrace = $_POST['Xrace'];
 $Xaddress = $_POST['Xaddress'];
 $XGNdivision = $_POST['XGNdivision'];
 $Xrelationship = $_POST['Xrelationship'];
 $Xcountry = $_POST['Xcountry'];
 $otherproblem = $_POST['otherproblem'];
 $medicaltreatment = $_POST['medicaltreatment'];
 $antibiotic = $_POST['antibiotic'];


 $sql = "INSERT into history (id) VALUES ('$id')";

 $sql = "INSERT into history (pid) VALUES ('$pid')";
 $sql = "INSERT into history (fname) VALUES ('$fname')";
 $sql = "INSERT into history (lname) VALUES ('$lname')";
 $sql = "INSERT into history (dob) VALUES ('$dob')";
 $sql = "INSERT into history (sex) VALUES ('$sex')";
 $sql = "INSERT into history (race) VALUES ('$race')";
 $sql = "INSERT into history (address) VALUES ('$address')";
 $sql = "INSERT into history (GNdivision) VALUES ('$GNdivision')";
 $sql = "INSERT into history (Xfname) VALUES ('$Xfname')";
 $sql = "INSERT into history (Xlname) VALUES ('$Xlname')";
 $sql = "INSERT into history (Xage) VALUES ('$Xage')";
 $sql = "INSERT into history (Xoccupation) VALUES ('$Xoccupation')";
 $sql = "INSERT into history (XNICno) VALUES ('$XNICno')";
 $sql = "INSERT into history (Xrace) VALUES ('$Xrace')";
 $sql = "INSERT into history (Xaddress) VALUES ('$Xaddress')";
 $sql = "INSERT into history (XGNdivision) VALUES ('$XGNdivision')";
 $sql = "INSERT into history (Xrelationship) VALUES ('$Xrelationship')";
 $sql = "INSERT into history (Xcountry) VALUES ('$Xcountry')";
 $sql = "INSERT into history (otherproblem) VALUES ('$otherproblem')";
 $sql = "INSERT into history (medicaltreatment) VALUES ('$medicaltreatment')";
 $sql = "INSERT into history (antibiotic) VALUES ('$antibiotic')";



 if(!mysql_query($sql)){
die('Error: '.mysql_error());
 } 

 mysql_close();

 ?>

Here is a screenshot of the values added to the db.

4

2 Answers

0

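A very important first remark is that your code has an obvious security problem, as it is wide open to SQL injection. You insert user input (i.e. the POST values) directly into the SQL statement without checking it for malicious content. Be sure to read up on this topic and adjust your code.

Your sql insert statements are not executed, and you keep overwriting the statement, so only the last one will be executed. You have to combine them all in one statement.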

INSERT INTO history (fname, lname) VALUES ('john', 'doe')

In your case you could use a loop and string concatenation to build the complete statement

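$post = array($pid = $_POST['pid'], $fname = $_POST['fname'], $lname = $_POST['lname']);

// Column names are identifiers, so they are not wrapped in single quotes
$sql = "INSERT INTO history (pid, fname, lname) VALUES ('";

foreach( $post as $val ){
    // Escape each value before concatenating it into the statement
    $sql .= mysql_real_escape_string($val)."', '";
}
// Drop the trailing ", '" left by the last iteration
$sql = substr($sql, 0, -3);
$sql .= ")";

mysql_query($sql);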

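I only included three columns in the loop here, but it should be straightforward to extend it to all the needed columns. I also assumed that the "id" you get from $_POST is the table's primary key and therefore omitted it from the INSERT statement, as it will be auto-generated.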

answered 2013-01-12T21:27:23.607
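The two points in the answer above (one INSERT for the whole row, and user input kept out of the SQL text), as an added example that is not part of the original posts. It uses PDO prepared statements; the in-memory SQLite database standing in for cleftdb, the three-column table, the insertHistory helper and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
// Assumption: an in-memory SQLite database stands in for the MySQL "cleftdb"
// so the script runs offline; with MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE history (id INTEGER PRIMARY KEY, pid TEXT, fname TEXT, lname TEXT)');

// Column names cannot be bound as parameters, so they come from a fixed
// allow-list and never from the request.
const HISTORY_COLUMNS = ['pid', 'fname', 'lname'];

// Hypothetical helper: builds one INSERT for the whole row and binds the values.
function insertHistory(PDO $pdo, array $input): int
{
    $row = [];
    foreach (HISTORY_COLUMNS as $col) {
        if (!isset($input[$col]) || !is_string($input[$col])) {
            throw new InvalidArgumentException("missing or non-string field: $col");
        }
        $row[$col] = $input[$col];
    }
    // The SQL text contains only placeholders (:pid, :fname, :lname).
    $sql = sprintf(
        'INSERT INTO history (%s) VALUES (%s)',
        implode(', ', HISTORY_COLUMNS),
        implode(', ', array_map(fn($c) => ":$c", HISTORY_COLUMNS))
    );
    $pdo->prepare($sql)->execute($row);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input in place of $_POST; the last value contains a
// quote and SQL text that would break the concatenated statement.
$post = [
    'pid'   => 'P-0001',
    'fname' => 'Sean',
    'lname' => "O'Brien'); DELETE FROM history; --",
];
$newId = insertHistory($pdo, $post);

// Read the row back: the value is stored verbatim as data, never run as SQL.
$stmt = $pdo->prepare('SELECT pid, fname, lname FROM history WHERE id = ?');
$stmt->execute([$newId]);
var_dump($stmt->fetch(PDO::FETCH_ASSOC) === $post);
var_dump((int) $pdo->query('SELECT COUNT(*) FROM history')->fetchColumn());
```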
0

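According to your code, only the last sql statement gets inserted into the db, and all the previous sql statements are never executed... I don't know why you are forming the insert queries like this..

Please do it in a single statement like this,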

$sql = "INSERT INTO history(id,pid,fname,lname,....) VALUES('".$id."','".$pid."','".$fname."',....)";

Executing a query like the one above will insert all the data into the table.

Or use it as follows

$sql = "INSERT INTO history SET id = '".$id."',
                                pid = '".$pid."',
                                fname = '".$fname."',....";

Doing it this way avoids a count mismatch...

answered 2013-01-13T07:16:35.943