0

II 创建了一个用于插入新公司的表单,并且在此页面上,它是将数据插入数据库的 PHP 脚本。

我不知道这段代码的错误在哪里。

<?php
if (isset($_POST['submit']))
{
    // Form has been submitted.
    $query = mysql_query("INSERT INTO companies (name, subdomain0, subdomain1, subdomain2, 
    position, country, city, district, contact, set_up_date, address, phone, area_phone_code, website, fax, email)
    VALUES ('{$_POST['name']}', '{$_POST['domain']}', '{$_POST['subdomain1']}',
    '{$_POST['subdomain2']}', '{$_POST['position']}', '{$_POST['country']}', '{$_POST['city']}',
    '{$_POST['district']}', '{$_POST['contact']}', '{$_POST['setdate']}', '{$_POST['address']}', '{$_POST['phone']}',
    '{$_POST['areacode']}, '{$_POST['website']}', '{$_POST['fax']}', '{$_POST['email']}')");

    $result = mysql_query($query, $connection);
    if (!$result) {
        echo  "The company was not created.";
    } else {
        echo  "The company was successfully created.";
    }
}
?>
4

3 回答 3

2

重写您的代码并将其{}从变量中删除

    VALUES ('$_POST['name']','$_POST['domain']', '$_POST['subdomain1']',...

1-确保在将它们发送到数据库之前对其进行转义。

2-不要使用 mysql ,使用 pdo 或 mysqli

为了逃避他们这样做:

 $name = mysql_real_escape_string($_POST['name']) ;

然后像这样将它传递给你的查询

    VALUES ('$name', .... <-- same with other columns

编辑-

试试这个

  if (isset($_POST['submit'])) { // Form has been submitted.

  $name = mysql_real_escape_string($_POST['name']) ;
  $subdomain0 = mysql_real_escape_string($_POST['subdomain0']) ;
  $subdomain1 = mysql_real_escape_string($_POST['subdomain1']) ;
  $subdomain2 = mysql_real_escape_string($_POST['subdomain2']) ;
  $position = mysql_real_escape_string($_POST['position']) ;
  $country = mysql_real_escape_string($_POST['country']) ;
  $city = mysql_real_escape_string($_POST['city']) ;
  $district = mysql_real_escape_string($_POST['district']) ;
  $contact = mysql_real_escape_string($_POST['contact']) ;
  $set_up_date = mysql_real_escape_string($_POST['setdate']) ;
  $address = mysql_real_escape_string($_POST['address']) ;
  $phone = mysql_real_escape_string($_POST['phone']) ;
  $areacode = mysql_real_escape_string($_POST['areacode']) ;
  $website = mysql_real_escape_string($_POST['website']) ;
  $fax = mysql_real_escape_string($_POST['fax']) ;
  $email = mysql_real_escape_string($_POST['email']) ;

 $query = mysql_query("INSERT INTO companies (name, subdomain0, subdomain1,  subdomain2, 
 position, country, city, district, contact, set_up_date, address, phone,   area_phone_code, website, fax, email)
  VALUES ('$_POST['name']', '$subdomain0', '$subdomain1',
  '$subdomain2', '$position', '$country',  '$city',
   '$district', '$contact', '$set_up_date',  '$address', '$phone',
   '$areacode, '$website', '$fax', '$email')");

      echo  "The company was successfully created.";
     else {
         echo  "The company was not created.";

    }
   }
  ?>
于 2013-02-03T11:06:23.507 回答
0 
INSERT INTO companies  
SET name = $name, 
    subdomain0 = $domain, 
    subdomain1 = $doamin1

很快

于 2013-02-03T11:11:37.760 回答
0

你必须小心sql 注入。您可以通过链接了解 mysql_* 函数的其他选项,因为它已被弃用。

此外,最好尝试通过使用mysql_error函数打印出错误来找出错误。(检查链接以获取替代方案,因为这也已被弃用)

于 2013-02-03T11:14:51.993 回答