-5

完成 PHP 表单后,我在数据库中插入了这一行:

INSERT INTO guitarwars VALUES (0, NOW(), '$name', '$score');

问题是在我的 PHP 页面中我看到的是 $name,而不是我输入的表单中的名称。

LE:我有 2 个文件:index.php,addscore.php: index.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Guitar Wars - High Scores</title>
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h2>Guitar Wars - High Scores</h2>
<p>Welcome, Guitar Warrior, do you have what it takes to crack the high score list? If so, just <a href="addscore.php">add your own score</a>.</p>
<hr />

<?php
// Connect to the database 
$dbc = mysqli_connect('localhost', 'root', '', 'guitar');

// Retrieve the score data from MySQL
$query = "SELECT * FROM guitarwars";
$data = mysqli_query($dbc, $query);

// Loop through the array of score data, formatting it as HTML 
echo '<table>';
while ($row = mysqli_fetch_array($data)) { 
// Display the score data
echo '<tr><td class="scoreinfo">';
echo '<span class="score">' . $row['score'] . '</span><br />';
echo '<strong>Name:</strong> ' . $row['name'] . '<br />';
echo '<strong>Date:</strong> ' . $row['date'] . '</td></tr>';
if(is_file($row['screenshot']) && filesize($row['screenshot'])>0) {
echo '<td><img src="'.$row['screenshot'].'" alt="Score image" /></td></tr>';
}
else {
echo '<td><img src="unverified.gif" alt="Unverified score" /></td></tr>';
}
}
echo '</table>';

mysqli_close($dbc);
?>

</body> 
</html>

添加core.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Guitar Wars - Add Your High Score</title>
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
<body>
<h2>Guitar Wars - Add Your High Score</h2>

<?php
if (isset($_POST['submit'])) {
// Grab the score data from the POST
$name = $_POST['name'];
$score = $_POST['score'];

if (!empty($name) && !empty($score)) {
  // Connect to the database
  $dbc = mysqli_connect('localhost', 'root', '', 'guitar');

  // Write the data to the database
  $query = "INSERT INTO guitarwars VALUES (0, NOW(), '$name', '$score')";
  mysqli_query($dbc, $query);

  // Confirm success with the user
  echo '<p>Thanks for adding your new high score!</p>';
  echo '<p><strong>Name:</strong> ' . $name . '<br />';
  echo '<strong>Score:</strong> ' . $score . '</p>';
  echo '<p><a href="index.php">&lt;&lt; Back to high scores</a></p>';

  // Clear the score data to clear the form
  $name = "";
  $score = "";

  mysqli_close($dbc);
}
else {
  echo '<p class="error">Please enter all of the information to add your high score.</p>';
}
}
?>

<hr />
<form enctype="multipart/form-data" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="hidden" name="MAX_FILE_SIZE" value="32768" />
<label for="name">Name:</label>
<input type="text" id="name" name="name" value="<?php if (!empty($name)) echo $name; ?>" /><br />
<label for="score">Score:</label>
<input type="text" id="score" name="score" value="<?php if (!empty($score)) echo $score; ?>" />
<input type="file" id="screenshot" name="screenshot" />
<hr />
<input type="submit" value="Add" name="submit" />
</form>
</body> 
</html>

在我完成了addscore.php的表格并放了一张乐谱的照片后,我使用了 INSERT INTO guitarwars VALUES (0, NOW(), '$name', '$score'); 在数据库中插入来自 PHP 脚本的值。然后,在 index.php 中,我应该看到我在表单中输入的名称,而不是 $name。

4

1 回答 1

4

变量没有被插值,这意味着您的查询使用单引号或 NOWDOC(或其他原因)。最好通过 PDO/mysqli 使用正确的参数化查询。我更喜欢前者。

$pdo = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'pass');
$stmt = $pdo->prepare("INSERT INTO guitarwards VALUES (0, NOW(), ?, ?)");
$stmt->execute(array($name, $score));

此外,您可以列出要插入的列,并可能省略前两个。

于 2013-02-28T17:38:17.617 回答