1

我正在尝试获取当前的 PHP 代码并插入到数据库中。目前,我可以保存名字、姓氏和电子邮件,但无法保存表单数据的其余部分“性别”和“控制台”。这是代码

<!Doctype html public>

<html>
<body>

fill out the following form:

<table border="1" cellpadding="10">
<td>
<h1> Devices owned Survey </h1>
<form action="submit_answer.php" method = "POST"> 
First Name: <br /> <input type="text" name="first" /><br />
<br />
Last Name: <br /> <input type="text" name="last" /> <br />
<br />
Email: <br /> <input type="text" name="email" /> <br />
<br />
<u>Gender</u>: <br />
<br />
<input type="radio" name="gender" value="male" /> Male<br />
<input type="radio" name="gender" value="female" /> Female <br />
<br />
<u>I Have The Following:</u> <br />
<br />
<input type="checkbox" name="console" value="Playstation3" /> Playstation 3<br />
<input type="checkbox" name="console" value="Xbox360" />  Xbox 360 <br />
<input type="checkbox" name="console" value="Wii" />  Wii <br />
<input type="checkbox" name="console" value="Iphone" />  Iphone <br />
<input type="checkbox" name="console" value="MacBook" />  MacBook <br />
<br />
<input type="submit"/>
</form>

</td>
</table>
</body>
</html>



 PHP //SUMBMIT FORM
<?php

define('DB_NAME', 'survey');
define('DB_USER', 'root');
define('DB_PASSWORD', 'XXXX');
define('DB_HOST', 'localhost');

$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);

 if (!$link)
{
die('Could NOT Connect: ' . mysql_error());
}
$db_selected = mysql_select_db(DB_NAME, $link);

if (!$db_selected) 
{
die ('Cant\'t use' . DB_NAME. ':' . mysql_error());
}
echo 'Connected Sucessfully';

$first = $_POST["first"]; // Since method=”post” in the form
$last = $_POST["last"];
$email = $_POST["email"];
$gender = $_POST["gender"];
$console = $_POST["console"];


$sql = "INSERT INTO survey (first, last, email) VALUES                   
( '$_POST[first]','$_POST[last]','$_POST[email]','$_POST[gender]','$_POST[console]')";
$result = mysql_query($sql);

$result = mysql_query($sql) or die ("could not save record");

mysql_close();
?>
//Also trying to validate the form so each question is answered
4

1 回答 1

2

您用来将数据保存到数据库的方法非常危险。您对 SQL 注入攻击持开放态度。话虽如此,您应该阅读使用mysql_query.

我不会完全重写您的代码来修复 SQL 注入漏洞,而是要解决您当前遇到的问题......

在您的代码中,您有:

$sql = "INSERT INTO survey (first, last, email) VALUES                   
( '$_POST[first]','$_POST[last]','$_POST[email]','$_POST[gender]','$_POST[console]')";

您指定 3 列,但传入 5 列。您需要添加其他 2 列

$sql = "INSERT INTO survey (first, last, email, gender, console) VALUES                   
( '$_POST[first]','$_POST[last]','$_POST[email]','$_POST[gender]','$_POST[console]')";

但说真的,改变你的代码!

编辑:

如果您想获取一个数组$_POST['console']并将其转换为具有逗号分隔值的字符串,请尝试以下操作:

将数组括号添加到您的name属性:

<input type="checkbox" name="console[]" value="Playstation3" /> Playstation 3<br />
<input type="checkbox" name="console[]" value="Xbox360" />  Xbox 360 <br />
<input type="checkbox" name="console[]" value="Wii" />  Wii <br />
<input type="checkbox" name="console[]" value="Iphone" />  Iphone <br />
<input type="checkbox" name="console[]" value="MacBook" />  MacBook <br />

迭代数组并将值附加到字符串:

<?PHP
$consoleArray = $_POST['console'];
$consoleCommaString = "";
if ($consoleArray != null && is_array($consoleArray)) {
    foreach ($consoleArray as $consoleValue) {
        $consoleCommaString .= $consoleValue .", ";
    }
}

$sql = "INSERT INTO survey (first, last, email, gender, console) VALUES ('$_POST[first]','$_POST[last]','$_POST[email]','$_POST[gender]','$consoleCommaString')";
?>
于 2013-05-02T21:44:12.387 回答