0

我有这个代码,这是从电子邮件给出的链接注册用户。所以ID和Email是通过表单获取并显示,然后检查是否有用户然后它会在字段上显示内容,那么它只是一个更新。现在我要做的是创建,因为链接中提供给用户的 ID 还不存在。这是名为 Register.php 的文件中的代码

<?php

    load_function('database.php');

    if(!empty($_GET['user_id']) && !empty($_GET['cbemail'])) 
    {
        $user_id = base64_decode($_GET['user_id']);
        $email = base64_decode($_GET['cbemail']);   

        $employee = get_employee($user_id,$email);

    }

        /*$first_name = $_POST['first_name'];
        $middle_name = $_POST['middle_name'];
        $last_name = $_POST['last_name'];
        $suffix = $_POST['suffix'];
        $gender = $_POST['gender'];
        $date_birth = $_POST['date_birth'];
        $cbemail = $_POST['cbemail'];
        $locality_id = $_POST['locality_id'];
        $home_phone = $_POST['home_phone'];
        $mobile_phone = $_POST['mobile_phone'];*/

?>

<div id="main-content">
    <div id="emp_registrationform">
      <form action="" method="post">
        <table width="600" border="0">
        <h1>Create Employee</h1>
          <tr>
            <td class="align-right"><label for="user_id">User</label>
            <input type="text" name="user_id" id="user_id" 
             value="<?php if(isset($user_id)){echo $user_id ; } ?>"/></td>
            </td>
          </tr>
          <tr>
            <td class="align-right"><label for="first_name">First Name</label>
              <input type="text" name="first_name" id="first_name" value='<?php echo $employee['first_name'] ?>'/></td>
            <td><label for="birth_date">Birth Date</label>
              <input type="text" name="birth_date" id="birth_date" value='<?php echo $employee['date_birth'] ?>'/></td>
          </tr>
          <tr>
            <td class="align-right"><label for="middle_name">Middle Name</label>
              <input type="text" name="middle_name" id="middle_name" value='<?php echo $employee['middle_name'] ?>'/></td>
            <td><label for="cbemail">Email</label>
              <input type="text" name="cbemail" id="cbemail" 
               value="<?php if(isset($email)){echo $email ; } ?>"/></td>
          </tr>
          <tr>
            <td class="align-right"><label for="last_name">Last Name</label>
              <input type="text" name="last_name" id="last_name" value='<?php echo $employee['last_name'] ?>'/></td>
            <td><label for="locality_id">Locality ID</label>
              <input type="text" name="locality_id" id="locality_id" value='<?php echo $employee['locality_id'] ?>'/></td>
          </tr>
          <tr>
            <td class="align-right"><label for="suffix">Suffix</label>
              <input type="text" name="suffix" id="suffix" value='<?php echo $employee['suffix'] ?>'/></td>
            <td><label for="home_phone">Phone(Home)</label>
              <input type="text" name="home_phone" id="home_phone" value='<?php echo $employee['home_phone'] ?>'/></td>
          </tr>
          <tr>
            <td class="align-right"><label for="gender">Gender</label>
              <select>
                <option selected><?php echo  $employee['gender'] ?></option>
                <option value="male">Male</option>
                <option value="female">Female</option>
              </select></td>
            <td><label for="mobile_phone">Phone(Mobile)</label>
              <input type="text" name="mobile_phone" id="mobile_phone" value='<?php echo  $employee['mobile_phone'] ?>'/></td>
          </tr>
           <td class="align-right">
              <input type="submit" id="submit-btn" value="Create Employee" />
           </td>
           <td>&nbsp;</td>
        </table>
      </form>
    </div>
  </div>

我的问题是这些数据,保存在数据库中时没有被捕获。我在数据库中的功能如下。

function add_employee($user_id, $first_name, $middle_name, $last_name, 
                      $suffix, $gender, $date_birth, $cbemail, 
                      $locality_id, $home_phone, $mobile_phone) {
    $db   =  load_db();
    $sql = "INSERT into employees (
            user_id, first_name, middle_name, last_name, 
            suffix, gender, date_birth, cbemail,
            locality_id, home_phone, mobile_phone 
            ) VALUES (
            $user_id, $first_name, $middle_name, $last_name, 
            $suffix, $gender, $date_birth, $cbemail,
            $locality_id, $home_phone, $mobile_phone
            )";
    $result = $db->query($sql);
}

是的,我需要一个 POST,但我不知道如何在输入框的值字段中捕获“值”。

提交按钮将在这行代码中重定向。

if(isset($_POST['save_user'])){
    add_employee($_POST['user_id'], $_POST['first_name'], $_POST['middle_name'], $_POST['last_name'], 
                 $_POST['suffix'], $_POST['gender'], $_POST['date_birth'], $_POST['cbemail'], 
                 $_POST['locality_id'], $_POST['home_phone'], $_POST['mobile_phone']);

那么有什么想法吗?我希望你明白这个问题。

4

4 回答 4

4

For strings to be stored in Mysql database you need to use '' (quotes).

So for string like $_POST['first_name'] , use '$_POST['first_name']'

Btw try to use parameterized queries to be safe too,

Then you should be good.

于 2013-05-16T09:53:18.857 回答
1

SQL 中的字符串值必须加引号。您正在转储数据而不引用它。这是无效的 SQL。

使用参数化查询,这些将自动引用您的数据并转义它以消除您巨大的 SQL 注入安全漏洞。

于 2013-05-16T09:50:20.193 回答
0

什么是if(isset($_POST['save_user'])){我没有看到任何带有save_user名称的字段。您应该将其更改为其他内容,也可能if(isset($_POST['user_id'])){需要其他人提及的引号。

于 2013-05-16T10:07:25.263 回答
0

用这个。

function add_employee($user_id, $first_name, $middle_name, $last_name, 
                  $suffix, $gender, $date_birth, $cbemail, 
                  $locality_id, $home_phone, $mobile_phone) {
$db   =  load_db();
$sql = "INSERT into employees (
        user_id, first_name, middle_name, last_name, 
        suffix, gender, date_birth, cbemail,
        locality_id, home_phone, mobile_phone 
        ) VALUES (
        '".$user_id."', '".$first_name."', '".$middle_name."', '".$last_name."', 
        '".$suffix."', '".$gender."', '".$date_birth."', '".$cbemail."',
        '".$locality_id."', '".$home_phone."', '".$mobile_phone."'
        )";
$result = $db->query($sql);
}
于 2013-05-16T09:53:26.677 回答