0

我在数据库“db2”中有一个名为“Directors”的表。我有一个 HTML 表单。我希望当我插入值并点击提交按钮时,在进行一些验证后(您会在脚本中注意到它们),将内容插入到新行中的表中(插入到插入中)。我试过自己做,但它总是在呼应我“失败”;这是我的 HTML 表单:

    <form action="process.php" method="post" accept-charset="utf-8">
<input type="hidden" name="pages_edit_nonce" />        

            <div class="section-item page-title-section">
                <label for="title">Full Name:</label><span class="help">*</span><div class="input-wrap"><input type="text" name="name" value=""  /></div>        </div>



    <div class="section-item">
        <label for="label">Phone:</label><span class="help">*Optionally</span><div class="input-wrap"><input type="text" name="phone" value=""  /></div>        </div>

    <div class="section-item">
        <label for="redirect">Е-mail:</label><span class="help">*</span><div class="input-wrap"><input type="text" name="email" value="" placeholder=""  /></div>        </div>

    <div class="section-item">
        <label for="redirect">School:</label><span class="help">*</span><div class="input-wrap"><input type="text" name="school" value="" placeholder=""  /></div>        </div>

    <div class="section-item">
        <label for="redirect">City:</label><span class="help">*</span><div class="input-wrap"><input type="text" name="city" value="" placeholder=""  /></div>        </div>

    <div class="section-item">
        <label for="redirect">Password:</label><span class="help">*</span><div class="input-wrap"><input type="password" name="password" value="" placeholder=""  /></div>        </div>

    <div class="admin-bar">
        <div class="admin-bar-inner">


            <input type="submit" value="Submit" class="btn" />
        </div>
    </div>

    </form>

这是我的 process.php 文件:

$server = "localhost";
    $user = "****";
    $pass = "****";

    $conn = mysql_connect($server, $user, $pass);
    $db = mysql_select_db("****", $conn);
    session_start();
    if(!$db) {
        $_SESSION['ERRMSG'] = "<strong>Error:</strong> The access to the database is denied!";
        header("Location: ../../admin/error/");
        exit();
    }

    session_start();

    function UniqueID() {
        $UID = rand(); //Create unique ID
        $check = mysql_query("SELECT * FROM `Directors` WHERE `UID` = '$UID'");
        if(mysql_num_rows($check) > 0) { //Check if it exists
            UniqueID(); //Redo the function
        } else {
            return $UID; //return the uniqueid
        }
    }

    $UID = UniqueID(); //Unique ID
    $email = $_POST['email']; 
    $password = $_POST['password']; 
    $name = $_POST['name']; 
    $phone = $_POST['phone']; 
    $school = $_POST['school'];
    $city = $_POST['city']; 

    //Create INSERT query
    $qry = "INSERT INTO `oclass`.`Directors`(`UID`,`Name`, `Phone`, `Email`, `SchoolGymnasium`, `City`, `Password`) VALUES('$UID','$name','$phone','$email','$school','$city','" . md5($password) . "')";
    $result = mysql_query($qry);

    //Check whether the query was successful or not
    if($result) {
        $_SESSION['SUCCMSGADDDIR'] = 'Sucessful.';
        header("location: URL");
        exit();
    } else {
        $_SESSION['ERRMSGADDDIR'] = 'Fail';
        header("location: URL");
    }

使用 mysql_error() 更改错误会话后,它给了我以下错误:致命错误:无法在第 10 行的...中写入上下文中使用函数返回值;第 10 行是:

mysql_error() = "<strong>Error:</strong> The access to the database is denied!";

我已经删除了名为 ID 的列(它是主键)并将 UID 列设置为主键,现在正在工作。感谢你们。

4

1 回答 1

0

首先,您一定从未听说过 SQL 注入http://en.wikipedia.org/wiki/SQL_injection。您当前的代码使您容易受到攻击。您不能像现在这样直接将用户输入插入数据库。mysql_* 函数也被弃用了。为了帮助您的代码更安全和更多更新,请尝试以下操作:

session_start();

$host = "localhost";
$user = "****";
$pass = "****";
$db   = "****";

$dbh = new PDO("mysql:host=$host;dbname=$db", $user, $pass);  
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $dbh->prepare("INSERT INTO `oclass`.`Directors`(`UID`,`Name`, `Phone`, `Email`, `SchoolGymnasium`, `City`, `Password`) VALUES (:uid, :name, :phone, :email, :school, :city, :password)");

$stmt->bindParam(':uid',      uniqid());
$stmt->bindParam(':name',     $_POST['name']);
$stmt->bindParam(':phone',    $_POST['phone']);
$stmt->bindParam(':email',    $_POST['email']);
$stmt->bindParam(':school',   $_POST['school']);
$stmt->bindParam(':city',     $_POST['city']);
$stmt->bindParam(':password', md5($_POST['password']));

$stmt->execute();
于 2013-05-26T05:00:17.600 回答