0

我的代码在 MySQL 表“activate”中插入了一条空记录,而不是获取数据 activate.html。它调用了我删除的activate.php。我还应该补充一点,我是 php 新手,但知道注入攻击。我最初解决了一些安全问题,但正如我所说,已经剥离了代码以找到问题的根源。此外,当我回显表单字段时,它们会填充,而不是填充到 MySql 表中。任何想法为什么?先感谢您。

<?php
$host = "host"; // Host name
$username = "user"; // Mysql username
$password = "pass"; // Mysql password
$db_name = "db"; // Database name
$tbl_name = "activate"; // Table name

// Connect to server and select database.

mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

// Get values from form

if (isset($_POST['submit'])) {
    $esn = mysql_real_escape_string($_POST['esn']);
    $esnverify = mysql_real_escape_string($_POST['esnverify']);
    $zip = mysql_real_escape_string($_POST['zip']);
    $comments = mysql_real_escape_string($_POST['comments']);
}

// Insert data into mysql

$sql = "INSERT INTO $tbl_name (esn, esnverify, zip, comments) VALUES ('$esn', '$esnverify', '$zip', '$comments')";
$result = mysql_query($sql);

// if successfully insert data into database, displays message "Successful".

if ($result) {
    echo "Successful";
    echo "<br />";
    echo $_POST['esn'];
    echo "<br />";
    echo $_POST['esnverify'];
    echo "<br />";
    echo $_POST['zip'];
    echo "<br />";
    echo $_POST['comments'];
    echo "<br />";
    echo "<a href='thankyou.html'>Back to main page</a>";
}
else {
    echo "ERROR";
}

?> 

    <?php

// close connection

mysql_close();
?>

激活.html

<form method="post" action="activate.php">
<p><b>ESN:</b> <input type="text" id="esn" name="esn" maxlength="50"><br/>
<b>Confirm ESN:</b> <input type="text" name="esnverify" id="esnverify" maxlength="50"><br/>
<b>Zip:</b> <input type="text" name="zip" id="zip" maxlength="5"><br/>

<p>Your comments:<br />
<textarea name="comments" rows="10" cols="40" id="comments" maxlength="500"></textarea></p>

<p><input type="submit" value="Send it!"></p></form>
4

2 回答 2

1

即使$_POST['submit']未设置(在这种情况下您的变量将没有值),您的代码仍会尝试将数据插入表中。这就是为什么会有空白行。

正如 Lion 在他的评论中所说,由于您的提交按钮没有 name 属性,$_POST['submit']因此永远不会设置,因此您将始终插入空白数据。

于 2013-06-11T18:47:12.253 回答
1 
   <?php
$host = "host"; // Host name
$username = "user"; // Mysql username
$password = "pass"; // Mysql password
$db_name = "db"; // Database name
$tbl_name = "activate"; // Table name

// Connect to server and select database.

mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

// Get values from form

if (isset($_POST['submit'])) {
    $esn = mysql_real_escape_string($_POST['esn']);
    $esnverify = mysql_real_escape_string($_POST['esnverify']);
    $zip = mysql_real_escape_string($_POST['zip']);
    $comments = mysql_real_escape_string($_POST['comments']);


// Insert data into mysql

$sql = "INSERT INTO $tbl_name (esn, esnverify, zip, comments) VALUES ('$esn', '$esnverify', '$zip', '$comments')";
$result = mysql_query($sql);

// if successfully insert data into database, displays message "Successful".

if ($result) {
    echo "Successful";
    echo "<br />";
    echo $_POST['esn'];
    echo "<br />";
    echo $_POST['esnverify'];
    echo "<br />";
    echo $_POST['zip'];
    echo "<br />";
    echo $_POST['comments'];
    echo "<br />";
    echo "<a href='thankyou.html'>Back to main page</a>";
}
else {
    echo "ERROR";
}

}

?> 

    <?php

// close connection

mysql_close();
?>

另外,在 html 代码中更改它:

将 name='submit' 添加到输入字段/提交按钮。

于 2013-06-11T18:47:53.517 回答