0

I have a problem with my PHP. I have a for loop as follows:

$todays_date = date("Y-m-d H:i:s");
for ($k=0; $k < $_SESSION[CampaignTrax]; $k++) {
                        $numIncrement = $k +1;

$artistConcentrate = '$_POST[ArtistField_'.$numIncrement.']';
$titleConcentrate = '$_POST[TitleField_'.$numIncrement.']';
$mixConcentrate = '$_POST[MixField_'.$numIncrement.']';

$query2 = "INSERT INTO trackdata (promo_ID, track_orderno, track_dateofcreation, track_artist, track_title, track_mix, track_promo_title) VALUES('$_SESSION[promo_ID]', '$numIncrement', '$todays_date', '{$artistConcentrate}', '$titleConcentrate', '$mixConcentrate', '$_SESSION[CampaignTitle]')";
mysql_query($query2) or die('Error in MySQL query. Here is the error message: '.mysql_error());

}

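My problem is that the $artistConcentrate variable literally returns $_POST[ArtistField_1], and that value shows up in the SQL table in PHPMyAdmin. Is there any chance I can get it to actually return the value submitted as POST[ArtistField_1], since this will auto-increment through the loop so that artistfield_2 etc. will be inserted into the table?

I know there may be SQL injection problems with the above, but I will update my code once I have found a solution.

Many thanks for any advice on this.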

CP

4 Answers

1

Try this

$todays_date = date("Y-m-d H:i:s");
for ($k=0; $k < $_SESSION['CampaignTrax']; $k++) {
    $numIncrement = $k +1;

    // Build the field name as a string, then use it as the $_POST key
    $artistConcentrate = $_POST["ArtistField_".$numIncrement];
    $titleConcentrate = $_POST["TitleField_".$numIncrement];
    $mixConcentrate = $_POST["MixField_".$numIncrement];

$query2 = "INSERT INTO trackdata (promo_ID, track_orderno, track_dateofcreation, track_artist, track_title, track_mix, track_promo_title) VALUES('".$_SESSION['promo_ID']."', '".$numIncrement."', '".$todays_date."', '".$artistConcentrate."', '".$titleConcentrate."', '".$mixConcentrate."', '".$_SESSION['CampaignTitle']."')";
mysql_query($query2) or die('Error in MySQL query. Here is the error message: '.mysql_error());

}
answered 2013-07-06T12:19:36.287
0

Modifying @whizzkid's code:

$todays_date = date("Y-m-d H:i:s");
$query2 = "INSERT INTO trackdata (promo_ID, track_orderno, track_dateofcreation, track_artist, track_title, track_mix, track_promo_title) VALUES ";
for ($k=0; $k < $_SESSION['CampaignTrax']; $k++) {
    $numIncrement = $k +1;

    $artistConcentrate = $_POST["ArtistField_".$numIncrement];
    $titleConcentrate = $_POST["TitleField_".$numIncrement];
    $mixConcentrate = $_POST["MixField_".$numIncrement];

    // Append one "(...)," value group per track
    $query2 .= "('".$_SESSION['promo_ID']."', '".$numIncrement."', '".$todays_date."', '".$artistConcentrate."', '".$titleConcentrate."', '".$mixConcentrate."', '".$_SESSION['CampaignTitle']."'),";

}
$query2 = substr($query2, 0, -1);
mysql_query($query2) or die('Error in MySQL query. Here is the error message: '.mysql_error());

This will only fire mysql_query once.

answered 2013-07-06T12:37:29.603
0
$artistConcentrate = '$_POST[ArtistField_'.$numIncrement.']';
$titleConcentrate = '$_POST[TitleField_'.$numIncrement.']';
$mixConcentrate = '$_POST[MixField_'.$numIncrement.']';

$query2 = "INSERT INTO trackdata (promo_ID, track_orderno, track_dateofcreation, track_artist, track_title, track_mix, track_promo_title) VALUES('$_SESSION[promo_ID]', '$numIncrement', '$todays_date', '{$artistConcentrate}', '$titleConcentrate', '$mixConcentrate', '$_SESSION[CampaignTitle]')";

should be

$artistConcentrate = $_POST['ArtistField_'.$numIncrement];
$titleConcentrate = $_POST['TitleField_'.$numIncrement];
$mixConcentrate = $_POST['MixField_'.$numIncrement];

$query2 = "INSERT INTO trackdata (promo_ID, track_orderno, track_dateofcreation, track_artist, track_title, track_mix, track_promo_title) VALUES('".$_SESSION['promo_ID']."', '".$numIncrement."', '".$todays_date."', '".$artistConcentrate."', '".$titleConcentrate."', '".$mixConcentrate."', '".$_SESSION['CampaignTitle']."')";
answered 2013-07-06T12:22:44.780
0

You can use the mysql_real_escape_string function for this purpose:-

Here is the documentation link:- http://php.net/manual/en/function.mysql-real-escape-string.php

In your code, you can do the following:-

$todays_date = date("Y-m-d H:i:s");
for ($k=0; $k < $_SESSION['CampaignTrax']; $k++) {
    $numIncrement = $k +1;

$artistConcentrate = mysql_real_escape_string($_POST['ArtistField_'.$numIncrement]);
$titleConcentrate = mysql_real_escape_string($_POST['TitleField_'.$numIncrement]);
$mixConcentrate = mysql_real_escape_string($_POST['MixField_'.$numIncrement]);

$query2 = "INSERT INTO trackdata (promo_ID, track_orderno, track_dateofcreation, track_artist, track_title, track_mix, track_promo_title) VALUES('$_SESSION[promo_ID]', '$numIncrement', '$todays_date', '{$artistConcentrate}', '$titleConcentrate', '$mixConcentrate', '$_SESSION[CampaignTitle]')";
mysql_query($query2) or die('Error in MySQL query. Here is the error message: '.mysql_error());

}

Remember to check mysql_set_charset(), as it affects the result. Study the documentation link given above.

answered 2013-07-06T12:23:02.533
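
Added example, not code from any of the posts above: the same loop with the dynamic field names built as array keys and every value bound through a PDO prepared statement, so nothing submitted is concatenated into the SQL text. The $post and $session arrays are constructed sample input standing in for $_POST and $_SESSION; the in-memory SQLite database (requires the pdo_sqlite extension), the insertTracks helper name and the cap of 100 tracks are assumptions made so the block runs stand-alone.

```php
<?php
// Constructed sample input standing in for $_POST and $_SESSION.
$post = [
    'ArtistField_1' => "Guns N' Roses", 'TitleField_1' => 'Track A', 'MixField_1' => 'Radio Edit',
    'ArtistField_2' => 'Artist B',      'TitleField_2' => "Don't Stop", // MixField_2 left out
];
$session = ['CampaignTrax' => '2', 'promo_ID' => '17', 'CampaignTitle' => 'Summer Promo'];

// Assumption: in-memory SQLite so this runs offline; use a MySQL DSN in the real application.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE trackdata (promo_ID INTEGER, track_orderno INTEGER,
    track_dateofcreation TEXT, track_artist TEXT, track_title TEXT, track_mix TEXT,
    track_promo_title TEXT)');

// Hypothetical helper: inserts one row per submitted track, returns the row count.
function insertTracks(PDO $pdo, array $post, array $session): int
{
    // The loop bound is data too: force it to an integer and cap it (100 is arbitrary).
    $count = max(0, min((int) ($session['CampaignTrax'] ?? 0), 100));
    $stmt = $pdo->prepare('INSERT INTO trackdata (promo_ID, track_orderno,
        track_dateofcreation, track_artist, track_title, track_mix, track_promo_title)
        VALUES (?, ?, ?, ?, ?, ?, ?)');
    $now = date('Y-m-d H:i:s');
    $inserted = 0;

    $pdo->beginTransaction();
    for ($n = 1; $n <= $count; $n++) {
        // Build the key as a string, then index the array with it.
        $artist = $post["ArtistField_$n"] ?? null;
        $title  = $post["TitleField_$n"] ?? null;
        $mix    = $post["MixField_$n"] ?? '';
        if (!is_string($artist) || !is_string($title) || !is_string($mix)) {
            continue; // artist/title absent, or a field arrived as an array
        }
        // Values travel as bound parameters, so quotes in them need no escaping.
        $stmt->execute([(int) $session['promo_ID'], $n, $now, $artist, $title, $mix,
            (string) $session['CampaignTitle']]);
        $inserted++;
    }
    $pdo->commit();
    return $inserted;
}

echo insertTracks($pdo, $post, $session), " rows inserted\n";
foreach ($pdo->query('SELECT track_orderno, track_artist, track_title FROM trackdata') as $row) {
    echo $row['track_orderno'], ': ', $row['track_artist'], ' - ', $row['track_title'], "\n";
}
```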