0

所以我有3个表如下。

TOPICS      TOPIC_TAGS    Tags
topic_id    tag_id        tag_id
topic_data  topic_id      tags

现在我可以成功地将 topic_data 插入到 TOPICS 中,并且标签正在像这样插入......

tag_id    tags
1         this
2         is
3         a
4         test

但是当我试图将 tag_ids 插入 TOPIC_TAGS 表时,它只是像这样插入最后一个

topic_id  tag_id
0         4

并且在插入主题时也没有插入 topic_id。

这是发布数据的表单。

<form method="post" action="add_topic.php">
<table>
<tr>
<td align="left"><b>Enter your Topic keywords.
    <ul id="topic" name="tags[]"></ul>

</td>
</tr>
<tr>
<td colspan="3"><textarea name="topic_data" cols="50" rows="3" id="topic_data" placeholder="What Topic are you talking about?"></textarea></td>
</tr>
<tr>
<td colspan="3" align="right">Invisipost: <input type="hidden" name="invisipost" value="0"><input type="checkbox" name="invisipost" value="1"> <input type="submit" name="Submit" value="Talk" /> <input type="reset" name="Submit2" value="Reset" /></td>
</tr>
</table>
</form>

这是我的代码:

$tags = isset($_POST['tags']) ? $_POST['tags'] : null;

if (is_array($tags)) {
foreach ($tags as $t) {
    // Checking duplicate
     $sql_d = "SELECT * from tags where tags='$t'"; 
      $res=mysql_query($sql_d);
      $res = mysql_num_rows($res);
    if($res<1)
    {
    // escape the $t before inserting in DB
    $sql = "INSERT INTO tags (tags) VALUES('$t')";
    mysql_query($sql);
    }
 }
} else {
echo 'Invalid tag';
}
$sql_s = "SELECT * from tags where tag_id='$tags'";
$tag_id = isset($_GET['tag_id']) ? $_GET['tag_id'] : null;

if (is_array($tag_id)) {
foreach ($tag_id as $tid) {

    // escape the $t before inserting in DB
    $sql = "INSERT INTO topic_tags (tag_id) VALUES('$tid')";
    mysql_query($sql);
    }
 }

$sql="INSERT INTO topic_tags (tag_id)VALUES(LAST_INSERT_ID())";
$result=mysql_query($sql);


$topic_data= htmlentities($_POST['topic_data']);
$posted_by = $_SESSION['user_id'];
$posted = "date_add(now(),INTERVAL 2 HOUR)";
$invisipost = isset($_POST['invisipost']) ? $_POST['invisipost'] : 0 ;

if (($topic_data=="")) 
echo "<h2>Opps...</h2><p>You did not fill out all the required fields.</p>";

else 
$sql="INSERT INTO topics(topic_data, posted_by, posted, invisipost)VALUES('$topic_data', '$posted_by', $posted, $invisipost)";
$result=mysql_query($sql);

if($result){

$sql="INSERT INTO topic_tags (topic_id)VALUES(LAST_INSERT_ID()) WHERE topic_tags.tag_id='". $_GET['tags'] ."'";
$result=mysql_query($sql);
4

1 回答 1

0

不再支持功能mysql_*,它们已正式弃用不再维护,将来将被删除您应该使用PDOMySQLi更新您的代码,以确保您的项目在未来的功能。

既然你在使用mysql_*,你应该使用mysql_real_escape_string来防止注入。

注意:我的示例仅涵盖您在问题顶部提供的表格信息,您必须自己添加任何其他列。

使用 MySQLi 和prepared statements,您可以轻松地防止自己使用prepared statements 进行注入。

bind_param处理您插入的数据类型,例如代表i整数,s代表字符串,因此对于?您的查询中的每个数据,您都可以将其添加到bind_param相应的类型中。阅读更多关于bind_param这里。

我的测试表格:

<form method="post" action="add_topic.php">
<table>
<tr>
<td align="left"><b>Enter your Topic keywords.<br />
<input id="topic" name="tags">
</td>
</tr>
<tr>
<td colspan="3"><textarea name="topic_data" cols="50" rows="3" id="topic_data" placeholder="What Topic are you talking about?"></textarea></td>
</tr>
<tr>
<td colspan="3" align="right">Invisipost: <input type="hidden" name="invisipost" value="0"><input type="checkbox" name="invisipost" value="1"> <input type="submit" name="Submit" value="Talk" /> <input type="reset" name="Submit2" value="Reset" /></td>
</tr>
</table>
</form>

数据库.php:

<?php
// fill with your data
$db_host = 'localhost';
$db_user = 'stackoverflow';
$db_pass = 'stackoverflow';
$db_name = 'stackoverflow';

$con = mysqli_connect($db_host,$db_user,$db_pass,$db_name);
if($con->connect_error)
    die('Connect Error (' . mysqli_connect_errno() . ') '. mysqli_connect_error());

add_topic.php:

<?php
include_once "database.php";
$tags = $_POST['tags'];
$topic_data = $_POST['topic_data'];
$ids = array();

if (!isset($topic_data))
{
    die("<h2>Opps...</h2><p>You did not fill out the topic data field.</p>");
}

if (!isset($tags))
{
    die("<h2>Opps...</h2><p>You did not fill out the tags field.</p>");
}

foreach (explode(' ', $tags) as $tag)
{
    if ($stmt = $con->prepare("SELECT tag_id FROM tags WHERE tags=?"))
    {
        $stmt->bind_param("s", $tag);
        $stmt->execute();
        $stmt->bind_result($id);
        $stmt->fetch();
        $stmt->close();
    }

    if ($id == 0)
    {
        if ($stmt = $con->prepare("INSERT INTO tags (tags) VALUES(?)"))
        {
            $stmt->bind_param("s", $tag);
            $stmt->execute();
            $stmt->bind_result($id);
            $stmt->fetch();
            $ids[] = $stmt->insert_id;
            $stmt->close();
        }
    }
    else
        $ids[] = $id;
}

if ($stmt = $con->prepare("INSERT INTO topics(topic_data) VALUES(?)"))
{
    $stmt->bind_param("s", $topic_data);
    if ($stmt->execute())
    {
        $topic_id = $stmt->insert_id;
        $stmt->close();
        foreach ($ids as $id)
        {
            if ($stmt = $con->prepare("INSERT INTO topic_tags (topic_id, tag_id) VALUES(?, ?)"))
            {
                $stmt->bind_param("ii", $topic_id, $id);
                $stmt->execute();
                $stmt->close();
            }
        }     
    }
    else
        $stmt->close();
}

echo "<h2>Topic successfully inserted</h2><p>The topic and tags have been inserted.</p>";
$con->close();

正如您在我的代码中看到的那样,当我检查标签时,我也在检索已经存在的标签的 id 并将它们全部存储到数组$ids中以供以后重用 table topic_tags

成功插入主题后,我检索主题 ID,然后将所有标签 IDtopic_tags与主题 ID 一起插入表中。

在我的测试表单中,我使用了一个简单的标签输入,但是如果您将其用作数组,您也可以将其更改为:

if (!isset($tags))

至:

if (!isset($tags) || !is_array($tags))

并改变:

foreach (explode(' ', $tags) as $tag)

至:

foreach ($tags as $tag)
于 2013-07-22T04:40:11.867 回答