-1

I have user input from a form (possibly with empty fields - yes, the database is set up to accept NULL values), and I need to insert that information into a table in the database.

Just a bit more info: I'm building this app in Titanium.

Here is the code that sends all the parameters to the PHP file:

saveButton.addEventListener('click', function() {

    var xhr = Ti.Network.createHTTPClient();
    var url = ""; //url is in here; I just took it out for privacy
    xhr.open("GET", url);
    var params = {
        query : "enterAsset",
        barcode : barcodeTextField.value, //all these textfields are editable by the user
        assetClass : assetClassTextField.value,
        manufacturer : manufacturerTextField.value,
        model : modelTextField.value,
        serialNum : serialNumTextField.value,
        custodian : custodianTextField.value,
        status : statusTextField.value,
        loginName : LOGIN_NAME,
        divisionID : DIVISION_ID,
        dateBuy : dateBoughtTextField.value,
        priceBuy : priceTextField.value,
        dateInSvc : dateInServiceTextField.value,
        dateLastSvc : dateLastServiceTextField.value,
    };
    xhr.onload = function() {
        alert("Successful entry"); //this alert does appear when the button is pressed
    };
    xhr.send(params);
});

Here is the code in the PHP file after connecting to the database:

$query = $_GET['query'];

switch($query)  { //this switch statement exists so we can access the database for multiple queries from the same .php file. We know it works because the "login" query works just fine.
    case "data":
        //unimportant stuff is in here
        break;
    case "clients":
        //more irrelevant stuff in here
        break;
    case "login": //this works, but it's not trying to insert anything
        $username = $_GET['username'];  
        $password = $_GET['password'];  
        $stmt4 = $con->prepare('CALL Get_user_auth(:username,:password)');
        $stmt4->bindParam(':username',$username,PDO::PARAM_STR);
        $stmt4->bindParam(':password',$password,PDO::PARAM_STR);
        $stmt4->execute();
        $results = $stmt4->fetchAll(PDO::FETCH_ASSOC);
        $stmt4->closeCursor();
        break;
    case "search":
        //more irrelevant stuff in here
        break;
    case "enterAsset":
        $barcode = '12345';
        $assetClass = 'test';
        $manufacturer = 'test';
        $model = 'test';
        $serialNum = 'test';
        $custodian = 'test';
        $locationID = '1';
        $status = 'test';
        $dateBuy = 'test';
        $priceBuy = 'test';
        $dateInSvc = 'test';
        $dateLastSvc = 'test';
        $loginName = 'jane';
        $divisionID = '1';

        $stmt6 = $con->prepare('CALL Enter_new_asset(:divisionID,:barcode,:assetClass,:manufacturer,:model,:serialNum,:custodian,:status,:locationID,:dateBuy,:priceBuy,:dateInSvc,:dateLastSvc,:loginName)');
        $stmt6->bindParam(':divisionID',$divisionID,PDO::PARAM_INT,11);
        $stmt6->bindParam(':barcode',$barcode,PDO::PARAM_STR,128);
        $stmt6->bindParam(':assetClass',$assetClass,PDO::PARAM_STR,10);
        $stmt6->bindParam(':manufacturer',$manufacturer,PDO::PARAM_STR,10);
        $stmt6->bindParam(':model',$model,PDO::PARAM_STR,10);
        $stmt6->bindParam(':serialNum',$serialNum,PDO::PARAM_STR,20);
        $stmt6->bindParam(':custodian',$custodian,PDO::PARAM_STR,20);
        $stmt6->bindParam(':status',$status,PDO::PARAM_STR,10);
        $stmt6->bindParam(':locationID',$locationID,PDO::PARAM_INT,11);
        $stmt6->bindParam(':dateBuy',$dateBuy,PDO::PARAM_STR,13);
        $stmt6->bindParam(':priceBuy',$priceBuy,PDO::PARAM_STR,10);
        $stmt6->bindParam(':dateInSvc',$dateInSvc,PDO::PARAM_STR,13);
        $stmt6->bindParam(':dateLastSvc',$dateLastSvc,PDO::PARAM_STR,13);
        $stmt6->bindParam(':loginName',$loginName,PDO::PARAM_STR,20);

        $stmt6->execute();
        $stmt6->closeCursor();
        break;
    default:
        $results = "FAIL.";
        break;
}

When I specify the "enterAsset" query, this returns "null", which is expected since it shouldn't return anything.

The stored query for Enter_new_asset is:

INSERT INTO TBL_ASSET_DATA (Division_ID, Barcode_Tag, Asset_Class, Manufacturer, Model, Serial_Num, Custodian, Status, Location_ID, Date_buy, Price_buy, Date_in_svc, Date_last_svc, Updated_by)
VALUES(divisionID,barcode, assetClass, manufacturer, model, serialNum, custodian, status, locationID, dateBuy, priceBuy, dateInSvc, dateLastSvc, loginName)

EDIT: I tried hard-coding some of the variables' values, and now I get this error: Parse error: syntax error, unexpected '';' (T_CONSTANT_ENCAPSED_STRING) in /homepages/21/d265224452/htdocs/brillient_wordpress/AMproxy.php on line 90

Here is the code on line 90:

    $stmt6 = $con->prepare('CALL Enter_new_asset(:divisionID,:barcode,:assetClass,:manufacturer,:model,:serialNum,:custodian,:status,:locationID,:dateBuy,:priceBuy,:dateInSvc,:dateLastSvc,:loginName)');

My question is: why isn't the database being updated with the entered information? No new entry appears in TBL_ASSET_DATA. Other questions about this problem seem to be using MySQLi or the deprecated mysql commands; this one uses PDO.

Thanks in advance for your help.

EDIT: I got my database to update by replacing

$stmt6 = $con->prepare('CALL Enter_new_asset(:divisionID,:barcode,:assetClass,:manufacturer,:model,:serialNum,:custodian,:status,:locationID,:dateBuy,:priceBuy,:dateInSvc,:dateLastSvc,:loginName)');

with:

$sql = "INSERT INTO TBL_ASSET_DATA(Division_ID, Barcode_Tag, Asset_Class, Manufacturer, Model, Serial_Num, Custodian, Status, Location_ID, Date_buy, Price_buy, Date_in_svc, Date_last_svc, Updated_by) VALUES(:divisionID,:barcode, :assetClass, :manufacturer, :model, :serialNum, :custodian, :status, :locationID, :dateBuy, :priceBuy, :dateInSvc, :dateLastSvc, :loginName)";
$stmt6 = $con->prepare($sql);

But I'm wondering whether this is safe.

4
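The asker's final form (placeholders in the INSERT, values bound through PDO) is the standard mitigation against SQL injection, because the user's values never become part of the SQL text. What the question's code still lacks is handling of the empty fields it mentions and any visibility of a failed INSERT (a silent failure is exactly what "returns null, no row appears" looks like). The following is an added example, not code from the question or the answer: it assumes `$con` is the same PDO connection, the same TBL_ASSET_DATA columns, that the client also sends `locationID` as a form field, and hypothetical helper names (`fieldOrNull`, `intField`, `bindTyped`, `enterAsset`).

```php
<?php
// Added example (not the question's or answer's code). Assumes $con is an
// existing PDO connection and the TBL_ASSET_DATA columns shown in the question.

// Make PDO throw on failure so a rejected INSERT surfaces as an error
// instead of silently leaving the table unchanged.
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Read one form field: a missing or empty field becomes NULL (the table is
// set up to accept NULLs); anything else is passed through as a string.
function fieldOrNull(array $src, string $name): ?string
{
    if (!isset($src[$name])) {
        return null;
    }
    $value = trim((string) $src[$name]);
    return $value === '' ? null : $value;
}

// Integer IDs are validated before binding; a non-numeric ID is rejected
// rather than coerced to 0.
function intField(array $src, string $name): ?int
{
    $raw = fieldOrNull($src, $name);
    if ($raw === null) {
        return null;
    }
    if (filter_var($raw, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException("$name must be an integer");
    }
    return (int) $raw;
}

// Bind a value with the PDO type that matches it; NULL is bound as NULL.
// bindValue() copies the value, so the source variable need not outlive
// the call the way it must with bindParam().
function bindTyped(PDOStatement $stmt, string $placeholder, $value): void
{
    if ($value === null) {
        $stmt->bindValue($placeholder, null, PDO::PARAM_NULL);
    } elseif (is_int($value)) {
        $stmt->bindValue($placeholder, $value, PDO::PARAM_INT);
    } else {
        $stmt->bindValue($placeholder, $value, PDO::PARAM_STR);
    }
}

// Insert one asset row from the request fields; returns the number of rows inserted.
function enterAsset(PDO $con, array $src): int
{
    $params = [
        ':divisionID'   => intField($src, 'divisionID'),
        ':barcode'      => fieldOrNull($src, 'barcode'),
        ':assetClass'   => fieldOrNull($src, 'assetClass'),
        ':manufacturer' => fieldOrNull($src, 'manufacturer'),
        ':model'        => fieldOrNull($src, 'model'),
        ':serialNum'    => fieldOrNull($src, 'serialNum'),
        ':custodian'    => fieldOrNull($src, 'custodian'),
        ':status'       => fieldOrNull($src, 'status'),
        ':locationID'   => intField($src, 'locationID'),
        ':dateBuy'      => fieldOrNull($src, 'dateBuy'),
        ':priceBuy'     => fieldOrNull($src, 'priceBuy'),
        ':dateInSvc'    => fieldOrNull($src, 'dateInSvc'),
        ':dateLastSvc'  => fieldOrNull($src, 'dateLastSvc'),
        ':loginName'    => fieldOrNull($src, 'loginName'),
    ];

    // The SQL text holds only placeholders; no request value is ever
    // concatenated into it, so the values cannot change the statement.
    $sql = 'INSERT INTO TBL_ASSET_DATA (Division_ID, Barcode_Tag, Asset_Class, Manufacturer, Model, '
         . 'Serial_Num, Custodian, Status, Location_ID, Date_buy, Price_buy, Date_in_svc, Date_last_svc, Updated_by) '
         . 'VALUES (:divisionID, :barcode, :assetClass, :manufacturer, :model, :serialNum, :custodian, '
         . ':status, :locationID, :dateBuy, :priceBuy, :dateInSvc, :dateLastSvc, :loginName)';
    $stmt = $con->prepare($sql);
    foreach ($params as $placeholder => $value) {
        bindTyped($stmt, $placeholder, $value);
    }
    $stmt->execute();
    return $stmt->rowCount(); // 1 when the row was inserted
}

// Dispatch: only the fixed names in the switch are accepted, as in the question.
$query = $_GET['query'] ?? '';
switch ($query) {
    case 'enterAsset':
        $inserted = enterAsset($con, $_GET);
        echo json_encode(['inserted' => $inserted]);
        break;
    default:
        echo json_encode(['error' => 'unknown query']);
        break;
}
```

With ERRMODE_EXCEPTION set, a wrong column name, a type mismatch or a stored procedure that does not exist raises a PDOException with the server's message, rather than leaving the client's `onload` handler reporting "Successful entry" over an empty table. Returning `rowCount()` also lets the Titanium side check that a row was actually written instead of treating any HTTP 200 as success.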

1 Answer

0

It looks like you're missing a quote to close your string:

$dateLastSvc = 'test;

This makes your code behave incorrectly. If you use an editor with context highlighting, you can easily pick out such typos. For example, I could see this immediately by looking at the highlighting Stack Overflow applies.

Answered 2013-08-14T15:26:35.377