-5

我有这个基本的 php 插入脚本工作正常,一旦用户点击提交,它将完美地插入表单。然而,由于某种原因,当用户在点击提交之前访问页面时,它也会提交一条记录。在用户执行任何操作之前,它立即在顶部回显“输入成功”。数据库中将有一条空白记录。为什么会这样?

作为一个额外的问题......我可以防止sql注入购买简单地添加一些mysql_escape代码到这个的各个部分吗?这是一个 WordPress 页面,那还有必要吗?

<?php
$user_ID = get_current_user_id();

$hostname = "******";
$username = "******";
$dbname = "******";
$password = "*****";

//Connecting to your database
mysql_connect($hostname, $username, $password) OR DIE ("Unable to 
connect to database! Please try again later.");
mysql_select_db($dbname);

// Get values from form 
$genre = $_POST['genre'];
$movie_name = $_POST['movie_name'];
$movie_text = $_POST['movie_text'];


$query = "INSERT INTO movies (ID, genre, movie_name, movie_text)  VALUES
('$user_ID','$genre','$story_name','$story_text')";
$result = mysql_query($query);

if($result)
{
echo("
Entry Succesful");
}
else
{
echo("
failed to start");
}

?>

Get started!
<br><br>
<form name="movie" action="" method="post">

What type of movie? <select name="genre">
<option value="">Select...</option>
<option value="Comedy">Comedy</option>
<option value="Drama">Drama</option>

</select>

Name of Movie: <input type="text" size="55" name="movie_name">

<textarea rows="30" cols="80" name="movie_text" rows="4"></textarea>

<input type="submit" name="submit" id="submit" value="Add movie" />
</form>
4

2 回答 2

1

“但是,由于某种原因,当用户在点击提交之前访问该页面时,它也会提交一条记录。”

isset()使用您的(命名的)提交按钮作为参考,将您的代码包装在(if)条件语句中:

<?php

    if(isset($_POST['submit'])){
    $user_ID = get_current_user_id();
    ...

else
{
echo("
failed to start");
}

    } // end brace for if(isset($_POST['submit']))
?>

Get started!
<br><br>
<form name="movie" action="" method="post">
<input type="submit" name="submit" id="submit" value="Add movie" />

...

</form>

就 SQL 注入而言,请访问:

在堆栈上。

于 2014-07-23T04:12:27.150 回答
0

您需要检查用户是否点击了提交按钮,否则每次运行页面或请求页面时都会执行 php 脚本。你可以isset用来检查。试试下面的代码

<?php
if(isset($_REQUEST['submit']))
{
    $user_ID = get_current_user_id();
    $hostname = "******";
    $username = "******";
    $dbname = "******";
    $password = "*****";
    //Connecting to your database
    mysql_connect($hostname, $username, $password) OR DIE ("Unable to 
    connect to database! Please try again later.");
    mysql_select_db($dbname);

    // Get values from form 
    $genre = $_POST['genre'];
    $movie_name = $_POST['movie_name'];
    $movie_text = $_POST['movie_text'];


    $query = "INSERT INTO movies (ID, genre, movie_name, movie_text)  VALUES
    ('$user_ID','$genre','$story_name','$story_text')";
    $result = mysql_query($query);

    if($result)
    {
    echo("
    Entry Succesful");
    }

}

else { echo("启动失败"); } ?>

Get started!
<br><br>
<form name="movie" action="" method="post">

What type of movie? <select name="genre">
<option value="">Select...</option>
<option value="Comedy">Comedy</option>
<option value="Drama">Drama</option>

</select>

Name of Movie: <input type="text" size="55" name="movie_name">

<textarea rows="30" cols="80" name="movie_text" rows="4"></textarea>

<input type="submit" name="submit" id="submit" value="Add movie" />
</form>

希望这有帮助:)

于 2014-07-23T04:12:00.320 回答