php - php表单值不匹配

Question

我已经查看了代码，一切看起来都是正确的，所以我不确定哪里出了问题。我不断收到以下错误 s1s01 1136 column count does match。

我相信我使用了所有正确的安全代码，如果我没有谢谢你，请注意。

 <?php
include ('wording/en-translation.php');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>

<body>
<?php
// define variables and set to empty values
$user_nameErr = $user_emailErr = "";
$user_name = $user_email = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
  if (empty($_POST["user_name"])) {
    $user_nameErr = "Name is required";
  } else {
    $user_name = mysql_real_escape_string($_POST["user_name"]);
    //check if name only contains letters and whitespace
    if (!preg_match("/^[a-zA-Z]*$/",$user_name)) {
        $user_nameErr="Only letters and white spaces allowed";
    }
  }

  if (empty($_POST["user_email"])) {
    $user_emailErr = "Email is required";
  } else {
    $user_email = mysql_real_escape_string($_POST["user_email"]);
    //check if email is well-formed
    if (!filter_var($user_email, FILTER_VALIDATE_EMAIL)) {
        $user_emailErr = "Invalid Email Format";
    }
  }

if ($_SERVER["REQUEST_METHOD"] == "POST") {
   $user_name = mysql_real_escape_string($_POST["user_name"]);
   $user_email = mysql_real_escape_string($_POST["user_email"]);
}

function mysql_real_escape_string($data) {
   $data = trim($data);
   $data = stripslashes($data);
   $data = htmlspecialchars($data);
   return $data;
}
}
?>
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    <label for="user_name"><?php echo WORDING_REGISTRATION_USERNAME; ?></label>
    <input id="user_name" type="text" pattern="[a-zA-Z0-9]{2,64}" value="<?php echo $user_name; ?>" name="user_name" required />
            <span class="error">* <?php echo $user_nameErr;?></span><br>
    <label for="user_email"><?php echo WORDING_REGISTRATION_EMAIL; ?></label>
    <input id="user_email" type="email" name="user_email" value="<?php echo $user_email; ?>" required />
            <span class="error">* <?php echo $user_emailErr;?></span>
    <input type="submit" name="register" value="<?php echo WORDING_REGISTER; ?>" />
</form>
<?php
echo $user_name;
echo "<br>";
echo $user_email;
echo "<br>";
?>
<?php
$servername = "localhost";
$username = "admin";
$password = "";
$dbname = "login";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $sql = "INSERT INTO users(user_name, user_email)
    VALUES(
    ". mysql_real_escape_string($user_name) ."',
    ". mysql_real_escape_string($user_email) ."'
    )";
    // use exec() because no results are returned
    $conn->exec($sql);
    echo "New record created successfully";
    }
catch(PDOException $e)
    {
    echo $sql . "<br>" . $e->getMessage();
    }

$conn = null;




?> 


</

Answer 1

通过对您的值进行完全错误的引用，您正在生成损坏的 SQL：

$sql = "INSERT INTO users(user_name, user_email)
VALUES(
". mysql_real_escape_string($user_name) ."',
                                          ^---start sql string
". mysql_real_escape_string($user_email) ."'
                                           ^---end of sql string
)";

这意味着你正在生成

INSERT INTO users (user_name, user_email) VALUES (Bob, 'bob@example.com')
                                                   ^--unknown field

您还混合了 mysql 库，这是完全不可能的，而且您很容易受到sql 注入攻击。

简而言之，这段代码完全是货物崇拜编程，你真的需要坐下来好好学习 PHP。