Javascript 将SQL添加到名为';onclick';
我有一个名为“添加”的按钮,它与列表中的每个人相关Javascript 将SQL添加到名为';onclick';,javascript,php,jquery,mysql,function,Javascript,Php,Jquery,Mysql,Function,我有一个名为“添加”的按钮,它与列表中的每个人相关 echo <td><input type=\"submit\" id=\"PlayerAdded".$id."\" value=\"Add\" onclick=\"add('".$id."','".$name."','".$_SESSION['GameID']."');\"></input></td>"; 删除变量前的括号,该括号是为函数中的每个变量编写的 在函数代码的末尾添加ajax
echo <td><input type=\"submit\" id=\"PlayerAdded".$id."\" value=\"Add\"
onclick=\"add('".$id."','".$name."','".$_SESSION['GameID']."');\"></input></td>";
删除变量前的括号,该括号是为函数中的每个变量编写的 在函数代码的末尾添加
ajaxfunction add(id, name, game) {
var t = "</td><td>";
var str = "<tr id='Players" + id + "'><td>"
var ctr = "</td></tr>"
var PID = "<input type = 'hidden' name='ID" + id + "' value='" + id + "'></input>" + id;
var Pnam = "<input type='hidden' name='Name" + id + "' value='" + name + "'></input>";
var place = "<select name='Place" + id + "'><option value='17'>17th</option><option value='16'>16th</option><option value='15'>15th</option><option value='14'>14th</option><option value='13'>13th</option><option value='12'>12th</option><option value='11'>11th</option><option value='10'>10th</option><option value='9'>9th</option><option value='8'>8th</option><option value='7'>7th</option><option value='6'>6th</option><option value='5'>5th</option><option value='4'>4th</option><option value='3'>3rd</option><option value='2'>2nd</option><option value='1'>1st</option></select>";
var points = "<form action='leaderboards.php' method='post' target='_blank'><input type='hidden' name='playerid' value='" + id + "'></input><input type='hidden' name='name' value='" + name + "'></input><input type='submit' value='View'></form>";
var cash = "$<input name='Cash" + id + "' placeholder=' 0'></input>";
var ticket = "<select name='Ticket" + id + "'><option value='No'>No</option><option value='Yes'>Yes</option>";
var del = "<input type='button' value='Delete' onclick='remove(" + id + ")'> </input>";
$('#PlayerAdded').before(str + PID + t + Pnam + name + t + place + t + points + t + cash + t + ticket + t + del + ctr);
// making ajax call to insert.php and posting the data
$.ajax({
method: "POST",
url: "insert.php",
data: {
"id": id,
"name": name,
"game": game
},
beforeSend:function(){
// show something before data is saved to db.
}
}).done(function(msg) {
$("body").append(msg); //debugging purpose
}).fail(function( jqXHR, textStatus ) {
alert( "Request failed: " + textStatus );
});
}
函数添加(id、名称、游戏){
var t=“”;
var str=“”
var ctr=“”
var PID=”“+id;
var Pnam=“”;
var place=“17th16th15th14th13th12th11th10th9th8th7th6th5th4th3rd2nd1st”;
var points=“”;
var cash=“$”;
var ticket=“否”;
var del=“”;
$(“#玩家添加”)。之前(str+PID+t+Pnam+name+t+place+t+points+t+cash+t+ticket+t+del+ctr);
//对insert.php进行ajax调用并发布数据
$.ajax({
方法:“张贴”,
url:“insert.php”,
数据:{
“id”:id,
“姓名”:姓名,
“游戏”:游戏
},
beforeSend:function(){
//在数据保存到数据库之前显示某些内容。
}
}).done(函数(msg){
$(“body”).append(msg);//调试目的
}).fail(函数(jqXHR,textStatus){
警报(“请求失败:+textStatus”);
});
}
<?php
if(isset($_POST['id']) && isset($_POST['name']) && isset($_POST['game'])){
$id= $_POST['id'];
$name= $_POST['name'];
$game= $_POST['game'];
//write your connection logic
// never write bare queries there is a chance of sql injection.
//Instead use prepared statement, prepare your query then bind the above values to it, then excute.
//write your insert logic below.
}
?>
删除变量前的括号,该括号是为函数中的每个变量编写的 在函数代码的末尾添加
ajaxfunction add(id, name, game) {
var t = "</td><td>";
var str = "<tr id='Players" + id + "'><td>"
var ctr = "</td></tr>"
var PID = "<input type = 'hidden' name='ID" + id + "' value='" + id + "'></input>" + id;
var Pnam = "<input type='hidden' name='Name" + id + "' value='" + name + "'></input>";
var place = "<select name='Place" + id + "'><option value='17'>17th</option><option value='16'>16th</option><option value='15'>15th</option><option value='14'>14th</option><option value='13'>13th</option><option value='12'>12th</option><option value='11'>11th</option><option value='10'>10th</option><option value='9'>9th</option><option value='8'>8th</option><option value='7'>7th</option><option value='6'>6th</option><option value='5'>5th</option><option value='4'>4th</option><option value='3'>3rd</option><option value='2'>2nd</option><option value='1'>1st</option></select>";
var points = "<form action='leaderboards.php' method='post' target='_blank'><input type='hidden' name='playerid' value='" + id + "'></input><input type='hidden' name='name' value='" + name + "'></input><input type='submit' value='View'></form>";
var cash = "$<input name='Cash" + id + "' placeholder=' 0'></input>";
var ticket = "<select name='Ticket" + id + "'><option value='No'>No</option><option value='Yes'>Yes</option>";
var del = "<input type='button' value='Delete' onclick='remove(" + id + ")'> </input>";
$('#PlayerAdded').before(str + PID + t + Pnam + name + t + place + t + points + t + cash + t + ticket + t + del + ctr);
// making ajax call to insert.php and posting the data
$.ajax({
method: "POST",
url: "insert.php",
data: {
"id": id,
"name": name,
"game": game
},
beforeSend:function(){
// show something before data is saved to db.
}
}).done(function(msg) {
$("body").append(msg); //debugging purpose
}).fail(function( jqXHR, textStatus ) {
alert( "Request failed: " + textStatus );
});
}
函数添加(id、名称、游戏){
var t=“”;
var str=“”
var ctr=“”
var PID=”“+id;
var Pnam=“”;
var place=“17th16th15th14th13th12th11th10th9th8th7th6th5th4th3rd2nd1st”;
var points=“”;
var cash=“$”;
var ticket=“否”;
var del=“”;
$(“#玩家添加”)。之前(str+PID+t+Pnam+name+t+place+t+points+t+cash+t+ticket+t+del+ctr);
//对insert.php进行ajax调用并发布数据
$.ajax({
方法:“张贴”,
url:“insert.php”,
数据:{
“id”:id,
“姓名”:姓名,
“游戏”:游戏
},
beforeSend:function(){
//在数据保存到数据库之前显示某些内容。
}
}).done(函数(msg){
$(“body”).append(msg);//调试目的
}).fail(函数(jqXHR,textStatus){
警报(“请求失败:+textStatus”);
});
}
<?php
if(isset($_POST['id']) && isset($_POST['name']) && isset($_POST['game'])){
$id= $_POST['id'];
$name= $_POST['name'];
$game= $_POST['game'];
//write your connection logic
// never write bare queries there is a chance of sql injection.
//Instead use prepared statement, prepare your query then bind the above values to it, then excute.
//write your insert logic below.
}
?>
您需要通过
AJAXadd()$.post('insertnew.php', { id:id,name:name,game:game }, function(data){
alert(data);
});
<?php
if(isset($_POST['id']) && isset($_POST['name']) && isset($_POST['game'])){
// sanitize your data here, then:
$id = $_POST['id'];
$name = $_POST['name'];
$game = $_POST['game'];
//connect to your db, or instead include your dbconnect.php
$link= new mysqli('localhost', 'my_user', 'my_password', 'world');
// check connection
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
//use prepared statement, prepare your query then bind the above values to it, then excute
$stmt = mysqli_prepare($link, "INSERT INTO results VALUES (?, ?, ?)");
mysqli_stmt_bind_param($stmt, $id, $name, $game);
if(mysqli_stmt_execute($stmt)){
echo "Record has been added successfully";
}else{
echo "Sorry, record could not be inserted";
}
}
?>
您需要通过
AJAXadd()$.post('insertnew.php', { id:id,name:name,game:game }, function(data){
alert(data);
});
<?php
if(isset($_POST['id']) && isset($_POST['name']) && isset($_POST['game'])){
// sanitize your data here, then:
$id = $_POST['id'];
$name = $_POST['name'];
$game = $_POST['game'];
//connect to your db, or instead include your dbconnect.php
$link= new mysqli('localhost', 'my_user', 'my_password', 'world');
// check connection
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
//use prepared statement, prepare your query then bind the above values to it, then excute
$stmt = mysqli_prepare($link, "INSERT INTO results VALUES (?, ?, ?)");
mysqli_stmt_bind_param($stmt, $id, $name, $game);
if(mysqli_stmt_execute($stmt)){
echo "Record has been added successfully";
}else{
echo "Sorry, record could not be inserted";
}
}
?>
您需要打一个
ajaxajaxsql注入connecttodb.php的文件include(“connecttodb.php”)那么它应该可以工作了?嗯。。。。我已经应用了你的答案,我收到了警报,数据正在输出到表中,我没有收到错误消息,但数据仍然没有进入数据库。我甚至测试了一个故意的错误(在mysqli_查询中用$conn替换$con),但仍然没有得到任何错误。我不知道ajax是否正在激活insert.php
。如果出现警报,那么您的php中存在问题,请仔细检查单引号和双引号,检查网络选项卡f12
,最好使用准备好的语句完成查询,我知道在他的原始代码中,他没有使用它,但避免使用它可能非常危险+1这只是示例目的。我没有添加关于php的输入,因为他的问题是关于ajax的,我知道sql注入
,因此如果我1)将代码从第一个示例复制到函数的末尾,然后2)创建一个名为insert.php的新文件,并包括一个名为(例如)connecttodb.php的文件
,然后将第一个和第三个注释之间的代码替换为include(“connecttodb.php”)那么它应该可以工作了?嗯。。。。我已经应用了你的答案,我收到了警报,数据正在输出到表中,我没有收到错误消息,但数据仍然没有进入数据库。我甚至测试了一个故意的错误(在mysqli_查询中用$conn替换$con),但仍然没有得到任何错误。我不知道ajax是否正在激活insert.php
。如果警报即将发出,那么您的php中存在问题,请仔细检查单引号和双引号,检查网络选项卡f12