我的php表单提交到mysql不会';如果文本之间只有一个引号,则不起作用
这是我的html页面:我的php表单提交到mysql不会';如果文本之间只有一个引号,则不起作用,php,mysql,forms,syntax,form-submit,Php,Mysql,Forms,Syntax,Form Submit,这是我的html页面: <form method="post"> <input type="hidden" name="user" readonly="readonly" value="<?php echo $session->username;?>"> <input placeholder="TAS Code" class="input-text" type="text" name="customerCode" id="name" /> &
<form method="post">
<input type="hidden" name="user" readonly="readonly" value="<?php echo $session->username;?>">
<input placeholder="TAS Code" class="input-text" type="text" name="customerCode" id="name" />
<textarea type="text" placeholder="Comments" style="width: 500px;" wrap="hard" class="input-text" name="comments" id="email"/></textarea>
<input type="submit" value="Submit" class="btn-u btn-u-small" name="submit" id="comment-submit" />
</form>
最后是我的web.php来处理表单内容
$mysqli =mysqli_connect("localhost","pf_sales","pfsal3s","pf_sales");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$webbox = $_POST['web'];
$codebox=$_POST['customerCode'];
$commentbox=$_POST['comments'];
$discount=$_POST['discount'];
$task=$_POST['taskbox'];
$clear=$_POST['clearbox'];
$user=$_POST['user'];
if ($codebox !="" && $commentbox !="" && $webbox!="" && $discount!="")
{
$query = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]'),discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]');";
/* execute multi query */
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s\n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------\n");
}
} while ($mysqli->next_result());
}
/* close connection */
$mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $webbox!="")
{
$query = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";
/* execute multi query */
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s\n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------\n");
}
} while ($mysqli->next_result());
}
/* close connection */
$mysqli->close();
}
if ($codebox !="" && $commentbox !="" && $task!="")
{
$query = "INSERT INTO commentstable (customerCode, comments) VALUES ('$_POST[customerCode]', '$_POST[comments]');";
$query .= "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";
/* execute multi query */
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s\n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------\n");
}
} while ($mysqli->next_result());
}
/* close connection */
$mysqli->close();
}
else if ($codebox!="" && $commentbox!="" && $user!="")
{
$query ="INSERT INTO commentstable (user, customerCode, comments) VALUES ('$_POST[user]', '$_POST[customerCode]', '$_POST[comments]');";
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s\n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------\n");
}
} while ($mysqli->next_result());
}
$mysqli->close();
}
else if ($codebox!="" && $webbox!="" )
{
$query ="UPDATE webdiscount SET web = ('$_POST[web]') where customerCode = ('$_POST[customerCode]');";
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s\n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------\n");
}
} while ($mysqli->next_result());
}
$mysqli->close();
}
else if ($codebox!="" && $discount!="" )
{
$query ="UPDATE webdiscount SET discount=('$_POST[discount]') where customerCode = ('$_POST[customerCode]'); ";
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s\n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------\n");
}
} while ($mysqli->next_result());
}
$mysqli->close();
}
else if ($codebox !="" && $task!="")
{
$query = "UPDATE webdiscount SET taskFor=('$_POST[taskbox]') where customerCode = ('$_POST[customerCode]');";
/* execute multi query */
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s\n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------\n");
}
} while ($mysqli->next_result());
}
/* close connection */
$mysqli->close();
}
else if ($codebox !="" && $clear=="done")
{
$query = "UPDATE webdiscount SET taskFor='' where customerCode = ('$_POST[customerCode]');";
/* execute multi query */
if ($mysqli->multi_query($query)) {
do {
/* store first result set */
if ($result = $mysqli->store_result()) {
while ($row = $result->fetch_row()) {
printf("%s\n", $row[0]);
}
$result->free();
}
/* print divider */
if ($mysqli->more_results()) {
printf("-----------------\n");
}
} while ($mysqli->next_result());
}
/* close connection */
$mysqli->close();
因此,当我们放置代码和注释时,它应该更新注释表。只要我们不在文本中使用单引号,它就可以正常工作。i、 若我们写“我们并没有这样做”,那个么表单不会更新数据库
任何帮助都将不胜感激。谢谢使用
mysqli\u real\u escape\u string()
Read
所以代码应该是
$codebox=mysqli_real_escape_string($con, $_POST['customerCode']);
等等。使用
mysqli\u real\u escape\u string()
问题是因为您将未转换的单引号传递给SQL查询。例如,如果$\u POST['customerCode']
包含我们没有这样做
您的查询将如下所示:
INSERT INTO commentstable (customerCode, comments) VALUES ('We didn't do this', '…')
您看到了扭曲SQL语句的额外引号吗?您可以使用mysqli::real\u escape\u string
或更好的方法,通过切换到准备好的语句来防止这种情况。您的查询将如下所示:
$query = "INSERT INTO commentstable (customerCode, comments) VALUES (?, ?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('is', $_POST['customerCode'], $_POST['comments']);
$stmt->execute();
顺便说一句,您应该使用isset
或empty
检查这些POST变量是否存在,否则如果这些变量未通过,您将收到错误。请切换到以防止。这也将解决您的问题。不,不要将mysql\u*
函数与mysqli\u*
函数混合使用。最好使用准备好的语句。这将是mysqli\u real\u escape\u字符串,因为他正在使用mysqli库。这也是错误的正确解决方案。准备好的语句将其更改为mysqli。@MarcelKorpel请在语法中指定错误。从技术上讲,答案是错误的。根据,在使用程序样式时,应将连接作为第一个参数传递。
INSERT INTO commentstable (customerCode, comments) VALUES ('We didn't do this', '…')
$query = "INSERT INTO commentstable (customerCode, comments) VALUES (?, ?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param('is', $_POST['customerCode'], $_POST['comments']);
$stmt->execute();