PHP和mySQL不工作
PHP代码:PHP和mySQL不工作,php,html,mysql,sql,Php,Html,Mysql,Sql,PHP代码: <?php // Create connection $con=mysqli_connect("localhost","root","root","demo1"); echo "Connection was successful"; // Check connection if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); }
<?php
// Create connection
$con=mysqli_connect("localhost","root","root","demo1");
echo "Connection was successful";
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
mysql_select_db("demo1",$con);
$sqli="INSERT INTO employee (Employee ID,NAME,Date Hired,Position,Salary,Department Code,Can HIRE,BOSSID)
VALUES('$_POST[EMPID]','$_POST[NAME]','$_POST[DATEHIRED]','$_POST[POSITION]','$_POST[SALARY]','$_POST[D EPTCODE]','$_POST[CANHIRE]','$_POST[BOSSID]')";
if (!mysqli_query($con,$sqli))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
字段不能有像员工ID这样的空格,请仔细检查db表列名
此外,您的代码容易受到SQL注入的影响。您应该转义将在SQL查询中使用的任何用户输入。尝试将mysql\u-escape\u字符串($\u-POST['value'])
包装在所有$\u-POST
、$\u-GET
和$\u-REQUEST
输入中。使用mysqli为什么要“mysql\u-select\u-db”?mysqli将是:
bool mysqli_select_db ( mysqli $link , string $dbname )
您将代码与MySQL和MySQLi混合使用。我只将您的代码编入了MySQLi。请避免在列名中使用(空格)。您可以使用mysqli\u real\u escape\u string
防止一些SQL注入:
LAB5.php:
<?php
/* CHECK CONNECTION */
$connection=mysqli_connect("localhost","root","root","demo1");
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$empID=mysqli_real_escape_string($connection,$_POST['EMPID']);
$name=mysqli_real_escape_string($connection,$_POST['NAME']);
$datehired=mysqli_real_escape_string($connection,$_POST['DATEHIRED']);
$position=mysqli_real_escape_string($connection,$_POST['POSITION']);
$salary=mysqli_real_escape_string($connection,$_POST['SALARY']);
$deptcode=mysqli_real_escape_string($connection,$_POST['DEPTCODE']);
$canhire=mysqli_real_escape_string($connection,$_POST['CANHIRE']);
$bossID=mysqli_real_escape_string($connection,$_POST['BOSSID']);
/* MYSQLI REAL ESCAPE STRING WOULD PREVENT A BIT OF SQL INJECTION */
mysqli_query($connection,"INSERT INTO employee (EMPID, NAME, DATEHIRED, POSITION, SALARY, DEPTCODE, CANHIRE, BOSSID) /* DOUBLE CHECK YOUR COLUMN NAME */
VALUES('$empID','$name','$datehired','$position','$salary','$deptcode','$canhire','$bossid')";
mysqli_close($con);
?>
<html>
<body>
<h1> EMPLOYEE </h1><br>
<form action="LAB5.php" method="post">
Employee ID: <input type="text" name="EMPID" ><br>
Name: <input type="text" name="NAME" ><br>
Date Hired <input type="date" name="DATEHIRED" ><br>
Position: <input type="text" name="POSITION" ><br>
Salary: <input type="number" name="SALARY" ><br>
Department Code: <input type="text" name="DEPTCODE" ><br>
Can HIRE <input type="text" name="CANHIRE" ><br>
BOSSID: <input type="text" name="BOSSID" ><br>
<input type='submit'>
</form>
</body>
</html>
您应该切换到prepared语句,以摆脱现在的sql注入问题
此外,如果字段或表名包含空格,则需要将它们括在反勾中:
INSERT INTO employee (`Employee ID`,NAME, ....
您不能将mysqli.*
与类似的mysql.*
函数混合使用,请坚持使用mysqli.*
您正在混合数据库对象
mysql_select_db("demo1",$con);
应该是
mysqli_select_db("demo1", $con);
这一行:
$sqli="INSERT INTO employee (Employee ID, NAME, Date Hired, Position,Salary, Department Code, Can HIRE ,BOSSID)
VALUES('$_POST[EMPID]','$_POST[NAME]','$_POST[DATEHIRED]','$_POST[POSITION]','$_POST[SALARY]','$_POST[D EPTCODE]','$_POST[CANHIRE]','$_POST[BOSSID]')";
也是一个主要的安全风险,因为您似乎没有逃逸插入数据库的数据
首先看一下。。。请不要使用mysql.*
函数,因为它们已贬值。而是使用PDO
或mysqli.*
。此外,您的代码也会受到注入攻击。请看这个了解更多:答案已经给出;想知道他们是否捕捉到了一个小细节,或者两个,甚至三个。我不想碰这个,快来吧。将作为“员工Id”
的想法用于插入不起作用。他只需要知道他的实际列名。啊,是的,我打字太快了。我想这是一个选择。嗨,洛根,谢谢你的回答。我运行了您的代码,当我单击submit时,结果显示.php页面为空。你能帮帮我吗?@VirenPatel没问题!我的回答有助于解决你的问题吗?然后别忘了选择正确的答案,或者对我的答案进行投票@当然是空白的。但是当您查看数据库时,它将包含新插入的数据,不是吗?您想要输出什么?但没有错误?您可以更新您的帖子,并发布表的列名、数据库名称、用户名和密码列表吗。所以我可以为你更新我的答案。我已经更新了我的帖子,在我的数据库中有一张显示名字的图片。
$sqli="INSERT INTO employee (Employee ID, NAME, Date Hired, Position,Salary, Department Code, Can HIRE ,BOSSID)
VALUES('$_POST[EMPID]','$_POST[NAME]','$_POST[DATEHIRED]','$_POST[POSITION]','$_POST[SALARY]','$_POST[D EPTCODE]','$_POST[CANHIRE]','$_POST[BOSSID]')";