PHP MySQL insert with subquery not working - Php_Mysql_Forms - Fatal编程技术网

Can someone tell me what is wrong with this?

$query = "
    INSERT INTO brand_generic.brand_drug (
        drug_id, brand_drug_name, manufacturer, type, price
) VALUES (
    (SELECT id FROM brand_generic.generic_drug WHERE generic_drug_name = '{$safe_generic_drug_name}'), '{$safe_brand_drug_name}', '{$safe_manufacturer_name}', '{$safe_type}', {$safe_price}
);";
It does not show any error, but it also does not insert into the database from the PHP file. When I run it manually through phpMyAdmin, just substituting the actual values for the variables, it works. I don't think there is anything wrong with my query, but it still does not insert the data into the database, so I think I should put the whole content of the file here:

<?php
if(isset($_POST['submit'])){
 $generic_drug_name = $_POST['generic_drug_name'];
 $brand_drug_name = $_POST['brand_drug_name'];
 $manufacturer_name = $_POST['manufacturer_name'];
 $type = $_POST['type'];
 $price = $_POST['price'];
 }else{
    $generic_drug_name = '';
    $brand_drug_name = '';
    $manufacturer_name = '';
    $type = '';
    $price = '';
}
    $errors = ''; 
    $errors['generic_drug_nameErr'] = '';
    $errors['brand_drug_nameErr'] = '';
    $errors['manufacturer_nameErr'] = '';
    $errors['typeErr'] = '';
    $errors['priceErr'] = '';

?>
 <body>
  <header>
    <?php echo navigation(); ?>
  </header>
<section>       
<div id="envelope">

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="post">

<?php       

        if ($_SERVER["REQUEST_METHOD"] == "POST") {
            if (empty($_POST["generic_drug_name"])) {
               $errors['generic_drug_nameErr'] = "Name is required";

            }else{
               $generic_drug_name = test_input($_POST["generic_drug_name"]);
                 // check if name only contains letters and whitespace
                 if (!preg_match("/^[a-zA-Z ]*$/",$generic_drug_name)) {
                   $errors['generic_drug_nameErr'] = "Only letters and white space allowed";
                 }
               }
            if (empty($_POST["brand_drug_name"])) {
               $errors['brand_drug_nameErr'] = "Name is required";

            }else{
               $brand_drug_name = test_input($_POST["brand_drug_name"]);
                 // check if name only contains letters and whitespace
                 if (!preg_match("/^[a-zA-Z ]*$/",$brand_drug_name)) {
                   $errors['brand_drug_nameErr'] = "Only letters and white space allowed";
                 }
               }
            if (empty($_POST["manufacturer_name"])) {
               $errors['manufacturer_nameErr'] = "Name is required";

            }else{
               $manufacturer_name = test_input($_POST["manufacturer_name"]);
                 // check if name only contains letters and whitespace
                 if (!preg_match("/^[a-zA-Z ]*$/",$manufacturer_name)) {
                   $errors['manufacturer_nameErr'] = "Only letters and white space allowed";
                 }
               }
            if (empty($_POST["type"])) {
                 $errors['typeErr'] = "Type is required";
               } else {
                 $type = test_input($_POST["type"]);
                 // check if e-mail address is well-formed
                 if (!preg_match("/^[a-zA-Z ]*$/",$type)) {
                   $errors['typeErr'] = "Only letters and white space allowed";
                 }
               }
            if (empty($_POST["price"])) {
                 $errors['priceErr'] = "";
               } else {
                 $price = test_input($_POST["price"]);
                 // check if e-mail address is well-formed
                 if (!preg_match("/^[0-9\_]{1,4}/",$price)) {
                   $errors['priceErr'] = "Invalid price format";
                 }
               }                        
        }
?>
<center><h1>Add a new brand drug</h1></center><br>
<label>Generic Drug Name</label><span class="error">* </span><span class="text"><?php echo $errors['generic_drug_nameErr'];?></span>
<input type="text" name="generic_drug_name" placeholder="Enter Generic drug Names" value="<?php echo htmlspecialchars($generic_drug_name); ?>" width="100px;"/>
<label>Brand Drug Name</label><span class="error">* </span><span class="text"><?php echo $errors['brand_drug_nameErr'];?></span>
<input type="text" name="brand_drug_name" placeholder="Amlokind" autofocus="autofocus" value="<?php echo htmlspecialchars($brand_drug_name); ?>" width="100px;">
<label>Manufacturer</label><span class="error">* </span><span class="text"><?php echo $errors['manufacturer_nameErr'];?></span>
<input type="text" name="manufacturer_name" placeholder="Glaxo Smithkline Pharmaceuticals Pvt. Ltd." autofocus="autofocus" value="<?php echo htmlspecialchars($manufacturer_name); ?>">
<label>Type</label><span class="error">* </span><span class="text"><?php echo $errors['typeErr'];?></span>
<input type="text" name="type" placeholder="Tablet" autofocus="autofocus" value="<?php echo htmlspecialchars($type); ?>">       
<label>Price</label><span class="error">* </span><span class="text"><?php echo $errors['priceErr'];?></span>
<input type="text" name="price" placeholder="10.45" autofocus="autofocus" value="<?php echo htmlspecialchars($price); ?>" >
<input type="submit" name = "submit" value="Add" id="submit"/>

</form>
</div>
<?php  
if(isset($_POST['submit'])){
     /*$generic_drug_name = $_POST['generic_drug_name'];
     $brand_drug_name = $_POST['brand_drug_name'];
     $manufacturer_name = $_POST['manufacturer_name'];
     $type = $_POST['type'];
     $price = $_POST['price'];*/
        if(empty($errors)){
            $safe_generic_drug_name = strtoupper($generic_drug_name);               
            $safe_brand_drug_name = strtoupper($brand_drug_name);
            $safe_manufacturer_name = ucwords($manufacturer_name);
            $safe_type = ucfirst($type);
            $safe_price = $price;

            $query = "INSERT INTO brand_generic.brand_drug (drug_id, brand_drug_name, manufacturer, type, price)   
                        SELECT id, '{$safe_brand_drug_name}','{$safe_manufacturer_name}', '{$safe_type}', {$safe_price}
                        FROM brand_generic.generic_drug 
                        WHERE generic_drug_name = '{$safe_generic_drug_name}';";
                    //INSERT INTO brand_generic.brand_drug (drug_id, brand_drug_name, manufacturer, type, price) VALUES ((SELECT id FROM brand_generic.generic_drug WHERE generic_drug_name = 'AMLODIPINE'), 'ZODIPINE', 'Zorex Pharma Pvt  Ltd', 'Tablet', 10);
            if(!$query){ 
                die(mysqli_error());
            }
            $result = mysqli_query($connection, $query);
            var_dump($result);

            if($result){
            $_SESSION["message"] = "Successfully subject created";
                //redirect_to("manage_content.php");
            echo $_SESSION["message"];
            }else{
            $_SESSION["message"] = "Sorry, subject couldn't be created";
                //redirect_to("new_subject.php");
            echo $_SESSION["message"];
            }
        }
    }

?>

Try this:

INSERT INTO brand_generic.brand_drug (drug_id, brand_drug_name, manufacturer, type, price) SELECT (SELECT id FROM brand_generic.generic_drug WHERE generic_drug_name = '{$safe_generic_drug_name}'), '{$safe_brand_drug_name}', '{$safe_manufacturer_name}', '{$safe_type}', {$safe_price};

You can't run a select like that. There is a dedicated

INSERT INTO ...
SELECT ... FROM

Apart from that, you are probably also vulnerable to attack.

If I had a penny for every time I've written that someone is vulnerable to SQL injection... is a nickel worth more than a penny? :-)

Don't worry about SQL injection attacks... I've taken care of all of that... I just didn't write it here... but thanks anyway :)

You haven't nested your parentheses correctly, but you don't need the VALUES() clause at all. I also suspect you have no error-reporting code to handle failures. Can we see the code that runs this?
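The thread makes two separate points, and the following added example (not code from the question or from either reply) shows both together. First, the question's `if(empty($errors))` can never be true: an array whose five keys hold empty strings is still a non-empty array, so the insert branch is skipped every time, which matches the "no error, no row" symptom. Second, the `INSERT ... SELECT ... FROM` form recommended above inserts exactly as many rows as the SELECT returns, so a generic drug name that matches nothing inserts zero rows without any error; the affected-row count is the only signal. The example uses PDO against an in-memory SQLite database so it runs offline (the question uses mysqli against MySQL; the SQL is identical there), binds every form value as a parameter instead of interpolating it, and reads the row count to tell "inserted" from "no match". Table and column names follow the question; the rows, and the `hasErrors` and `addBrandDrug` helpers, are constructed for this example.

```php
<?php
// Added example, not the question's or the answers' code. Assumes PHP 7.4+ with
// PDO and the pdo_sqlite extension; an in-memory SQLite database stands in for
// the MySQL schema named in the question. All rows below are constructed data.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
// Failures throw instead of quietly returning false, which the question's code
// never checked for (mysqli_error() was called on the query string, not a result).
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE generic_drug (id INTEGER PRIMARY KEY, generic_drug_name TEXT NOT NULL UNIQUE)');
$pdo->exec('CREATE TABLE brand_drug (
    id INTEGER PRIMARY KEY,
    drug_id INTEGER NOT NULL REFERENCES generic_drug(id),
    brand_drug_name TEXT NOT NULL, manufacturer TEXT, type TEXT, price REAL)');
$pdo->exec("INSERT INTO generic_drug (generic_drug_name) VALUES ('AMLODIPINE')"); // constructed row

// 1. The question initialises five error keys to '' and then tests empty($errors).
//    empty() on a non-empty array is always false, whatever the values hold, so the
//    insert branch never runs. Test the values, not the container.
function hasErrors(array $errors): bool
{
    return array_filter($errors, fn(string $e): bool => $e !== '') !== [];
}

// 2. INSERT ... SELECT ... FROM with every user-supplied value bound as a parameter:
//    the SQL text never contains form input, so quoting and escaping are not the
//    application's problem, and the driver keeps data and syntax apart.
function addBrandDrug(PDO $pdo, string $generic, string $brand, string $maker, string $type, float $price): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO brand_drug (drug_id, brand_drug_name, manufacturer, type, price)
         SELECT id, :brand, :maker, :type, :price
         FROM generic_drug
         WHERE generic_drug_name = :generic'
    );
    $stmt->execute([
        ':brand' => $brand, ':maker' => $maker, ':type' => $type,
        ':price' => $price, ':generic' => $generic,
    ]);
    // The statement inserts one row per row the SELECT returns. A count of 0 is
    // not an SQL error: the WHERE clause simply matched nothing. Surface it.
    return $stmt->rowCount();
}

$errors = ['generic_drug_nameErr' => '', 'brand_drug_nameErr' => ''];
printf("empty(\$errors)=%s hasErrors(\$errors)=%s\n",
    var_export(empty($errors), true), var_export(hasErrors($errors), true));

foreach ([
    ['AMLODIPINE', 'ZODIPINE', 'Zorex Pharma Pvt Ltd', 'Tablet', 10.0],  // generic_drug row exists
    ['LISINOPRIL', 'EXAMPLEPRIL', 'Example Pharma', 'Tablet', 12.5],     // no such generic_drug row
    ["AMLODIPINE' OR '1'='1", 'EVIL', 'Nobody', 'Tablet', 0.0],          // the quote is data, not SQL
] as [$generic, $brand, $maker, $type, $price]) {
    $n = addBrandDrug($pdo, $generic, $brand, $maker, $type, $price);
    echo $n === 1
        ? "inserted $brand\n"
        : "no generic drug named '$generic'; nothing inserted\n";
}
```

With mysqli the same statement is `mysqli_prepare($connection, $sql)` using `?` placeholders, `mysqli_stmt_bind_param($stmt, 'sssds', $brand, $maker, $type, $price, $generic)`, and `mysqli_stmt_affected_rows($stmt)` for the count; `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` makes failures throw rather than return false. When the count is 0, the WHERE clause found nothing; the question's code uppercases the name with `strtoupper()` before the lookup, so the first thing to compare is that value against what the generic_drug table actually stores. For completeness: MySQL does accept a scalar subquery inside VALUES as long as it does not read from the table being inserted into; the difference is that the VALUES form yields NULL for drug_id when nothing matches (and then fails on a NOT NULL or foreign-key constraint), whereas INSERT ... SELECT inserts nothing and says nothing, which is why the row count has to be checked with the latter.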