用PHP添加新的MySQL表行不工作[英] adding new mySQL table row with PHP doesn't work

本文是小编为大家收集整理的关于用PHP添加新的MySQL表行不工作的处理/解决方法,可以参考本文帮助大家快速定位并解决问题,中文翻译不准确的可切换到English标签页查看源文。

问题描述

我有一个小表格:

<form id="plannerform" action="save.php" method="post">
    <input id="plannername" placeholder=" " type="text" autocomplete="off" name="plannername">
    <input id="plannersubmit" type="submit" value="eintragen">
</form>

如你所见,文本输入上有 action="save.php" 和 method="post" 有 name="plannername".

这就是我的 php:

$con = mysql_connect("myHost","myUser","myPW");
if (!$con)
{
  die('Could not connect: ' . mysql_error());
}

mysql_select_db("myDB", $con);

$sql="INSERT INTO anmeldungen (FR_PM)
VALUES ('$_POST[plannername]')";

if (!mysql_query($sql,$con))
{
  die('Error: ' . mysql_error());
}
echo "1 record added";

FR_PM 是我表的一列.但是当我按下提交时,甚至没有创建一个新行.没发生什么事.但是当我用"mywebsite.com/save.php"调用我的 php 时,它会在我的表中添加一个新行(在"FR_PM"处没有值,这很明显)

我做错了什么?

推荐答案

如果你是初学者,你需要学习的东西之一,你应该尽量避免使用 mysql_* 函数,这是贬值的并且不再支持 php.而是将 mysqli_* 与准备好的语句一起使用,或者使用 PDO 准备好的语句.

准备好的语句使您的代码看起来干净且易于调试.

这是您使用准备好的语句的示例.

<form id="plannerform" action="save.php" method="post">
    <input id="plannername" placeholder=" " type="text" autocomplete="off" name="plannername">
    <input id="plannersubmit" type="submit" value="eintragen" name="submit">
 </form>

save.php

<?php
$servername = "localhost";
$username   = "root";
$password   = "";
$dbname     = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

if (isset($_POST['submit'])) {

    if (empty($_POST['plannername'])) {

        die("Enter plannername");
    } else {
        // prepare and bind
        $stmt = $conn->prepare("INSERT INTO anmeldungen (FR_PM) VALUES (?)");
        $stmt->bind_param("s", $_POST['plannername']);

        if ($stmt->execute()) {

            echo "New records created successfully";

        } else {

            echo "Could not insert record";
        }

        $stmt->close();

    }
}
?>

我使用预处理语句的原因:

  • 准备好的语句减少了解析时间,因为在查询只执行一次(尽管该语句被执行多次次)
  • 绑定参数根据您的需要最小化到服务器的带宽发送每次只有参数,而不是整个查询
  • 准备好的语句对 SQL 注入非常有用,因为参数值,稍后使用不同的方式传输协议,不需要正确转义.如果原来的说法模板不是从外部输入派生的,SQL注入不能发生.
<块引用>

但是当我用"mywebsite.com/save.php"调用我的 php 时,它会添加一个新行在我的表中(在"FR_PM"处没有值,这很明显)

我做错了什么?

请务必防止这种情况发生,您需要先检查表单是否已提交,然后才能实际处理任何事情.

<块引用>

注意:如果我们要插入来自外部来源的任何数据(例如用户从表单输入),那么对数据进行清理非常重要并经过验证.始终将来自表单的输入视为来自非常危险的黑客

本文地址:https://www.itbaoku.cn/post/597322.html

问题描述

I got a little form:

<form id="plannerform" action="save.php" method="post">
    <input id="plannername" placeholder=" " type="text" autocomplete="off" name="plannername">
    <input id="plannersubmit" type="submit" value="eintragen">
</form>

As you can see there is the action="save.php" and method="post" on the text-input there is name="plannername".

And thats my php:

$con = mysql_connect("myHost","myUser","myPW");
if (!$con)
{
  die('Could not connect: ' . mysql_error());
}

mysql_select_db("myDB", $con);

$sql="INSERT INTO anmeldungen (FR_PM)
VALUES ('$_POST[plannername]')";

if (!mysql_query($sql,$con))
{
  die('Error: ' . mysql_error());
}
echo "1 record added";

The FR_PM is one column of my table. But when I press submit, not even a new row gets created. Nothing happens. But when I call my php with "mywebsite.com/save.php" it adds a new row in my table (with no value at "FR_PM", what's pretty obvious)

What do I do wrong?

推荐答案

one of the things that you need to learn if you are a beginner, you should try by all means to stay away from using mysql_* function this is depreciated and its no longer supported in php. instead use mysqli_* with prepared statements, or use PDO prepared statements.

prepared statments make you code looks clean and its easy to debug.

this is you example with prepared statements.

<form id="plannerform" action="save.php" method="post">
    <input id="plannername" placeholder=" " type="text" autocomplete="off" name="plannername">
    <input id="plannersubmit" type="submit" value="eintragen" name="submit">
 </form>

save.php

<?php
$servername = "localhost";
$username   = "root";
$password   = "";
$dbname     = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

if (isset($_POST['submit'])) {

    if (empty($_POST['plannername'])) {

        die("Enter plannername");
    } else {
        // prepare and bind
        $stmt = $conn->prepare("INSERT INTO anmeldungen (FR_PM) VALUES (?)");
        $stmt->bind_param("s", $_POST['plannername']);

        if ($stmt->execute()) {

            echo "New records created successfully";

        } else {

            echo "Could not insert record";
        }

        $stmt->close();

    }
}
?>

The reason I used prepared statements :

  • Prepared statements reduces parsing time as the preparation on the query is done only once (although the statement is executed multiple times)
  • Bound parameters minimize bandwidth to the server as you need send only the parameters each time, and not the whole query
  • Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.

But when I call my php with "mywebsite.com/save.php" it adds a new row in my table (with no value at "FR_PM", what's pretty obvious)

What do I do wrong?

Well do prevent that from happening you need to check if the form was submitted before you can actual process any thing.

Note: If we want to insert any data from external sources (like user input from a form ), it is very important that the data is sanitized and validated. always treat input from a form as if its from a very dangerous hacker