使用XAMPP時，爲什麼使用PHP存儲爲$ _POST ['name']的詳細信息？

Question

<table rows="5" cols="2" cellspacing="20%" > 
<form method="POST" action="<?php $_PHP_SELF ?>">//form for username password 
<?php 

$conn = mysqli_connect("localhost","root","","web"); 
if(! $conn) 
{ 
    die('Could not connect: ' . mysqli_error()); 
} 
if(isset($_POST['uname'])){ $usname = $_POST['uname']; }//variable assigned 
if(isset($_POST['pwd'])){ $pswd = $_POST['pwd']; }  // variable assigned 

// variable @_post['pwd"] is saved in the db instead of that data 

mysqli_query($conn,"INSERT INTO `login`(`username`, `password`) VALUES ('$usname','$pswd')"); 

echo "Entered data successfully\n"; 
mysqli_close($conn);// php close 

?> 

<tr> //table row 
<td >Username</td> 
<td><input type="text" name="uname" ></td> 
</tr> 
// table row is given 
<tr> 
    <td >Password</td> 
//password label is specified 
    <td><input type="password" name="pwd"></td> 
</tr> 
<tr> 
    <td><input type="button" name="sign" value="sign in" onclick="validate()" > </td> 
// table date 


</form> //form close tag 
</table> 

Answer 1

瞭解逃脫引號如果沒有，他們分開是這樣的：

mysqli_query($conn,"INSERT INTO `login`(`username`, `password`) VALUES (".$usname.",".$pswd.")"); 

Answer 2

它不XAMPP這樣做，就是Apache。處理您的請求的服務器。 Apache的，就像其他的服務器如Windows IIS，Nginx的，等等。需要遵循此處指定的所有方法的定義：

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

而且你的代碼是在mysql_ *函數寫爲不安全。如果您要使用MySQLI或PDO，請使用參數化查詢正確執行此操作。如果不是至少逃脫他們：

if(isset($_POST['uname'])){ $usname = mysqli_real_escape_string($conn, $_POST['uname']); }//variable assigned 
if(isset($_POST['pwd'])){ $pswd = mysqli_real_escape_string($conn, $_POST['pwd']); }  // variable assigned