2012-09-25 156 views
1

我正在開發一個計費系統,現在它非常基本,但我想知道您是否可以幫助我使用我的代碼。如何將HTML表單中的數據插入到MySQL數據庫中?我的代碼:如何將HTML表單插入到MySQL數據庫中?

<?php 

if (isset($_POST['submitted'])) { 

    include('connect-mysql.php'); 

    $date = $_POST['date']; 
    $charge = $_POST['charge']; 
    $payment = $_POST['payment']; 
    $client_no = $_POST['client_no']; 
    $client_name = $_POST['client_name']; 
    $check_no = $_POST['check_no']; 
    $check = $_POST['check']; 
    $cash = $_POST['cash']; 
    $notes = $_POST['notes']; 
    $staff_initials = $_POST['staff_initials']; 
    $sqlinsert = "INSERT INTO payments (date, charge, payment, client_no, client_name, check_no, check, cash, notes, staff_initials) VALUES ('$date', '$charge', 'payment', '$client_no', '$client_name', '$check_no', '$check', '$cash', '$notes', '$staff_initials')"; 

    if (!mysqli_query($dbcon, $sqlinsert)) { 
     die('There was an error when trying to process your payment. Please contact technical support.'); 
    } //end of nested if statement 

} // end of the main if statement 
?> 

<html> 
<head> 
    <title>New Payment</title> 
</head> 
<body> 
<h1>Please Input Payment Details</h1> 
<form action="new_payment.php" method="POST"> 
<input type="hidden" name="submitted" value="true" /> 
<fieldset> 
    <legend>New Payment</legend> 
    <label>Date:<input type="text" name="date" /></label><br> 
    <label>Today's Charge: <input type="text" name="charge" /></label><br> 
    <label>Today's Payment: <input type="text" name="payment" /></label><br> 
    <label>Client Number: <input type="text" name="client_no" /></label><br> 
    <label>Client Name: <input type="text" name="client_name" /></label><br> 
    <label>Check Number: <input type="text" name="check_no" /></label><br> 
    <label>Check: <input type="text" name="check" /></label><br> 
    <label>Cash: <input type="text" name="cash" /></label><br> 
    <label>Notes: <input type="text" name="notes" /></label><br> 
    <label>Staff Initials: <input type="text" name="staff_initials" /></label><br> 
</fieldset> 
<br /> 
<input type="submit" value="Process Payment"> 
</form> 
</body> 
</html> 

請幫助我,這是非常重要的,我完成這個及時...

+3

你的代碼有什麼問題?它可能行不通,但你並沒有真正解釋清楚問題。 –

+4

使用準備好的查詢來隔離查詢中的數據至關重要。就目前而言,你已經**開放**到SQL注入,如果你還沒有註冊,你將被黑客入侵。 – Brad

+0

你打算使用MySQL還是MySQLi? – balaphp

回答

-1

如果在插入到數據庫中有問題,你應該改變

$sqlinsert = "INSERT INTO payments (date, charge, payment, client_no, client_name, check_no, check, cash, notes, staff_initials) VALUES ('$date', '$charge', 'payment', '$client_no', '$client_name', '$check_no', '$check', '$cash', '$notes', '$staff_initials')"; 

$sqlinsert = "INSERT INTO payments (date, charge, payment, client_no, client_name, check_no, check, cash, notes, staff_initials) VALUES ('$date', '$charge', '$payment', '$client_no', '$client_name', '$check_no', '$check', '$cash', '$notes', '$staff_initials')"; 

你忘了把$付款前在插入值

+0

雖然這可能直接回答問題它並不是一個正確的答案,因爲它沒有解決其他代碼中SQL注入的極端漏洞。 –

0

我不知道,但我認爲你應該改變

if (isset($_POST['submitted'])) 

if (isset($_POST['submit'])) 

<input type="submit" value="Process Payment"> 

<input type="submit" name="submit" id="submit" value="Process Payment"> 

和PU在INSERT命令支付

$sqlinsert = "INSERT INTO payments (date, charge, payment, client_no, client_name, check_no, check, cash, notes, staff_initials) VALUES ('$date', '$charge', '$payment', '$client_no', '$client_name', '$check_no', '$check', '$cash', '$notes', '$staff_initials')"; 
+1

使用'name =「submit」'不是一個好主意,以防萬一您可能以後嘗試使用jQuery - 與jQuery方法有衝突。 – Barmar

2

第一個錯誤T $: -

if (isset($_POST['submitted'])) 

<input type="submit" value="Process Payment"> 

改成這樣: -

if($_POST['process'] == 'Process Payment') 
<input name="process" type="submit" id="process" value="Process Payment"> 

你可以用這個來代替(防止SQL注入):

// CONNECTION TO DATABASE 

$mysqli = new mysqli('HOST','USERNAME','PASSWORD','DATABASE'); 

// CHECK CONNECTION 

/* check connection */ 
if (mysqli_connect_errno()) { 
    printf("Connect failed: %s\n", mysqli_connect_error()); 
    exit(); 
}   

$sqlinsert = "INSERT INTO payments (date, charge, payment, client_no, client_name, check_no, check, cash, notes, staff_initials) VALUES (?,?,?,?,?,?,?,?,?,?)"; 

$stmt = $mysqli->prepare($sqlinsert); 

    $date = $_POST['date']; 
    $charge = $_POST['charge']; 
    $payment = $_POST['payment']; 
    $client_no = $_POST['client_no']; 
    $client_name = $_POST['client_name']; 
    $check_no = $_POST['check_no']; 
    $check = $_POST['check']; 
    $cash = $_POST['cash']; 
    $notes = $_POST['notes']; 
    $staff_initials = $_POST['staff_initials']; 

$stmt->bind_param("ssssssssss",$date, $charge, $payment, $client_no, $client_name, $check_no, $check, $cash, $notes, $staff_initials); 

//EXECUTE QUERY 
$stmt->execute(); 

$rowcount = $stmt->affected_rows; 


if ($rowcount > 0) 
{ 
echo "Success!"; 
} 

else 
{ 
echo "Error!"; 
} 

//CLOSE EXECUTE 
$stmt->close(); 
+1

缺少'$ mysqli'變量的初始化。 '$ mysqli = new mysqli(「localhost」,「username」,「password」,「database」);' –

+0

對不起,謝謝提醒。更新。 – Furry

+0

如果您的問題已解決,請勾選正確的答案。 – Furry

相關問題