2012-09-26 94 views
2

請告訴我我的代碼有什麼問題!!!!如何從HTML表單插入數據到MySQL

新payment.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<title>Process New Payment</title> 
</head> 

<body> 
<h1>Please Input Payment Details</h1> 
<fieldset> 
    <legend>New Payment</legend> 
    <form action="process-payment.php" method="post" /> 
<table> 
<tr> 
<td>Date:</td><td><input type="date" name="date" /><br /></td> 
</tr> 
<tr> 
<td>Today's Charge:</td><td><input type="text" name="charge" /><br /></td> 
</tr> 
<tr> 
<td>Today's Payment:</td><td><input type="text" name="payment" /><br /></td> 
</tr> 
<tr> 
<td>Client Number:</td><td><input type="text" name="client_no" /><br /></td> 
</tr> 
<tr> 
<td>Client Name:</td><td><input type="text" name="client_name" /><br /></td> 
</tr> 
<tr> 
<td>Check Number:</td><td><input type="text" name="check_no" /><br /></td> 
</tr> 
<tr> 
<td>Check Amount:</td><td><input type="text" name="check" /><br /></td> 
</tr> 
<tr> 
<td>Cash Amount:</td><td><input type="text" name="cash" /><br /></td> 
</tr> 
<tr> 
<td>Notes:</td><td><input type="text" name="notes" /><br /></td> 
</tr> 
<tr> 
<td>Staff Initials:</td><td><input type="text" name="staff_initials" /><br /></td> 
</tr> 
</table> 
<input type="submit" value="Process Payment"> 
    </form> 
</fieldset> 
<br /> 
</body> 
</html> 

過程payment.php

<?php 

define('DB_NAME', 'DBNAME'); 
define('DB_USER', 'USERNAME'); 
define('DB_PASS', ''); 
define('DB_HOST', 'localhost'); 

$link = mysql_connect(DB_HOST, DB_USER, DB_PASS); 

if (!$link) { 
    dir('There was a problem when trying to connect to the host. Please contact Tech Support. Error: ' . mysql_error());  
} 

$db_selected = mysql_select_db(DB_NAME, $link); 

if (!$link) { 
    dir('There was a problem when trying to connect to the database. Please contact Tech Support. Error: ' . mysql_error());  
} 

$date = $_POST['date']; 
$charge = $_POST['charge']; 
$payment = $_POST['payment']; 
$client_no = $_POST['client_no']; 
$client_name = $_POST['client_name']; 
$check_no = $_POST['check_no']; 
$check = $_POST['check']; 
$cash = $_POST['cash']; 
$notes = $_POST['notes']; 
$staff_initials = $_POST['staff_initials']; 

$sql = "INSERT INTO payments (date, charge, payment, client_no, client_name, check_no, check, cash, notes, staff_initials) VALUES ('$date', '$charge', '$payment', '$client_no', '$client_name', '$check_no', '$check', '$cash', '$notes', '$staff_initials')"; 

if (!mysql_query($sql)) { 
    die('Error: ' . mysql_error()); 
} 

?> 

我不知道什麼是錯的,但我得到一個錯誤,當我按進程付款:

Error: You have an error in your SQL syntax; check the manual that corresponds to your >MySQL server version for the right syntax to use near 'check, cash, notes, staff_initials) >VALUES ('2012-09-24', '$0.00', '$20.00', '46' at line 1

+0

如果'$ 20.00'被設置爲數據庫中的整數,它將無法工作。讓我們看看你的數據庫。 – wesside

+0

可能的重複:http://stackoverflow.com/questions/12575444/how-do-i-insert-an-html-form-into-a-mysql-database/12575726 – Furry

+0

可能的重複[如何插入HTML形成一個MySQL數據庫?](http://stackoverflow.com/questions/12575444/how-do-i-insert-an-html-form-into-a-mysql-database) – Alice

回答

1

CHECKMySQL reserved keyword。您必須將其放在反引號中以將其用作列或表格標識符。

$sql = "INSERT INTO payments (date, charge, payment, client_no, client_name, check_no, `check`, cash, notes, staff_initials) VALUES ('$date', '$charge', '$payment', '$client_no', '$client_name', '$check_no', '$check', '$cash', '$notes', '$staff_initials')"; 

請注意,您的腳本容易受到SQL注入攻擊。至少,您必須在每個輸入變量上調用mysql_real_escape_string()

// As in: 
$charge = mysql_real_escape_string($_POST['charge']); 
+1

好抓bro。 – wesside

+0

非常感謝!大聲笑 –

1

變化

$sql = "INSERT INTO payments (date, charge, payment, client_no, client_name, check_no, check, cash, notes, staff_initials) VALUES ('$date', '$charge', '$payment', '$client_no', '$client_name', '$check_no', '$check', '$cash', '$notes', '$staff_initials')"; 

$sql = "INSERT INTO payments (date, charge, payment, client_no, client_name, check_no, check, cash, notes, staff_initials) VALUES ('".$date."', '".$charge."', '".$payment."', '".$client_no."', '".$client_name."', '".$check_no."', '".$check."', '".$cash."', '".$notes."', '".$staff_initials."')"; 

它可以支付查找MySQL的PDO,而不是使用您所使用的折舊連接代碼。

+0

沒有必要。只要變量被轉義,雙引號的外部字符串就會正確插入內部引號中的變量。 –

+0

真的!你每天都會學到新東西哈哈:) – Chris

+0

看PDO實施的這個答案http://security.stackexchange.com/questions/34655/is-there-any-sql-injection-for-this-php-login-example/34668#34668 – David

0

嘗試回顯所有元素,並查看是否有些變量可能爲空或空或不是。

我有同樣的錯誤。我通過這種方式解決了