使用JQuery將值插入到mySQL

Question

我是JQuery的新手，正在開發一個項目。這個項目不應該做任何事情，它更像是一個概念證明，所以我可以學習。到目前爲止，我有3個PHP文件，一個叫'connection.php'，它連接到我的本地mySQL DB。另一個叫做'save_score.php'，它將值保存到我的數據庫。最後，我有我的'test.php'文件，它創建了一些值，並使用JQuery將它們發送到'save_score.php'，將它們插入到我的數據庫中。

我的問題是'connection.php'正常工作。我可以在PHP中對INSERT INTO語句進行硬編碼，並將該查詢發送給我的數據庫以插入它。所以連接沒有問題。我還通過兩個echo語句測試了JQuery實際上是否將值發送到'save_score.php'，並且echo語句發回了我的測試值'Jeff'和'10'。但是，mySQL INSERT語句沒有工作的價值和查詢發送到我的數據庫。

所以在本質上，我已經投入「$店」應該做的伎倆的聲明，但它不是，我不知道爲什麼。

「save_score .PHP「：

<?php 
    include 'connection.php'; 

    $name  = $_POST['name']; 
    $score = $_POST['score']; 

    echo $name; 
    echo $score; 

    $store = "INSERT INTO `galleryscores` (`player_name`, `player_score`) VALUES ($name, $score)"; 

    $mysqli->query($store); 

    echo "done"; 
?> 

'connection.php'：

<?php 
    $servername = "localhost"; 
    $username = "root"; 
    $password = ""; 
    $dbname = "cs301"; 

    // Create connection 
    $mysqli = new mysqli($servername, $username, $password, $dbname); 
    // Check connection 
    if ($mysqli->connect_error) { 
    die("Connection failed: " . $mysqli->connect_error); 
} 

「test.php的」：

<html> 

<head> 
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script> 
    <link rel="stylesheet" href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/themes/smoothness/jquery-ui.css"> 
    <script src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script> 

    <script type="text/javascript"> 
    var you = 's'; 
    var you_score = 10; 

    $.post("save_score.php", { 
     name: you, 
     score: you_score 
     }) 
     .done(function(data) { 
     alert("Data Loaded: " + data); 
     }); 
    </script> 
</head> 

<body> 
</body> 

</html> 

Answer 1

下面是如何應PDO

$dbh = new PDO('mysql:dbname=cs301;host=localhost', $username, $password); 

$stmt = $dbh->prepare('INSERT INTO `galleryscores` (`player_name`, `player_score`) VALUES (:player_name, :player_score)'); 

$stmt->execute(array('player_name' => $_POST['name'], 'player_score' => $_POST['score'])); 

Answer 2

試着改變你的插入查詢到該

$store = "INSERT INTO `galleryscores` (`player_name`, `player_score`) VALUES ('".$name."', '".$score."')"; 

爲了要插入的價值，他們應該爲字符串查詢傳遞。最終，你傳遞一個字符串來執行。

EDITED 正如馬特所說的，你應該總是試着去阻止SQL注入。下面說明如何做到這一點：

$query = $mysqli->prepare("INSERT INTO `galleryscores` (`player_name`, `player_score`) VALUES (?, ?)"); 
$query->bind_param("si", $name, $score);// 's' represents the corresponding variable type is String 
$query->excecute(); 

bind_param documentation

Answer 3

做雖然我們是在它。如何使用MySQLi完成：D - 具有錯誤處理功能

$mysqli = new mysqli($host, $user, $pass, $db); 

if($mysqli->connect_error) 
    die('Connect Error (' . $mysqli->connect_errno . ') '. $mysqli->connect_error); 

if ($stmt = $mysqli->prepare("INSERT INTO `galleryscores` (`player_name`, `player_score`) VALUES (?, ?)")) 
{ 
    // Bind the values in order to the ?'s or log error 
    // Assuming Name is a string and score is always an int 
    if(!$stmt->bind_param("si", $name, $score)) 
    { 
     die('bind_param() failed: ' . htmlspecialchars($stmt->error)); 
    } 

    // Execute the completed sql command or log error 
    if (!$stmt->execute()) 
    { 
     die('execute() failed: ' . htmlspecialchars($stmt->error)); 
    } 

    $stmt->close(); // Close the database connection 
} 
else 
{ 
    die('prepare() failed: ' . htmlspecialchars($mysqli->error)); 
}