1. 首頁
  2. 問答
  3. 不能插入帶撇號的文本

不能插入帶撇號的文本

2017-09-03 87 views
0

如果文本有撇號,我無法從textarea插入文本,請先生的如何解決它。不能插入帶撇號的文本

這是我的整個代碼。我嘗試mysqli_real_escape_string,但它給出了一個錯誤。我嘗試mysqli_real_escape_string,但它給出了一個錯誤

<?php 

    session_start(); 

    $servername = "localhost"; 
    $username = "root"; 
    $password = ""; 
    $dbname = "srdatabase"; 

    $conn = new mysqli($servername, $username, $password, $dbname); 

    $speakerid = $_SESSION['speakerid']; 

    $speaker_info = "SELECT * FROM speakers WHERE id=$speakerid"; 
    $si_result = mysqli_query($conn, $speaker_info); 

    $array = mysqli_fetch_array($si_result); 
    $dbfullname = $array['speaker_fullname']; 
    $dbimage = $array['speaker_image']; 
    $dbspecialization = $array['speaker_specialization']; 
    $dbdescription = $array['speaker_description']; 
    $dbpaymentcost = $array['speaker_paymentcost']; 

?> 

<!DOCTYPE html> 
<html> 
<head> 
<title>Update Speaker</title> 
</head> 
<body> 

    <form action="updateSpeaker.php" method="post" enctype="multipart/form-data"> 
     <textarea name="description" class="inputbox" cols="60" rows="5" autofocus required="required" maxlength="2000" style="resize:none;" placeholder="Description"><?php echo htmlspecialchars($dbdescription);?></textarea> 
     <br> 
     <input name="update" id="buttonsubmit" type="submit" value="Update"> 
    </form> 

<?php 

    if(isset($_POST['update'])) 
    { 
     $newdescription = $_POST["description"]; 
     $finaldescription = $mysqli_real_escape_string($conn, $newdescription); 
     $update_data = "UPDATE speakers SET speaker_fullname = '".$_POST["fullname"]."', speaker_description = '$finaldescription', speaker_specialization = '".$_POST["specialization"]."', speaker_paymentcost = '".$_POST["paymentcost"]."' WHERE id=$speakerid"; 
     mysqli_query($conn, $update_data); 

    } 
?> 



</body> 
</html>

預處理語句:

$update_data = "UPDATE speakers SET speaker_fullname=?, speaker_description=?, speaker_specialization=?, speaker_paymentcost=? WHERE id=?"; 
$stmt = mysqli_prepare($conn, $update_data); 
mysqli_stmt_bind_param($stmt, 'ssssd', $_POST["fullname"], $finaldescription, $_POST["specialization"], $_POST["paymentcost"], $speakerid);

來源

2017-09-03 Red

+1

引用您在SQL查詢中使用的數據。 – user4035

+0

對不起,我試圖引用它,但沒有發生。或者我引用錯誤的 – Red

+1

重複問題的答案是否對您有幫助?那裏有代碼的例子。 – user4035

回答

1

您當前的代碼也混合OOP和程序基礎的功能,因此即使一旦你已經解決了原來的問題,它不會工作引用用戶輸入。

我已將您的代碼轉換爲PDO(未經測試),它應該指向正確的方向。希望能幫助到你。

<?php 
session_start(); 

// config holder 
$config = [ 
    'db' => [ 
     'host' => 'localhost', 
     'user' => 'root (DONT USE ROOT)', 
     'pass' => '', 
     'name' => 'srdatabase', 
    ]  
]; 

// connect to database 
try { 
    $db = new PDO(
     "mysql:host=" . $config['db']['host'] .";dbname=". $config['db']['name'], 
     $config['db']['user'], 
     $config['db']['pass'], 
     array(
      PDO::ATTR_EMULATE_PREPARES => false, 
      PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, 
      PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8', 
      PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, 
     ) 
    ); 
} catch (PDOException $e) { 
    exit('Could not connect to database.'); 
} 

// check id, though should be getting this from a $_GET 
if (empty($_SESSION['speakerid']) || !is_numeric($_SESSION['speakerid'])) { 
    exit('Invalid speaker id'); 
} 

// handle post 
if ($_SERVER['REQUEST_METHOD'] == 'POST') { 
    $errors = []; 

    // check or set inbound variables 
    $id = isset($_POST['id']) ? (int) $_POST['id'] : 0; 
    $description = isset($_POST['description']) ? $_POST['description'] : null; 

    // you could set errors here if there empty, but lets continue 
    /* 
    if (empty($description)) { 
     $errors['description'] = 'Description is a required field.'; 
    } 
    */ 

    if (
     empty($errors) && // check for no errors 
     !empty($id) && // not required if you checked above, check id is not empty 
     !empty($description) // not required if you checked above, check description is not empty 
    ) { 

     // prepare query for update, only want to update description 
     try { 
      $stmt = $db->prepare(' 
       UPDATE speakers 
       SET speaker_description = :description 
       WHERE id = :id 
      '); 
      // bind inbound variables to the query, then execute 
      $stmt->bindParam(':id', $id, PDO::PARAM_INT); 
      $stmt->bindParam(':description', $description, PDO::PARAM_STR); 
      $stmt->execute(); 
     } catch (PDOException $e) { 
      $errors['query'] = 'Error updating database: '.$e->getMessage(); 
     } 
    } 
} 

// select current row based upon the id 
$stmt = $db->prepare('SELECT * FROM speakers WHERE id = :id LIMIT 1'); 
$stmt->bindParam(':id', $_SESSION['speakerid'], PDO::PARAM_INT); 
$stmt->execute(); 

$result = $stmt->fetch(); 
/* would contain 
    $result['speaker_fullname']; 
    $result['speaker_image']; 
    $result['speaker_specialization']; 
    $result['speaker_description']; 
    $result['speaker_paymentcost']; 
*/ 
?> 

<!DOCTYPE html> 
<html> 
<head> 
    <title>Update Speaker</title> 
</head> 
<body> 
    <?php if (!empty($errors['query'])): ?> 
    <?= $errors['query'] ?> 
    <?php endif ?> 

    <form action="" method="post" enctype="multipart/form-data"> 
     <input type="hidden" name="id" value="<?= $_SESSION['speakerid'] ?>"> 

     <textarea name="description" class="inputbox" cols="60" rows="5" autofocus required="required" maxlength="2000" style="resize:none;" placeholder="Description"><?= htmlentities($result['speaker_description']) ?></textarea> 
     <?php if (!empty($errors['description'])): ?> 
     <span style="color:red"><?= $errors['description'] ?></span> 
     <?php endif ?> 

     <br> 
     <input name="update" id="buttonsubmit" type="submit" value="Update"> 
    </form> 
</body> 
</html>

來源

2017-09-03 11:13:32

相關問題

 相關問題