0

重複の可能性:
PHP SQL フォームの挿入

入力を受け取り、テーブルに挿入するフォームを作成しました。テーブル「employee」に値を挿入する代わりに、パスワードのみを挿入します。それもデータベース管理者の。何をすべきか??他のフィールドは空白のままです。どんな助けでも素晴らしいでしょう。

<?php
    //include the connection file

    require_once('connection.php');
    require_once("validation.php");

    if( isset($_POST['send']) && (!validateName($_POST['name']) || !validateEmail($_POST['email']) || !validatePasswords($_POST['pass1'], $_POST['pass2']) || !validateContact($_POST['contact']) || !validateAge($_POST['age'])) ):?>
                <div id="error">    
                    <ul>
                        <?php if(!validateName($_POST['name'])):?>
                            <li><strong>Invalid Name:</strong> We want names with more than 3 letters.</li>
                        <?php endif?>
                        <?php if(!validateEmail($_POST['email'])):?>
                            <li><strong>Invalid E-mail:</strong> Type a valid e-mail please.</li>
                        <?php endif?>
                        <?php if(!validatePasswords($_POST['pass1'], $_POST['pass2'])):?>
                            <li><strong>Passwords are invalid:</strong> Passwords doesnt match or are invalid!</li>
                        <?php endif?>
                        <?php if(!validateContact($_POST['contact'])):?>
                            <li><strong>Please enter your contact number.</strong></li>
                        <?php endif?>
                        <?php if(!validateAge($_POST['age'])):?>
                            <li><strong>Please enter your age</strong></li>
                        <?php endif?>
                        </ul>
                </div>
            <?php elseif(isset($_POST['send'])):?>
                <div id="error" class="valid">
                    <ul>
                    <?php $query = "INSERT INTO employee (name, password, email, contact, age, gender, location, skill) VALUES ";                           
                    $query .= "('$name', '$password', '$email','$contact','$age','$gender','$location','$skill')";
                    // run the query
                    mysql_query($query);?>
                        <li><strong>Congratulations!</strong> All fields are OK ;)</li>
                    </ul>
                </div>
        <?php endif?>
4

2 に答える 2

1

重複した質問...ここに答えがあります:

私はあなたのために完全なコードを書きました:

<form action="<?php echo $editFormAction; ?>" method="post" name="form1" id="form1">
  <table align="center">
  <tr valign="baseline">
  <td nowrap="nowrap" align="right">Name:</td>
  <td><input type="text" name="name" value="" size="32" /></td>
</tr>
<tr valign="baseline">
  <td nowrap="nowrap" align="right">Email:</td>
  <td><input type="text" name="email" value="" size="32" /></td>
</tr>
<tr valign="baseline">
  <td nowrap="nowrap" align="right">Pass1:</td>
  <td><input type="text" name="pass1" value="" size="32" /></td>
</tr>
<tr valign="baseline">
  <td nowrap="nowrap" align="right">Contact:</td>
  <td><input type="text" name="contact" value="" size="32" /></td>
</tr>
<tr valign="baseline">
  <td nowrap="nowrap" align="right">Age:</td>
  <td><input type="text" name="age" value="" size="32" /></td>
</tr>
<tr valign="baseline">
  <td nowrap="nowrap" align="right">&nbsp;</td>
  <td><input type="submit" value="Insert record" /></td>
</tr>
</table>
<input type="hidden" name="id" value="" />
<input type="hidden" name="MM_insert" value="form1" />
</form>
<p>&nbsp;</p>
<?php require_once('../../../Connections/yourconnection.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}

$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

switch ($theType) {
case "text":
  $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
  break;    
case "long":
case "int":
  $theValue = ($theValue != "") ? intval($theValue) : "NULL";
  break;
case "double":
  $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
  break;
case "date":
  $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
  break;
case "defined":
  $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
  break;
}
return $theValue;
}
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
$editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
$insertSQL = sprintf("INSERT INTO employee (id, name, email, pass1, contact, age) VALUES (%s, %s, %s, %s, %s, %s)",
                   GetSQLValueString($_POST['id'], "int"),
                   GetSQLValueString($_POST['name'], "text"),
                   GetSQLValueString($_POST['email'], "text"),
                   GetSQLValueString($_POST['pass1'], "text"),
                   GetSQLValueString($_POST['contact'], "text"),
                   GetSQLValueString($_POST['age'], "text"));

mysql_select_db($database_yourdatabase, $databasename);
$Result1 = mysql_query($insertSQL, $databasename) or die(mysql_error());

$insertGoTo = "sucess.php";
if (isset($_SERVER['QUERY_STRING'])) {
$insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
$insertGoTo .= $_SERVER['QUERY_STRING'];
}
header(sprintf("Location: %s", $insertGoTo));
}

mysql_select_db($database_yourdatabase, $databasename);
$query_query = "SELECT * FROM employee";
$query = mysql_query($query_query, $databasename) or die(mysql_error());
$row_query = mysql_fetch_assoc($query);
$totalRows_query = mysql_num_rows($query);

mysql_free_result($query);
?>

それが役に立てば幸い!

于 2012-06-01T05:23:16.053 に答える
0

これを試してみると、SQL インジェクションを防ぐために mysql_real_escape_string を使用する必要があります...

   <?php
      //include the connection file

      require_once('connection.php');
      require_once("validation.php");

if( isset($_POST['send']) && (!validateName($_POST['name']) || !validateEmail($_POST['email']) || !validatePasswords($_POST['pass1'], $_POST['pass2']) || !validateContact($_POST['contact']) || !validateAge($_POST['age'])) ):?>
            <div id="error">    
                <ul>
                    <?php if(!validateName($_POST['name'])):?>
                        <li><strong>Invalid Name:</strong> We want names with more than 3 letters.</li>
                    <?php endif?>
                    <?php if(!validateEmail($_POST['email'])):?>
                        <li><strong>Invalid E-mail:</strong> Type a valid e-mail please.</li>
                    <?php endif?>
                    <?php if(!validatePasswords($_POST['pass1'], $_POST['pass2'])):?>
                        <li><strong>Passwords are invalid:</strong> Passwords doesnt match or are invalid!</li>
                    <?php endif?>
                    <?php if(!validateContact($_POST['contact'])):?>
                        <li><strong>Please enter your contact number.</strong></li>
                    <?php endif?>
                    <?php if(!validateAge($_POST['age'])):?>
                        <li><strong>Please enter your age</strong></li>
                    <?php endif?>
                    </ul>
            </div>
        <?php elseif(isset($_POST['send'])):?>
            <div id="error" class="valid">
                <ul>
                <?php $query = "INSERT INTO employee (name, password, email, contact, age, gender, location, skill) VALUES ";                           
                $query .= "('".$_POST['name']."', '".$_POST['pass1']."', '".$_POST['email']."','".$_POST['contact']."','".$_POST['age']."','".$_POST['gender']."','".$_POST['location']."','".$_POST['location']."')";
                // run the query
                mysql_query($query);?>
                    <li><strong>Congratulations!</strong> All fields are OK ;)</li>
                </ul>
            </div>
    <?php endif?>
于 2012-06-01T05:27:30.433 に答える