php 将html选择表单的值插入到mysql数据库中
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/22011735/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
insert value of html select form into mysql database
提问by Marc Ster
I want to insert the value of a selected 'select form' into my mysql database.
我想将选定的“选择表单”的值插入到我的 mysql 数据库中。
How can i get the right value of this?
我怎样才能得到这个正确的价值?
<form action='' method='post'>
<select name="myselectbox">
<option name="myoption1" value="myoption1">myoption1</option>
<option name="myoption2" value="myoption2">myoption2</option>
<option name="myoption3" value="myoption3">myoption3</option>
<option name="myoption4" value="myoption4">myoption4</option>
</select>
<input type='submit' value='submit'/>
</form>
something like that? (this one didn't work obviously..)
类似的东西?(这个显然不起作用..)
$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')";
采纳答案by Roo
you have to wrap your select tag into a form tag .
你必须将你的选择标签包装成一个表单标签。
<form action='' method='post'>
<select name="myselectbox">
<option name="myoption1" value="myoption1">myoption1</option>
<option name="myoption2" value="myoption2">myoption2</option>
<option name="myoption3" value="myoption3">myoption3</option>
<option name="myoption4" value="myoption4">myoption4</option>
</select>
<input type='submit' value='submit'/>
</form>
once you submit the form, you will get the post variable as $_POST['myselectbox']that could be appended into a mysql query as you have already did. but for a better way dont just append it like that but check the form is submitted and post variables are available or not before appending.
eg:
提交表单后,您将获得 post 变量,因为$_POST['myselectbox']它可以像您已经做的那样附加到 mysql 查询中。但是为了更好的方法,不要只是像那样附加它,而是在附加之前检查表单是否已提交以及 post 变量是否可用。例如:
if(!empty($_POST['myselectbox'])){
/*.. do your query section... */
}
回答by Rob Baillie
Assuming that your form is correct and it is posting the values that you want to your script.
假设您的表单是正确的,并且它将您想要的值发布到您的脚本中。
(You have sprinkled your code with echoto ensure this is the case?)
(你已经洒了你的代码echo以确保是这种情况?)
The simplest reliable way of sending the data into a SQL statement and therefore into mysql is to use prepared statements.
将数据发送到 SQL 语句并因此发送到 mysql 的最简单可靠的方法是使用准备好的语句。
Take a look here: http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
看看这里:http: //www.php.net/manual/en/mysqli.quickstart.prepared-statements.php
Basically you write the SQL statement without your variables in it (replaced with ?) and then tell mysql to execute the statements with your variables later. It avoids the need to escape strings and worry about how to build things up.
基本上,您编写的 SQL 语句中没有您的变量(替换为?),然后告诉 mysql 稍后使用您的变量执行语句。它避免了对字符串进行转义和担心如何构建事物的需要。
As an example, you might have:
例如,您可能有:
// Connect to mysql
$mysqli = new mysqli('where your server is', 'my_user', 'my_password', 'world');
// Build the initial statement - easier to read as you don't have your string concatenation here
$stmt = $mysqli->prepare( "INSERT INTO Entries (myoption1) VALUES (?)" );
// Tell mysql that the '?' should be replaced with the value in your post array
$stmt->bind_param( "s", $POST['myselectbox'] );
// Execute the statement
$stmt->execute()
Obviously you should add error handling too, but the documentation covers the basics of this.
显然您也应该添加错误处理,但文档涵盖了这一点的基础知识。
SQL Injection
SQL注入
The main reason why the use of prepared statements is a good idea is that it avoids SQL injection attacks.
使用准备好的语句是个好主意的主要原因是它可以避免 SQL 注入攻击。
There are other ways round, but in my mind this is the simplest solution.
还有其他方法,但在我看来,这是最简单的解决方案。
SQL Injection attacks are situations where someone attempts to change the SQL statement that is being run by "injecting" other SQL into your statement.
SQL 注入攻击是指有人试图通过将其他 SQL“注入”到您的语句中来更改正在运行的 SQL 语句的情况。
Using your code as an example, you may execute this statement:
以您的代码为例,您可以执行以下语句:
$sql = "INSERT INTO Entries (myoption1) VALUES ('". $_POST['myselectbox'] ."')";
Which would normally receive (let's suggest) something like myoption1.
通常会收到(让我们建议)类似myoption1.
This would result in the SQL being:
这将导致 SQL 为:
INSERT INTO Entries (myoption1) VALUES ('myoption1');
If someone decided to, they couldsend '='' OR '1'='1
如果有人决定,他们可以发送'='' OR '1'='1
This would result in the SQL being:
这将导致 SQL 为:
INSERT INTO Entries (myoption1) VALUES (''='' OR '1'='1');
Which is (obviously) very different.
这是(显然)非常不同的。
Or, even worse send '=')'; DROP TABLE Entries WHERE (''='
或者,更糟糕的是发送 '=')'; DROP TABLE Entries WHERE (''='
This would result in the SQL being:
这将导致 SQL 为:
INSERT INTO Entries (myoption1) VALUES (''=''); DROP TABLE Entries WHERE (''='');
Use Prepared Statements
使用准备好的语句
Simply put, but using prepared statements, you are telling mysql that what you are sending is a literal string to be used as a parameter. It can never be regarded as part of the statement itself and therefore the above is simply not possible.
简单地说,但是使用准备好的语句,您是在告诉 mysql 您发送的是一个用作参数的文字字符串。它永远不能被视为声明本身的一部分,因此上述内容根本不可能。
Much much safer.
安全多了。
I hope that makes it clearer. If you want more info I suggest you research it independently...
我希望这能让它更清楚。如果您想了解更多信息,我建议您独立研究...
回答by NoobEditor
you have error in your SQL command, $_POSTneeds html names to be wrapped in quotes like => $_POST['some_name']:
您的 SQL 命令中有错误,$_POST需要将 html 名称用引号括起来,例如 => $_POST['some_name']:
$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')";
/* ^^ missing quotes here*/
$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')";
/* ^^ missing quotes here*/
try it this way :
试试这样:
$sql = "INSERT INTO Entries (myoption1) VALUES (".$_POST['myselectbox'].")";
回答by Moeed Farooqui
$value = mysql_real_escape_string($_POST['myselectbox']);
$sql = "INSERT INTO Entries (myoption1) VALUES ($value)";
