I'm working on a project built on database fields like these. The registration form is generated by the following function:
function generateForm() {
    $db = new mysqli('localhost', 'root', 'toor', 'hybrid_offline_reg');
    // Read the column list of the table chosen earlier in the session
    $query = $db->query('DESCRIBE `' . $_SESSION['tableName'] . '`');
    $fields = array();
    $types = array();
    while ($row = $query->fetch_assoc()) {
        $fields[] = $row['Field'];
        $types[] = $row['Type'];
    }
    echo "<form method='post' action='successpage.php' align='center'>
    <table align='center'>";
    foreach ($fields as $key => $field) {
        $type = $types[$key];
        echo "<tr>";
        switch ($field) {
            case "FNAME":
                echo "<td>First Name</td><td>:</td>
                <td><input type='text' name='FNAME' size=30></td>";
                break;
            case "MNAME":
                echo "<td>Middle Name</td><td>:</td>
                <td><input type='text' name='MNAME' size=30></td>";
                break;
            case "LNAME":
                echo "<td>Last Name</td><td>:</td>
                <td><input type='text' name='LNAME' size=30></td>";
                break;
        }
        // Close the row after the switch (inside the switch it was unreachable)
        echo "</tr>";
    }
    echo "</table><br>
    <input type='submit' name='submitForm' value=' Submit '>
    <input type='reset' name='resetForm' value=' Clear '>
    </form>";
}
And in successpage.php, this is what it looks like so far:
session_start();
$db = new mysqli('localhost', 'root', 'toor', 'hybrid_offline_reg');
$query = $db->query('DESCRIBE `' . $_SESSION['tableName'] . '`');
// First pass: the column list, skipping the columns the database fills itself
$insert_sql = "INSERT INTO `" . $_SESSION['tableName'] . "`(";
while ($row = $query->fetch_assoc()) {
    $f = $row['Field'];
    switch ($f) {
        case "USER_ID":
        case "DATE_CREATED":
            break;
        default:
            $insert_sql .= "`$f`,";
            break;
    }
}
$insert_sql = substr_replace($insert_sql, "", -1);  // drop the trailing comma
$insert_sql .= ") VALUES (";
// Second pass: one value per column, taken from the posted form
$query = $db->query('DESCRIBE `' . $_SESSION['tableName'] . '`');
while ($row = $query->fetch_assoc()) {
    $i = $row['Field'];
    switch ($i) {
        case "USER_ID":
        case "DATE_CREATED":
            break;
        default:
            // This is the line the question is about: single quotes do not
            // interpolate, so it appends the literal text `$_POST["FNAME"]`
            $insert_sql .= '`$_POST["' . $i . '"]`,';
            break;
    }
}
$insert_sql = substr_replace($insert_sql, "", -1);
$insert_sql .= ")";
$res = $db->query($insert_sql);  // $db is a mysqli object, so mysql_query() cannot be used here
echo "Successfully registered!";
But obviously $insert_sql .= '`$_POST["' . $i . '"]`,'; is not correct, because $_POST should not be a string here, since I'm trying to get its value. At the same time I'm trying to make the name of the $_POST key depend on $i.
Help, anyone? D: Thanks in advance!
I used $insert_sql .= "'" . mysqli_real_escape_string($db, $_POST[$i]) . "',"; since "'" wasn't accepted, it needs two parameters. Oh, and the query part was also fixed. Thank you very much for the help, and yes, I'll read up on SQL injection. :) – Suika 2014-10-02 06:03:12
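The question's successpage.php concatenates both the session-supplied table name and the posted values straight into the SQL text. The version below is an added example written for this page, not the original poster's code and not the accepted fix; it keeps the question's structure (DESCRIBE to discover the columns, skipping USER_ID and DATE_CREATED) but sends the values through a prepared statement and checks the table name against a whitelist. The connection details and the session key 'tableName' are taken from the question; the whitelisted table name is an assumption.

```php
<?php
// Hardened successpage.php. Added example, not the original poster's code.
// Assumes the question's mysqli connection and $_SESSION['tableName'];
// the whitelist entry below is an assumed table name.
session_start();

// A session value is still data: check it against a fixed list of tables
// this form is allowed to insert into instead of interpolating it.
$allowedTables = array('hybrid_offline_reg_2014');   // assumption
$tableName = isset($_SESSION['tableName']) ? $_SESSION['tableName'] : '';
if (!in_array($tableName, $allowedTables, true)) {
    http_response_code(400);
    exit('Unknown registration table');
}

$db = new mysqli('localhost', 'root', 'toor', 'hybrid_offline_reg');
if ($db->connect_error) {
    error_log('DB connect failed: ' . $db->connect_error);
    http_response_code(500);
    exit('Registration is temporarily unavailable');
}

// Columns come from DESCRIBE, as in the question, minus the ones the
// database fills itself. Identifiers are backtick-quoted and embedded
// backticks doubled, which is MySQL's identifier escaping.
$skip    = array('USER_ID', 'DATE_CREATED');
$columns = array();
$values  = array();
$res = $db->query('DESCRIBE `' . str_replace('`', '``', $tableName) . '`');
while ($row = $res->fetch_assoc()) {
    $field = $row['Field'];
    if (in_array($field, $skip, true)) {
        continue;
    }
    $columns[] = '`' . str_replace('`', '``', $field) . '`';
    // A field the form did not post becomes NULL, not an empty string
    $values[]  = isset($_POST[$field]) ? $_POST[$field] : null;
}
if (count($columns) === 0) {
    exit('Nothing to insert');
}

// The SQL text holds only identifiers and ? placeholders. Posted values
// travel separately via bind_param, so a first name of  '; DROP TABLE x; --
// is stored as a string and never parsed as SQL.
$sql = sprintf(
    'INSERT INTO `%s` (%s) VALUES (%s)',
    str_replace('`', '``', $tableName),
    implode(', ', $columns),
    implode(', ', array_fill(0, count($columns), '?'))
);

$stmt = $db->prepare($sql);
if ($stmt === false) {
    error_log('Prepare failed: ' . $db->error);
    http_response_code(500);
    exit('Registration failed');
}
// Binding everything as 's' is fine; MySQL converts to each column's type.
// Argument unpacking passes the array elements by reference (PHP 5.6+).
$stmt->bind_param(str_repeat('s', count($values)), ...$values);

if (!$stmt->execute()) {
    error_log('Insert failed: ' . $stmt->error);
    http_response_code(500);
    exit('Registration failed');
}
echo "Successfully registered!";
```

Two points worth keeping in mind when adapting this. mysqli_real_escape_string, the approach mentioned in the comment, only protects values that end up inside quotes; it does nothing for the table name in DESCRIBE and INSERT, which is why the whitelist check is there. And because the column list is whatever DESCRIBE returns, any column added to the table later becomes writable from the form automatically, so the $skip list (or, better, an explicit allow-list of form columns) needs to be reviewed whenever the schema changes.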