空字段可以插入我的数据库

Question

我有以下代码。我尝试使用我的Submit按钮将代码插入到数据库中，但每次使用它并刷新浏览器时，都会将空字段插入到数据库中。

<?php 
$servername = "localhost"; 
$username = "root"; 
$password = ""; 

//create connection 
$cn = new mysqli($servername, $username, $password, "milege"); 

//check connection 
if ($cn->connect_error) { 
    echo "Connection failed!". $cn->connect_error; 
} 

// once the button is clicked 
if (isset($_POST['submitForm'])) { 
    //the values in the boxes 
    $name = $_POST['fname']; 
    $email = $_POST['email']; 
    $password = $_POST['password']; 
    $confpass = $_POST['confpass']; 
    $interest = $_POST['interest']; 
    $info = $_POST['info']; 

    //echo "connection successfully"; 
    //Insert into table 
    $sql = "INSERT INTO miltb(name, email, password, interest, info, productorder) VALUES('$name', '$email', '$password', '$interest', '$info', 'none')"; 
} 

if ($cn->query($sql) == true) { 
    ?><script>alert ("INSERTED SUCCESSFULLY!");</script><?php 
} else { 
    echo "error: " . $sql . "\n" . $cn->error; 
} 

$cn->close(); 
?> 

我该如何解决它？

Answer 1

空字段被插入到数据库中的原因是因为您没有检查空字段，您需要首先检查这些空字段，然后如果空字段存在不要插入。

男人嘛还有，你需要学习很多，你需要了解

1.SQL Injections

2. mysqli prepared或pdo prepared语句。

3. Password hashing

Filter ,sanitize and validate user inputs

，切勿从用户信任的输入，必须始终把用户的输入，就好像它来自一个危险的黑客。

然后你准备语句代码应该是这样的：

<?php 


//create connection 
$cn = new mysqli($servername, $username, $password, "milege"); 

//check connection 
if ($cn->connect_error) { 
     echo "Connection failed!" . $cn->connect_error; 
} 

$error = ""; 
// once the button is clicked 
if (isset($_POST['submitForm'])) { 


     // check for empty fiels 

     if (empty($_POST['fname'])) { 

       echo "Enter your name"; 
       $error++; 
     } else { 

       $name = userInput($_POST['fname']); 

     } 

     if (isset($_POST['email'])) { 

       echo "enter email"; 
       $error++; 
     } else { 

       $email = userInput($_POST['email']); 

       // validate email 

       if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email)) { 

         echo "enter a valid email"; 
         $error++; 
       } 
     } 

     if (empty($_POST['password'])) { 

       echo "enter password"; 
       $error++; 
     } else { 


       $password = userInput($_POST['password']); 

       $hash = password_hash($password, PASSWORS_DEFAULT); //hash the password 
     } 

     if (!empty($_POST['confpass']) && $_POST['confpass'] !== $_POST['password']) { //password confirmation 

       echo "passwords does not match"; 
       $error++; 
     } 

     if (empty($_POST['interest'])) { 

       echo "enter interests"; 
       $error++; 
     } else { 

       $interest = userInput($_POST['interest']); 
     } 

     if (empty($_POST['info'])) { 

       echo "enter info"; 

       $error++; 
     } else { 

       $info = userInput($_POST['info']); 
     } 


     if ($error > 0) { // if we have errors don't insert to db 

       echo "you have " . $error . " error(s) on your form plz fix them"; 


     } else { // no errors lets insert 


       // prepare and bind 
       $sql = $cn->prepare("INSERT INTO miltb(name, email, password, interest, info) VALUES (?, ?, ?,?,?)"); 
       $sql->bind_param("sssss", $name, $email, $hash, $interest, $info); 

       if ($sql->execute()) { 

         echo "INSERTED SUCCESSFULLY!"; 
       } else { 


         echo "could not insert "; 
       } 





     } 


     $sql->close(); 
     $cn->close(); 



} 




function userInput($data) 
{ 


     $data = trim($data); 
     $data = stripslashes($data); 
     $data = htmlspecialchars($data); 
     return $data; 

} 


?> 

希望这将帮助你，你会学到一两件事，我站在予以纠正，我错了

Answer 2

使用这样的事情，以确保值插入：

$name = isset($_POST['fname']) ? strval($_POST['fname']) : null; 
if (empty($name)){ 
    echo "Name can't be empty!"; 
    exit(); 
} 

注：提防SQL Injection。使用php函数strval()是最不可能的安全措施，但至少可以使用该函数。