Home >Backend Development >PHP Tutorial >Get the value of input in html in php and write it to the database
Get the value of input in html in php and write it to the database
- WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOriginal
- 2016-08-04 09:20:162249browse
html:
php: The red box part in
php needs to get the value of name="new_title_info" in html. How to write it here? I have written echo . $sql at the bottom. Take a look at the statement I inserted. It was found that the following value was empty. Now the correction method of the diagram directly prompts
The problem still lies in the $sql=".... line, how to change it?
Reply content:
html:
php: The red box part in
php needs to get the value of name="new_title_info" in html. How to write it here? I have written echo . $sql at the bottom. Take a look at the statement I inserted. It was found that the following value was empty. Now the correction method of the diagram directly prompts
The problem still lies in the $sql=".... line, how to change it?
<code>$_POST('key') 在“ ”双引号里面的关联数组不需要加‘ ’单引号
$sql="insert into table() values('$_POST[key]')";</code>
Use periods to concatenate your strings. Although it is not safe to do so. It is more recommended to use parameterized query
First of all, your purely handwritten mysql_query is easily injected by SQL. Secondly, if you suspect that there is a problem with the SQL statement, it is recommended to echo whether the specific value meets the expectations, make some validity judgments, and then formulate the SQL statement.
Easy to write separately
$name = $_POST['new_title_info'];
$class = $_POST['new_class_info'];
$sql = "Insert into table (xxx,xxx) values ($name,$class) ";
If your work group requires code review, you will be scolded to death...
User input variables really cannot be directly inserted into sql...
In addition... you only need to print the sql statement you assembled... and then directly Just take the statement and execute it in the database... I visually judge that the problem lies in the single quotes
It feels like it’s also a problem with single quotes.
Print the sql statement and see if the format is correct. Put it into mysql and run it and you will see the problem
It won’t work if you use single quotes to quote $_POST. In PHP single quotes will not execute internal variables, you can just change them to double quotes. In so many answers, some people have suggested that it is easy to be injected by SQL, which is a good suggestion. You need to process and escape the received data to prevent SQL injection.
"INSERT INTO table_name (columns) values({$_POST['key']})",
Enclosed in curly brackets to increase readability
As a side note, all user input must be filtered and not directly inserted into the database
Written in the form of $_POST[key].
by the way!
Do not spell the sql statement directly, it is not safe. Measures such as preprocessing must be taken to prevent SQL injection attacks.