我是PHP的新手,所以这对我来说是新手。无论如何我正在创建一个网站,所以我可以在线访问我的receipes。
这是形式:
<form action="Form.php" method="post" class="basic-grey">
<h1><a href="index.html">Receita</a>
<span>Aqui podes adicionar uma nova receita</span>
</h1>
<label>
<span>Titulo :</span>
<input id="titulo" type="text" size="20" maxlength="100" name="titulo" placeholder="Introduza o Titulo" />
</label>
<label>
<span>Categoria :</span><select maxlength="10" name="categoria">
<option value="categoria">--- Seleccione aqui a Categoria ---</option>
<option name=" " value="sopa">Sopa</option>
<option name="entrada" value="entrada">Entrada</option>
<option name="carne" value="carne">Carne</option>
<option name="peixe" value="peixe">Peixe</option>
<option name="salada" value="salada">Salada</option>
<option name="sobremesa" value="sobremesa">Sobremesa</option>
</select>
</label>
<label>
<span>Ingredientes :</span>
<textarea id="ingredientes" size="20" maxlength="1000" name="ingredientes" placeholder="Introduza os ingredientes"></textarea>
</label>
<label>
<span>Preparação :</span>
<textarea id="preparacao" size="20" maxlength="1000" name="preparacao" placeholder="Introduza o modo de preparação"></textarea>
</label>
<label>
<span>Notas :</span>
<textarea id="notas" size="20" maxlength="1000" name="notas" placeholder="Aqui pode adicionar uma nota"></textarea>
</label>
<label>
<span> </span>
<input type="submit" class="button" value="Enviar" />
</label>
</form>
这是处理表单的代码:
<?php
// processing form values
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
$titulo = $_POST['titulo'];
$categoria = $_POST['categoria'];
$ingredientes = $_POST['ingredientes'];
$preparacao = $_POST['preparacao'];
$notas = $_POST['notas'];
if(!empty($titulo) && !empty($categoria) && !empty($ingredientes) && !empty($preparacao) && !empty($notas)){
include('connection.php');
mysqli_query($dbc, "INSERT INTO receita(Titulo,Categoria,Ingredientes,Preparacao,Notas) VALUES ('$titulo','$categoria','$ingredientes','$preparacao','$notas')");
$registered = mysqli_affected_rows($dbc);
echo $registered." row is affected, everything worked fine!";
}else{
echo "Please fill all values on the form";
}
}else{
echo "No form has been submitted";
}
?>
会发生什么是如果我输入这样的东西它不起作用:
标题:AçordadeCamarao
类别:鱼
配料:虾仁800克; 4瓣大蒜; 1枝欧芹或香菜; 3个全蛋; 1.5分升橄榄油;每人1.5面包;盐;皮瑞 - 皮瑞·
准备:用盐和piri-piri烹饪虾并保留水。然后将面包放入虾的水中。用大蒜和香菜加热橄榄油,然后加入虾,最后加入面包。将所有东西混合在一起烤面包并获得一致性。最后,鸡蛋被收集起来,一切都被包裹起来。
注意:4人的收入
但如果我像这样输入它的工作原理:
标题:gfdsfdsa
类别:鱼
成分:hudsbfbdsf fdsfidsfidsfsd,fdsjifjdsifdis 0palpdsandnsaud jkdosakodsakodmnsa jidsjaidsa
准备工作:nfjdbshfbhdbjfdjs dsajijdisandiabuu fjndoisjfojidsanfds
注意:fbhdubsufbndsnfs
我的数据库表:
Nome Tipo Agrupamento (Collation) Atributos Nulo Omissao Extra
1 ID bigint(50)否无AUTO_INCREMENT静音静音删除 2标题varchar(100)utf8_general_ci否无静音变量3 Varchar(10)utf8_general_ci无无静音静音 4成分varchar(1000)utf8_general_ci否无更改5准备varchar(1000)utf8_general_ci否无静音更改6注意varchar(1000)utf8_general_ci否无静音静音
对不起,如果这个帖子很长。任何想法如何解决它?
输入中可能存在一个特殊字符,导致查询中出现语法错误。
在将其替换为查询之前,您需要转义输入。在include ('connection.php');之后加上这个
$titulo = mysqli_real_escape_string($dbc, $titulo);
$categoria = mysqli_real_escape_string($dbc, $categoria);
// and so on for all the other variables
或(更好)使用准备好的声明。用它来代替你对mysqli_query的调用:
$stmt = mysqli_prepare($dbc, "INSERT INTO receita(Titulo,Categoria,Ingredientes,Preparacao,Notas) VALUES (?, ?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, "sssss", $titulo, $categoria, $ingredientes, $preparacao, $notas);
mysqli_stmt_execute($stmt);
$registered = mysqli_stmt_affected_rows($stmt);