PHP 尝试 POST "select" HTML 表单输入时出错
PHP error when trying to POST "select" HTML form input
所以我创建了一个非常简单的 HTML 调查表,它只有一个 select 下拉输入和一个文本输入字段。仅当 select 字段位于 "other" 选项上时才会显示文本输入。所以这一切都很好,我已经 JavaScript 处理了所有这些并且效果很好。
现在,当我尝试 POST 将表单值添加到 PHP 文件,然后将这些值插入到我的数据库 table 时,问题出现了。我每次尝试提交表单时都收到此错误:
Error: INSERT INTO survey (select, other) VALUES ('flyer','')
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' other) VALUES ('flyer','')' at line 1
由于奇怪的单引号似乎截断了 sql 字符串的第一部分,我相信我在某种程度上 SQL 将自己注入了我的表单 POST或我的 PHP 验证。我已经通过代码多次搜索奇怪的引号,从头开始完全重写了表格,三次检查了我数据库中的 table 和行名称,甚至抓取了一个 SQL 字符串,我知道其他地方的作品改变它在这里工作。不幸的是,我总是得到同样的错误,所以我将不胜感激任何见解或帮助你们都可以借给我。
我的HTML表格:
<form action="includes/survey.php" method="POST" id="hear_form">
<label for="hear_select">How did you here about us?</label>
<br>
<select id="hear_select" name="hear_select">
<option value='flyer'>
Flyer left on door
</option>
<option value='email'>
Email from Troop
</option>
<option value='sodo'>
SODO News
</option>
<option value='conway'>
Conway News
</option>
<option value='southwest'>
Southwest Orlando Bulletin
</option>
<option value='winter'>
Winter Park Observer
</option>
<option value='baldwin'>
Baldwin Park Living
</option>
<option value='facebook'>
Facebook
</option>
<option value='neighborhood'>
Neighborhood posting
</option>
<option value='other'>
Other
</option>
</select>
<label id="otherlabel" for="other_type">Where else did you hear about us?</label>
<input id="other_type" type="text" name="other_type" maxlength="200" value="">
<input type="submit" value="Submit" id="hear_submit">
</form>
我的PHP:
require_once 'db_con.php';
require_once 'functions.php';
$selectErr = "";
$otherErr = "";
//validating inputs
if ($_SERVER["REQUEST_METHOD"] == "POST"){
if (empty($_POST["hear_select"])){
$selectErr = "* An answer is required";
$valid = false;
}else{
$select = test_input($_POST["hear_select"]);
$valid = true;
}
if (empty($_POST["other_type"])) {
$other = test_input($_POST["other_type"]);
$valid = true;
}else{
if((strlen($_POST["other_type"]) < 200)){
$other = test_input($_POST["other_type"]);
$valid = true;
}else{
$otherErr = "* An answer must have less than 200 characters";
$valid = false;
}
}
if($selectErr != '' || $otherErr != ''){
$valid = false;
}
if($valid){
var_dump($_POST);
//inserting variables into the database
$sql = "INSERT INTO survey (select, other) VALUES ('$select','$other')";
//checking if all worked, if it did redirect page top next step
if ($mysqli->query($sql) === TRUE) {
header( 'Location: index.php' ) ;
} else {
echo "Error: " . $sql . "<br>" . $mysqli->error;
}
$mysqli->close();
exit;
}
}
function test_input($data) {
$data = trim($data);
$data = str_replace('"', "", $data);
$data = str_replace("'", "", $data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
查询的问题是'select'是SQL标准中的保留关键字,如果要用作列名必须适当转义。
最好的选择是重命名该列,或者在查询中将其转义。有关更多详细信息,请参阅以下 link。
Escaping reserved keywords
所以我创建了一个非常简单的 HTML 调查表,它只有一个 select 下拉输入和一个文本输入字段。仅当 select 字段位于 "other" 选项上时才会显示文本输入。所以这一切都很好,我已经 JavaScript 处理了所有这些并且效果很好。
现在,当我尝试 POST 将表单值添加到 PHP 文件,然后将这些值插入到我的数据库 table 时,问题出现了。我每次尝试提交表单时都收到此错误:
Error: INSERT INTO survey (select, other) VALUES ('flyer','')
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' other) VALUES ('flyer','')' at line 1
由于奇怪的单引号似乎截断了 sql 字符串的第一部分,我相信我在某种程度上 SQL 将自己注入了我的表单 POST或我的 PHP 验证。我已经通过代码多次搜索奇怪的引号,从头开始完全重写了表格,三次检查了我数据库中的 table 和行名称,甚至抓取了一个 SQL 字符串,我知道其他地方的作品改变它在这里工作。不幸的是,我总是得到同样的错误,所以我将不胜感激任何见解或帮助你们都可以借给我。
我的HTML表格:
<form action="includes/survey.php" method="POST" id="hear_form">
<label for="hear_select">How did you here about us?</label>
<br>
<select id="hear_select" name="hear_select">
<option value='flyer'>
Flyer left on door
</option>
<option value='email'>
Email from Troop
</option>
<option value='sodo'>
SODO News
</option>
<option value='conway'>
Conway News
</option>
<option value='southwest'>
Southwest Orlando Bulletin
</option>
<option value='winter'>
Winter Park Observer
</option>
<option value='baldwin'>
Baldwin Park Living
</option>
<option value='facebook'>
Facebook
</option>
<option value='neighborhood'>
Neighborhood posting
</option>
<option value='other'>
Other
</option>
</select>
<label id="otherlabel" for="other_type">Where else did you hear about us?</label>
<input id="other_type" type="text" name="other_type" maxlength="200" value="">
<input type="submit" value="Submit" id="hear_submit">
</form>
我的PHP:
require_once 'db_con.php';
require_once 'functions.php';
$selectErr = "";
$otherErr = "";
//validating inputs
if ($_SERVER["REQUEST_METHOD"] == "POST"){
if (empty($_POST["hear_select"])){
$selectErr = "* An answer is required";
$valid = false;
}else{
$select = test_input($_POST["hear_select"]);
$valid = true;
}
if (empty($_POST["other_type"])) {
$other = test_input($_POST["other_type"]);
$valid = true;
}else{
if((strlen($_POST["other_type"]) < 200)){
$other = test_input($_POST["other_type"]);
$valid = true;
}else{
$otherErr = "* An answer must have less than 200 characters";
$valid = false;
}
}
if($selectErr != '' || $otherErr != ''){
$valid = false;
}
if($valid){
var_dump($_POST);
//inserting variables into the database
$sql = "INSERT INTO survey (select, other) VALUES ('$select','$other')";
//checking if all worked, if it did redirect page top next step
if ($mysqli->query($sql) === TRUE) {
header( 'Location: index.php' ) ;
} else {
echo "Error: " . $sql . "<br>" . $mysqli->error;
}
$mysqli->close();
exit;
}
}
function test_input($data) {
$data = trim($data);
$data = str_replace('"', "", $data);
$data = str_replace("'", "", $data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
查询的问题是'select'是SQL标准中的保留关键字,如果要用作列名必须适当转义。
最好的选择是重命名该列,或者在查询中将其转义。有关更多详细信息,请参阅以下 link。
Escaping reserved keywords