我已经尝试解决我目前遇到的这个问题一周了。所以我希望我能在这里找到解决方案。 我有一个 HTML 文件,其中包含带有“POST”方法的注册表单。我打算使用 PHP 文件将用户信息存储到名为“pizza_project”的数据库中。但是,每次我提交表单时,仅存储两个值:密码和排序代码(在存储之前也会进行哈希处理)。此外,尽管在我的数据库中据说不允许存储零值和默认值,但每次我提交表单时,“0”都会存储到 AccountNumber 列中。其他列保持空白。
这是我的 HTML 表单:
<div class="reg_container">
<form id="form_register" class="register_section" action="http://localhost/pizza_register.php" method="post">
<div class="reg_form_item">
<div class="reg_form_itself">
<p class="h3">PERSONAL INFORMATION</p>
<label for="customer_name"></label>
<input type="text" id="customer_name" name="customer_name" placeholder="Full name" class="bigger_field" required>
<label for="customer_phone"></label>
<input type="tel" id="customer_phone" name="customer_phone" placeholder="Phone number" class="bigger_field" required>
<label for="customer_email"></label>
<input type="email" id="customer_email" name="customer_email" placeholder="Email address" class="bigger_field" required>
<label for="password"></label>
<input type="password" id="password" name="password" placeholder="Password" class="bigger_field" required>
</div>
</div>
<div class="reg_form_item"><div class="line"></div></div>
<div class="reg_form_item">
<div class="reg_form_itself">
<p class="h3">DELIVERY, PAYMENT</p>
<label for="full_address"></label>
<textarea id="full_address" name="full_address" rows="3" placeholder="Full address" class="input-field" required></textarea>
<label for="account_number"></label>
<input type="text" id="account_number" name="account_number" placeholder="Account number" class="bigger_field" required>
<label for="sort_code"></label>
<input type="password" id="sort_code" name="sort_code" placeholder="Sort Code" class="bigger_field" required>
<input class="input-submit" type="submit" name="submit" value="SAVE">
</div>
</div>
</form>
</div>
这是我的 PHP 文件:
<?php
$con = mysqli_connect("localhost","root","","pizza_project")
or die("Error " . mysqli_error($con));
$customer_name = mysqli_real_escape_string($con,$_POST["customer_name"]);
$customer_phone = mysqli_real_escape_string($con,$_POST["customer_phone"]);
$customer_email = mysqli_real_escape_string($con,$_POST["customer_email"]);
$password = mysqli_real_escape_string($con,$_POST["password"]);
$full_address = mysqli_real_escape_string($con,$_POST["full_address"]);
$account_number = mysqli_real_escape_string($con,$_POST["account_number"]);
$sort_code = mysqli_real_escape_string($con,$_POST["sort_code"]);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$hashed_sort_code = password_hash($sort_code, PASSWORD_DEFAULT);
$sql = $con->prepare("INSERT INTO customers (CustomerName, CustomerPhone, CustomerEmail, hashed_password, FullAddress, AccountNumber, hashed_sort_code) VALUES (?, ?, ?, ?, ?, ?, ?)");
$sql->bind_param("sssssis", $customer_name, $customer_phone, $customer_email, $hashed_password, $full_address, $account_number, $hashed_sort_code);
if ($sql->execute()) {
header("Location: http://localhost/pizza_home_p.html");
exit();
} else {
error_log("Error: " . $sql->error);
echo "New record was not created successfully";
}
$sql->close();
mysqli_close($con);
谢谢大家的帮助。
如果您注意到,只有没有
mysqli_real_escap_string
的值才会被保存,让您了解发生了什么。
我告诉你'mysqli_real_escape_string'不应该与
bind_param
一起使用。 MySQLi 中的 bind_param
函数用于将参数绑定到准备好的 SQL 语句,并自动转义值以防止 SQL 注入。因此,如果不会产生这些不一致,则在使用 mysqli_real_escape_string
时无需使用 bind_param
。
所以你可以通过两种方式做到这一点:
MYSQLI_REAL_ESCAPE_STRING
:<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "your_database";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Failed: " . $conn->connect_error);
}
$customer_name = $_POST['customer_name'];
$customer_phone = $_POST['customer_phone'];
$customer_email = $_POST['customer_email'];
$full_address = $_POST['full_address'];
$account_number = $_POST['account_number'];
$sort_code = $_POST['sort_code'];
$password = $_POST['password'];
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$hashed_sort_code = password_hash($sort_code, PASSWORD_DEFAULT);
$sql = $conn->prepare("INSERT INTO customers (CustomerName, CustomerPhone, CustomerEmail, hashed_password, FullAddress, AccountNumber, hashed_sort_code) VALUES (?, ?, ?, ?, ?, ?, ?)");
$sql->bind_param("sssssis", $customer_name, $customer_phone, $customer_email, $hashed_password, $full_address, $account_number, $hashed_sort_code);
if ($sql->execute()) {
echo "¡Success!";
} else {
echo "Error: " . $sql->error;
}
$conn->close();
?>
MYSQLI_REAL_ESCAPE_STRING
但没有 BIND_PARAMS
或 PREPARE
:<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "your_database";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
die("Failed: " . $conn->connect_error);
}
$customer_name = mysqli_real_escape_string($conn, $_POST['customer_name']);
$customer_phone = mysqli_real_escape_string($conn, $_POST['customer_phone']);
$customer_email = mysqli_real_escape_string($conn, $_POST['customer_email']);
$full_address = mysqli_real_escape_string($conn, $_POST['full_address']);
$account_number = mysqli_real_escape_string($conn, $_POST['account_number']);
$sort_code = mysqli_real_escape_string($conn, $_POST['sort_code']);
$password = mysqli_real_escape_string($conn, $_POST['password']);
$sql = "INSERT INTO customers (customer_name, customer_phone, customer_email, full_address, account_number, sort_code, password)
VALUES ('$customer_name', '$customer_phone', '$customer_email', '$full_address', '$account_number', '$sort_code', '$password')";
if ($conn->query($sql) === TRUE) {
echo "¡Success!";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>