这个问题在这里已有答案:
直到最近才开始使用mysql所以我正在慢慢掌握它,但是尝试使用PHP预处理语句进行webform,并且在提交webform时,它只是显示php代码。有什么建议?
谢谢
<?php
$link = mysqli_connect("localhost", "root", "", "contactform");
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
$sql = "INSERT INTO contactform (firstname, surname, address1, address2,
towncity, county, postcode) VALUES (?,?,?,?,?,?,?)";
if($stmt = mysqli_prepare($link, $sql)){
mysqli_stmt_bind_param($stmt, "sssssss", $firstname, $surname, $address1,
$address2, $towncity, $county, $postcode);
$firstname = $_REQUEST['firstname'];
$surname = $_REQUEST['surname'];
$address1 = $_REQUEST['address1'];
$address2 = $_REQUEST['address2'];
$towncity = $_REQUEST['towncity'];
$county = $_REQUEST['county'];
$postcode = $_REQUEST['postcode'];
if(mysqli_stmt_execute($stmt)){
echo "Records inserted successfully.";
} else{
echo "ERROR: Could not execute query: $sql. " . mysqli_error($link);
}
} else{
echo "ERROR: Could not prepare query: $sql. " . mysqli_error($link);
}
mysqli_stmt_close($stmt);
mysqli_close($link);
?>
使用eval( $text );将执行您的字符串作为PHP代码。那是你在找什么?
注意eval()语言结构非常危险,因为它允许执行任意PHP代码。因此不鼓励使用它。如果您已仔细验证除了使用此构造之外没有其他选项,请特别注意不要传递任何用户提供的数据