我正在创建一个php网页,我需要发送一个带有表单参数的mysql查询.查询我需要发送:
INSERT INTO News (Titolo_news,Contenuto_news) VALUES
('*title from form*','*content from form*');
这是我的实际代码:
<?php
...
<form class="action="#" method='POST'>
<p>Title:<input name="title" required id="title" /></p>
<p>Content:<input name="content" required id="content" /></p>
<button class="login-button" type="submit" title="Confirm" onclick="
QUERY HERE, RIGHT?
">Confirm</button>
</form>
...
?>
你不应该在html/javascript中暴露前端的查询.有时你可以做到,但这是不好的做法.发送表单的客户端可以更改查询.他们可以找到所有数据库并将其全部删除.
您应该做的是传递查询所需的值并清理收到的数据.
您的表单发送标题和内容的值,您的服务器端代码接收数据,确保它们可以存储,正确的数据类型等,并运行插入数据的查询.在php中,您可以使用PDO或MySQLi通过使用预准备语句来帮助解决此问题.
这是一个不健全的粗略示例,更多用于说明:
<?php
// configuration
$dbhost = "localhost";
$dbname = "test";
$dbuser = "root";
$dbpass = "admin";
// database connection
$conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);
// form was submitted
if(isset($_POST['title']) && isset($_POST['content'])) {
$title = $_POST['title'];
$content = $_POST['content'];
// add more validation and sanitising if required
// query using prepared statements
$sql = "INSERT INTO News (Titolo_news,Contenuto_news) VALUES
(:title, :content)";
$q = $conn->prepare($sql);
$q->execute(array(':title'=>$title,
':content'=>$content));
?>
<p>Thanks for submitting the form</p>
<?php
} else {
// form not submitted so show the form
?>
<form class="" action="#" method='POST'>
<label>Title</label><input name="title" required id="title" />
<label>Content:</label><input name="content" required id="content" />
<button class="login-button" type="submit" title="Confirm">Confirm</button>
</form>
<?php
}
?>