PHP MySQL数据库插入特殊字符

时间:2019-07-25 10:01:08

标签: php mysql

我有此代码:

<?php
include("protected.php");
// Include config file
require_once "config.php";

// Define variables and initialize with empty values
$merk = $model = $threshold = "";
$merk_err = $model_err = $threshold_err = "";
$prodID = $_GET["id"];

// Processing form data when form is submitted
if(isset($_POST["id"]) && !empty($_POST["id"])){
    // Get hidden input value
    $id = $_POST["id"];

    // Validate merk
    $input_merk = trim($_POST["merk"]);
    if(empty($input_merk)){
        $merk_err = "Please enter a merk.";
    } elseif
    (!filter_var($input_merk, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>"/^[a-zA-Z\s]+$/")))){
        $merk_err = "Please enter a valid merk.";
    } else{
        $merk = $input_merk;
        echo $merk;
    }
       // Validate model
       $input_model = trim($_POST["model"]);
       if(empty($input_model)){
           $model_err = "Please enter the model.";     
       }else{
           $model = $input_model;
       }
    // Validate threshold threshold
    $input_threshold = trim($_POST["threshold"]);
    if(empty($input_threshold)){
        $threshold_err = "Please enter an threshold.";     
    } else{
        $threshold = $input_threshold;
    }

    // Check input errors before inserting in database
    if(empty($merk_err) && empty($model_err) && empty($threshold_err)){
        // Prepare an update statement
        $sql = "UPDATE products SET merk=?, model=?,threshold=? WHERE id= ". $_POST["id"];


        if($stmt = mysqli_prepare($link, $sql)){
            // Bind variables to the prepared statement as parameters
            mysqli_stmt_bind_param($stmt, "ssi", $param_merk, $param_model, $param_threshold);

            // Set parameters
            $param_merk = $merk;
            $param_model = $model;
            $param_threshold = $threshold;

            // Attempt to execute the prepared statement
            if(mysqli_stmt_execute($stmt)){
                // Records updated successfully. Redirect to landing page
                header("location: inventory.php");
                exit();
            } 
            else
            {
                echo "Something went wrong. Please try again later.";
            }
        }

        // Close statement
        mysqli_stmt_close($stmt);
    }



    // Close connection
    mysqli_close($link);
} 
else
{
    // Check existence of id parameter before processing further
    if(isset($_GET["id"]) && !empty(trim($_GET["id"]))){
        // Get URL parameter
        $id =  trim($_GET["id"]);

        // Prepare a select statement
        $sql = "SELECT * FROM employees WHERE id = ?";
        if($stmt = mysqli_prepare($link, $sql)){
            // Bind variables to the prepared statement as parameters
            mysqli_stmt_bind_param($stmt, "i", $param_id);

            // Set parameters
            $param_id = $id;

            // Attempt to execute the prepared statement
            if(mysqli_stmt_execute($stmt)){
                $result = mysqli_stmt_get_result($stmt);

                if(mysqli_num_rows($result) == 1){
                    /* Fetch result row as an associative array. Since the result set contains only one row, we don't need to use while loop */
                    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);

                    // Retrieve individual field value
                    $name = $row["name"];
                    $threshold = $row["threshold"];
                    $model = $row["model"];
                } else{
                    // URL doesn't contain valid id. Redirect to error page
                    header("location: error.php");
                    exit();
                }

            } else{
                echo "Oops! Something went wrong. Please try again later.";
            }

            mysqli_stmt_close($stmt);
        }

        // Close statement


        // Close connection
       // mysqli_close($link);
    }  else{
        // URL doesn't contain id parameter. Redirect to error page
        header("location: error.php");
        exit();
    }

}
$sql1 = "SELECT * FROM products WHERE id = ".$prodID;

if($result1 = mysqli_query($link, $sql1)){
    if(mysqli_num_rows($result1) > 0){
        $row1 = mysqli_fetch_array($result1);
        // Free result set
        mysqli_free_result($result1);
    } else{
        echo "<p class='lead'><em>Er zijn momenteel geen producten</em></p>";
    }
} 
else{
echo "ERROR: Could not able to execute $sql1. " . mysqli_error($link);
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Update Record</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <link rel="stylesheet" type="text/css" href="https://cdn.datatables.net/1.10.19/css/dataTables.bootstrap4.min.css">
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js"></script>
    <script src="https://cdn.datatables.net/1.10.19/js/jquery.dataTables.min.js"></script>
    <script src="https://cdn.datatables.net/1.10.19/js/dataTables.bootstrap4.min.js"></script>
    <style type="text/css">
        .wrapper{
            width: 500px;
            margin: 0 auto;
        }
    </style>
</head>
<body>
<?php include_once("navbar.html"); ?>
    <div class="wrapper">
        <div class="container-fluid">
            <div class="row">
                <div class="col-md-12">
                    <div class="page-header">
                        <h2>Update Record</h2>
                    </div>
                    <p>Please edit the input values and submit to update the record.</p>
                    <form action="<?php echo htmlspecialchars(basename($_SERVER['REQUEST_URI'])); ?>" method="post">
                        <div class="form-group <?php echo (!empty($merk_err)) ? 'has-error' : ''; ?>">
                            <label>Merk</label>
                            <input type="text" name="merk" class="form-control" value="<?php echo $row1['merk']; ?>">
                            <span class="help-block"><?php echo $merk_err;?></span>
                        </div>
                        <div class="form-group <?php echo (!empty($model_err)) ? 'has-error' : ''; ?>">
                            <label>Model</label>
                            <input type="text" name="model" class="form-control" value="<?php echo $row1['model']; ?>">
                            <span class="help-block"><?php echo $model_err;?></span>
                        </div>
                        <div class="form-group <?php echo (!empty($threshold_err)) ? 'has-error' : ''; ?>">
                            <label>Threshold</label>
                            <input type="text" name="threshold" class="form-control" value="<?php echo $row1['threshold']; ?>">
                            <span class="help-block"><?php echo $threshold_err;?></span>
                        </div>
                        <input type="hidden" name="id" value="<?php echo $id; ?>"/>
                        <input type="submit" class="btn btn-primary" value="Submit">
                        <a href="index.php" class="btn btn-default">Cancel</a>
                    </form>
                </div>
            </div>        
        </div>
    </div>
</body>
</html>

当您输入正常单词时,它可以正常工作。但是例如在merk字段中,如果您键入一些内容然后输入“;”,则会出现此错误: enter image description here

因此它不会插入数据库。他们有什么解决方案可以将所有内容都转换为文本以便插入吗?当我在模型字段中键入“;时,它工作正常,因此显示为”;在数据库中,但是当您刷新页面时,它不再显示“;”。

0 个答案:

没有答案
相关问题
最新问题