php - 无法弄清楚为什么我的 PHP 没有插入 MySQL 数据库

Question

我正在尝试将数据从简单的注册表单插入到 MySQL 中。我将我的数据库托管在 Amazon AWS RDS 上，使用 DBeaver 对其进行编辑。当我运行代码时，我得到以下内容

affected_rows." data inserted into database."; } else { echo "An error has occurred. The items were not added."; } $db->close(); ?>

我该如何解决这个问题？我的PHP错了吗？我很困惑我是否可以使用 MySQLi，我该如何确定？我假设 Amazon RDS MySQL 是兼容的。

<?php
// create short variable names
$name=$_POST['name'];
$birthdate=$_POST['birthdate'];
$email=$_POST['email'];
$password=$_POST['password'];
$address=$_POST['address'];
$city+$_POST['city'];

if (!get_magic_quotes_gpc()) {
    $name = addcslashes($name);
    $birthdate = addslashes($birthdate);
    $email = addcslashes($email);
    $password = addcslashes($password);
    $address = addcslashes($address);
    $city = addcslashes($city);
}

$host='xxxxxx'
$user='admin'
$password='xxxxx'
$dbname='users'
@ $db = mysqli_connect($host,$user,$password,$dbname)

if (mysqli_connect_errno()) {
    echo 'Error: Could not connect to database. Please try again later.';
    exit;
}

// Execute the query
$query = "INSERT INTO vestorinfo (name,birthdate,email,password,address,city)
    VALUES ('$_POST[name]','$_POST[birthdate]','$_POST[email]','$_POST[password]','$_POST[address]','$_POST[city]')";
$result = mysqli_query($query)
        or die ("Couldn't execute query."};

if ($result) {
    echo $db->affected_rows." data inserted into database.";
} else {
    echo "An error has occurred. The items were not added.";
}

$db->close();
?>

这是html页面的表单

    <div id="registerform">
    <form action="php/registerprocess.php" method="post" class="form-horizontal">

<fieldset>

<!-- Form Name -->

<!-- Text input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="name">Name</label>  
  <div class="col-md-4">
  <input id="name" name="name" placeholder="Your name" class="form-control input-md" required="" type="text">

  </div>
</div>

<!-- Text input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="birthdate">Birth Date</label>  
  <div class="col-md-4">
  <input id="birthdate" name="birthdate" placeholder="07/04/1950" class="form-control input-md" required="" type="text">

  </div>
</div>

<!-- Text input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="email">Email</label>  
  <div class="col-md-4">
  <input id="email" name="email" placeholder="" class="form-control input-md" required="" type="text">

  </div>
</div>

<!-- Password input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="password">Password</label>
  <div class="col-md-4">
    <input id="password" name="password" placeholder="" class="form-control input-md" required="" type="password">
    <span class="help-block">Must be &gt;= 8 characters including at least 1 number</span>
  </div>
</div>

<!-- Text input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="email">Address</label>  
  <div class="col-md-4">
  <input id="address" name="address" placeholder="" class="form-control input-md" required="" type="text">
  </div>
</div>

<!-- Text input-->
<div class="form-group">
  <label class="col-md-4 control-label" for="email">City</label>  
  <div class="col-md-4">
  <input id="city" name="city" placeholder="" class="form-control input-md" required="" type="text">
  </div>
</div>
</div>

</fieldset>

Answer 1

您的代码存在 sql 注入(inject)风险，您应该使用参数绑定(bind)而不是 var 作为 $_POST无论如何尊重你质疑缺失的插入值可能是因为与您以错误的方式引用 $_POST 的索引这一事实有关

例如:你应该使用连接

  $query = "INSERT INTO vestorinfo (name,birthdate,email,password,address,city)
      VALUES ('" . $_POST['name'] ." , " . $_POST['birthdate'] .", " . 
      $_POST['email'] . "," . $_POST['password'] . "," .
         $_POST['address'] . "," . $_POST['city'] . ")";