php - 通过php在mysql中插入数据

Question

在我的代码中只是通过 php 将一些数据插入 mysql 数据库。所有数据都已插入，但只有两列数据未插入。我的代码::

regi.php
//表单设计

 <html>
    <form action="regi_pp.php"  method="post">
      Student Name <input name="st_name" type="text" id="st_name">
       Father's Name  <input name="f_name" type="text" id="f_name">
      Mother's Name <input name="m_name" type="text" id="m_name">
      Faculty  <input name="faculty" type="text" id="faculty">
      Department <input name="department" type="text" id="department">
      Session <input name="session" type="text" id="session">  
     Dormitory  <input name="dormitory" type="text" id="dormitory">  
    Registration No <input name="regi_no" type="text" id="regi_no"> 
     Email  <input name="email" type="text" id="email"> 
     pass:<input name="pass" type="password" id="pass">  
     <input type="submit" name="Submit" value="Submit">
     </form>
 </html>

提交后::

 <?php 
    $st_name=$_POST["st_name"];   // name
    $st_father=$_POST["f_name"];   // father name
    $st_mother=$_POST["m_name"];   // Mather name
    $faculty=$_POST["faculty"];     // faculty name
    $dept=$_POST["department"];     // department name
    $session=$_POST["session"];     // session  
    $dormitory=$_POST["dormitory"];  // dormitory 
    $regi_no=$_POST["regi_no"];     //regi number
    $email=$_POST["email"];         //  email
    $pass=$_POST["pass"];          // password

   $con = mysql_connect("localhost","root","");   // mysql connection

    mysql_select_db("ppp", $con);    // database connection

    // here all value insert but '$regi_no', '$email' are not inserted and '$pass' value only insert if $pass value is number 
    mysql_query("INSERT INTO regf            VALUES('$st_name','$st_father','$st_mother','$faculty','$dept','$session','$dormitory','$regi_no','$email','$pass')") or die(mysql_error());
     mysql_close($con);
 ?>

Answer 1

如果在宿舍里我进入了Saint Philip Dormitory');删除表regfs;--？你认为会发生什么？

您的代码容易出现 SQL Injection 。使用PDO 或 MYSQLI 改为扩展。

使用 PDO 扩展的示例:

<?php

    $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
    $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
    $stmt->bindParam(1, $name);
    $stmt->bindParam(2, $value);

    // insert one row
    $name = 'one';
    $value = 1;
    $stmt->execute();

?>

这将允许您插入带单引号的记录。