代码很简单-从表单中获取一个值,将其插入到mysql DB中。下面是一段代码:
//connect to DB
$dbh = new PDO($db_pdo, $db_user_name, $db_password);
//capture value from form
$first_name = $_POST['first_name'];
//insert value into DB (doesn't work- no new entry created in requests)
$dbh->exec("INSERT INTO requests(first_name) VALUES($first_name)");
//this echo statement works (outputs the value of $first_name):
echo "\$first_name ".$first_name;
//this insert statement works:
$dbh->exec("INSERT INTO requests(first_name) VALUES('oleg')");
发布于 2012-01-10 05:12:59
没错,你必须引用你的字符串。
$dbh->exec("INSERT INTO requests(first_name) VALUES('$first_name')");
但是这段代码容易受到SQL注入的攻击。我不确定在PHP中如何防止这种情况发生。
https://stackoverflow.com/questions/8798838
复制