规范:如何将HTML表单数据保存到MySQL数据库中 [英] Canonical: How to save HTML form data into MySQL database
问题描述
这是使用PHP将数据从(HTML)格式保存到MySQL数据库的规范问答.
This is a canonical question and answer for saving data from (HTML) form to MySQL database using PHP.
如果您要执行以下操作,这将适用于您:
This applies to you if you are trying to do the following:
- 接受用户在HTML表单上的输入
- 使用PHP脚本处理输入
- 将所述输入存储到MySQL数据库中.
- Accept user input on a HTML form
- Process the input using PHP script
- Store the said input into a MySQL database.
过去不应该使用的类似问题示例:
Examples of similar questions asked in the past that should not be used:
连接PHP代码并将表单提交到mySQL数据库
使用php/html表单插入mysql-不起作用
将表单数据保存到数据库
Connecting PHP Code and Submit Form to mySQL Database
Insert into mysql using php / html form - not working
How to use PHP to pass HTML form data to a MYSQL db and return the data to the browser
saving form data to database
简而言之,如果您有以下疑问,请继续阅读:我想使用HTML格式,PHP和MySQL或类似的格式将用户输入存储到数据库中.
In short, please read on if you questions is: I want to store user input to database using HTML forms, PHP and MySQL or similar.
推荐答案
首先,您的PHP或HTML页面应生成用户可以与之交互的表单.在最 简单的形式就是这样:
First of all your PHP or HTML page should produce a form that user can interact with. In the most simple form it'd be something like:
<html>
<body>
<form method="post" action="yourscript.php">
<input type="text" name="yourfield">
<input type="submit" name="youraction" value="save">
</form>
</body>
</html>
这将为您的用户提供一个简单的表单,其中包含单个输入字段和保存"按钮.点击后
内容的保存"按钮将使用POST
方法发送到您的"yourscript.php".
This will give your user a simple form with single input field and 'save' button. After clicking
the 'save' button for content will be sent to your 'yourscript.php' using POST
method.
yourscript.php
应该实现以下内容:
- 接受并处理表单中的输入.
- 连接到您的MySQL数据库.
- 存储到数据库中.
- Accept and process the input from your form.
- Connect to your MySQL database.
- Store into the database.
最简单的形式是:
<!doctype html>
<html>
<head>
<title>Process and store</title>
</head>
<body>
<?php
// Check that user sent some data to begin with.
if (isset($_REQUEST['yourfield'])) {
/* Sanitize input. Trust *nothing* sent by the client.
* When possible use whitelisting, only allow characters that you know
* are needed. If username must contain only alphanumeric characters,
* without puntation, then you should not accept anything else.
* For more details, see: https://stackoverflow.com/a/10094315
*/
$yourfield=preg_replace('/[^a-zA-Z0-9\ ]/','',$_REQUEST['yourfield']);
/* Escape your input: use htmlspecialchars to avoid most obvious XSS attacks.
* Note: Your application may still be vulnerable to XSS if you use $yourfield
* in an attribute without proper quoting.
* For more details, see: https://stackoverflow.com/a/130323
*/
$yourfield=htmlspecialchars($yourfield);
} else {
die('User did not send any data to be saved!');
}
// Define MySQL connection and credentials
$pdo_dsn='mysql:dbname=yourdatabase;host=databasehost.example.com';
$pdo_user='yourdatabaseuser';
$pdo_password='yourdatabaspassword';
try {
// Establish connection to database
$conn = new PDO($pdo_dsn, $pdo_user, $pdo_password);
// Throw exceptions in case of error.
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use prepared statements to mitigate SQL injection attacks.
// See https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php for more details
$qry=$conn->prepare('INSERT INTO yourtable (yourcolumn) VALUES (:yourvalue)');
// Execute the prepared statement using user supplied data.
$qry->execute(Array(":yourvalue" => $yourfield));
} catch (PDOException $e) {
echo 'Error: ' . $e->getMessage() . " file: " . $e->getFile() . " line: " . $e->getLine();
exit;
}
?>
<form method="post">
<!-- Please note that the quotes around next <?php ... ?> block are important
to avoid XSS issues with poorly escaped user input. For more details:
https://stackoverflow.com/a/2894530
-->
<input type="text" name="yourfield" value="<?php print $yourfield; ?>">
<input type="submit" name="youraction" value="save">
</form>
</body>
</html>
这里的主要要点是使用准备好的语句来避免SQL注入攻击.
Key takeaway here is to use prepared statements to avoid SQL injections attacks.
这篇关于规范:如何将HTML表单数据保存到MySQL数据库中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!