1. 首頁
  2. 問答
  3. 在phpMyAdmin中創建一個新表格,但單擊HTML中的提交按鈕

在phpMyAdmin中創建一個新表格,但單擊HTML中的提交按鈕

2015-03-03 102 views
-1

我試圖在phpMyAdmin中創建一個新列表,當用戶單擊網頁上的「創建新列表」按鈕但似乎無法使其工作時。 當我點擊「創建新的列表」我得到這個錯誤 -在phpMyAdmin中創建一個新表格,但單擊HTML中的提交按鈕

not working1 not working 3 
Notice: Undefined variable: tablename in /strath-cis/2014/WEBSITE!/create_new_table.php on line 22 

Notice: Undefined variable: tablename in /strath-cis/2014/WEBSITE!/create_new_table.php on line 22 
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(id, tablename) VALUES(Null, '')' at line 1

下面的代碼

<?php 
session_start(); 

$host=""; // Host name 
$user_name=""; // Mysql username 
$password=""; // Mysql password 


echo "not working1"; 

// Create connection 
mysql_connect("$host", "$user_name", "$password")or die("cannot connect"); 


// Check connection 
$con=mysql_connect("","","iftercha") or die("Failed to connect to MySQL: " . mysql_error()); 

    // Create table 
// $tablename = $_POST['tablename']; 

echo "not working 3"; 
    $query ="CREATE TABLE $tablename (id, tablename) 
    VALUES(Null, '$tablename')"; 
     $result = mysql_query($query) or die (mysql_error()); 

?>

來源

2015-03-03 Claire Reynolds

+0

其中u定義烏爾表名? – 2015-03-03 12:34:13

+0

你實際上是在編輯PHPMySQL應用程序還是你的意思是MySQL? – Quentin 2015-03-03 13:21:19

回答

0

你必須取消第$tablename

// Create table 
$tablename = $_POST['tablename'];

其他你真的應該聲明實施針對SQL注入的某種預防。在你的$tablename上使用mysqli預備陳述或mysql_real_escape_string是一個好的開始。

示例轉義:

$tablename = $_POST['tablename']; 
$tablename_escaped = mysql_real_escape_string($tablename); 
$query ="CREATE TABLE '$tablename_escaped' (id, tablename) VALUES(null, '$tablename_escaped')";

實施例使用的mysqli:

$mysqli = new mysqli("yourhost.com", "username", "password", "database"); 
if ($mysqli->connect_errno) { 
    die("Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error); 
} 

$query = "CREATE TABLE ? (id, tablename) VALUES(null, ?)"; 

if (!($stmt = $mysqli->prepare($query))) { 
    die("Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error); 
} 

$tablename = @$_POST['tablename']; 

if (!$stmt->bind_param("ss", $tablename, $tablename)) { 
    die("Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error); 
} 

if (!$stmt->execute()) { 
    die("Execute failed: (" . $stmt->errno . ") " . $stmt->error); 
}

PHP: mysqli - Prepared Statements

來源

2015-03-03 13:11:43 Jan

相關問題

 相關問題