如何停止在PHP中的自動乘法提交表格

Question

這段代碼工作正常，但我的問題是，當我提交（大小）行數據使用PHP這個PHP代碼，所以它是自動繁殖並提交在phpmyadmin這樣的350000

例如我提交一個表單和（尺寸）行數據是

480 * 800個像素，4.3英寸（〜217 PPI像素密度）傳感器： 加速度計，接近

和當我檢查phpmyadmin（size）ro W，使得它是汽車乘法和提交這樣

的（大小）行數據我怎麼能解決這個問題，請大家幫我解決這個問題

感謝

這是php的mysql數據提交代碼

<?php 
    /* 
    NEW.PHP 
    Allows user to create a new entry in the database 
    */ 

    // creates the new record form 
    // since this form is used multiple times in this file, I have made it a function that is easily reusable 
    function renderForm($model, $category, $weight,$size, $error) 
    { 
    ?> 

    <?php 


    // if there are any errors, display them 
    if ($error != '') 
    { 
    echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>'; 
    } 
    ?> 

    <?php 
    } 


    //This is the directory where images will be saved 
    $target = "media/"; 
    $target = $target . basename($_FILES['photo']['name']); 

    //This gets all the other information from the form 

    $photo=($_FILES['photo']['name']); 
    //Writes the photo to the server 
    if(move_uploaded_file($_FILES['photo']['tmp_name'], $target)) 
    { 

    //Tells you if its all ok 
    echo "<center>Photo ". basename($_FILES['uploadedfile']['name']). " has been uploaded, and your information has been added to the directory</center>"; 
    } 


     //connect to database 

     mysql_connect('localhost','root','password'); 
     mysql_select_db('price'); 



    // check if the form has been submitted. If it has, start to process the form and save it to the database 
    if (isset($_POST['submit'])) 
    { 
    // get form data, making sure it is valid 
    $model = mysql_real_escape_string(htmlspecialchars($_POST['model'])); 
    $category = mysql_real_escape_string(htmlspecialchars($_POST['category'])); 
    $weight = mysql_real_escape_string(htmlspecialchars($_POST['weight'])); 
    $size = mysql_real_escape_string(htmlspecialchars($_POST['size'])); 
    $entertainment = mysql_real_escape_string(htmlspecialchars($_POST['entertainment'])); 
    $price = mysql_real_escape_string(htmlspecialchars($_POST['price'])); 
    $date = mysql_real_escape_string(htmlspecialchars($_POST['date'])); 
    $photo = mysql_real_escape_string(htmlspecialchars($_FILES['photo']['name'])); 

    // check to make sure both fields are entered 
    if ($model == '' || $category == '') 
    { 
    // generate error message 
    $error = 'ERROR: Please fill in all required fields!'; 

    // if either field is blank, display the form again 
    renderForm($model, $category, $weight, $size,$error); 
    } 
    else 
    { 
    // save the data to the database 
     mysql_query("INSERT mprice SET model='$model', category='$category', weight='$weight', size='$size', entertainment='$entertainment', price='$price', date='$date', photo='$photo'") 
    or die(mysql_error()); 
    echo "<center>Done!</center>"; 
    // once saved, redirect back to the view page 

    } 
    } 
    else 
    // if the form hasn't been submitted, display the form 
    { 
    renderForm('','','','','','','',''); 
    } 




    ?> 

Answer 1

你正在經歷sql注入。也就是說，您允許用戶提交的代碼在您的數據庫服務器中運行。字符串480 * 800是代碼，MySQL服務器正在爲您運行它。

這是不是在互聯網上的一個很酷的功能。對你來說幸運的是，你的行中沒有;DROP TABLE mprice;加速計，呃？

請考慮使用綁定變量。如果您將MySQL API升級到mysqli_或PDO，這是最容易做到的。