dps43378 2015-06-22 13:21 采纳率: 0%
浏览 57
已采纳

如何创建多个jquery表单字段并插入mysql数据库,而不使用mysql_real_escape_string

I need to create dynamic text fields with a button (which simply adds a new row of dynamic text fields). Then I need to INSERT the data in a in the database. I borrowed an example of what I need done from someone else's question, the problem is, it uses mysql_real_escape_string, which is now depreciated. I am new to this, so could you tell me what I would use instead of the mysql_real_escape_string? 

$(function(){
    $('p#add_field').click(function(){
        counter += 1;
        $('#container').append(
        '<strong>Hobby No. ' + counter + '</strong><br />' 
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][name]' + '" type="text" /><br />' +
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][surname]' + '" type="text" /><br />' +
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][age]' + '" type="text" /><br />' +
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][gender]' + '" type="text" /><br />');

    });
});
</script>
if (isset($_POST['submit_val'])) {
    if ($_POST['dynfields']) {
        foreach ( $_POST['dynfields'] as $key=>$fieldArray ) {

            $keys = array_keys($fieldArray);
            $values = array_map("mysql_real_escape_string",$fieldArray);

            $query = mysql_query("INSERT INTO my_hobbies (".implode(',',$keys).") VALUES ('".implode('\',\'',$values)."')", $connection );  
        }
    }

    echo "<i><h2><strong>" . count($_POST['dynfields']) . "</strong> Hobbies Added</h2></i>";

    mysql_close();
}

</div>
  • 写回答

2条回答 默认 最新

  • douxian6260 2015-06-22 13:30
    关注

    Your problem has nothing to do with jQuery and the form. It is just highly recommended to prevent SQL injection, an attack in which an attacker injects SQL commands into your DB Query by posting it in your form. That's why any data that comes from an untrusted source (eg html form) should be sanitized or at least escaped.

    Here is a good explanation what SQL injection is and how it works.

    As for your question: You can use mysqli_real_escape_string. 

    <?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s
", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

$city = "'s Hertogenbosch";

/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s
", $mysqli->sqlstate);
}

$city = $mysqli->real_escape_string($city);

/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.
", $mysqli->affected_rows);
}

$mysqli->close();
?>
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥20 谁能帮我挨个解读这个php语言编的代码什么意思?
  • ¥15 win10权限管理,限制普通用户使用删除功能
  • ¥15 minnio内存占用过大,内存没被回收(Windows环境)
  • ¥65 抖音咸鱼付款链接转码支付宝
  • ¥15 ubuntu22.04上安装ursim-3.15.8.106339遇到的问题
  • ¥15 blast算法(相关搜索:数据库)
  • ¥15 请问有人会紧聚焦相关的matlab知识嘛?
  • ¥15 网络通信安全解决方案
  • ¥50 yalmip+Gurobi
  • ¥20 win10修改放大文本以及缩放与布局后蓝屏无法正常进入桌面