dps43378 2015-06-22 13:21 采纳率: 0%
浏览 57
已采纳

如何创建多个jquery表单字段并插入mysql数据库,而不使用mysql_real_escape_string

I need to create dynamic text fields with a button (which simply adds a new row of dynamic text fields). Then I need to INSERT the data in a in the database. I borrowed an example of what I need done from someone else's question, the problem is, it uses mysql_real_escape_string, which is now depreciated. I am new to this, so could you tell me what I would use instead of the mysql_real_escape_string? 

$(function(){
    $('p#add_field').click(function(){
        counter += 1;
        $('#container').append(
        '<strong>Hobby No. ' + counter + '</strong><br />' 
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][name]' + '" type="text" /><br />' +
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][surname]' + '" type="text" /><br />' +
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][age]' + '" type="text" /><br />' +
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][gender]' + '" type="text" /><br />');

    });
});
</script>
if (isset($_POST['submit_val'])) {
    if ($_POST['dynfields']) {
        foreach ( $_POST['dynfields'] as $key=>$fieldArray ) {

            $keys = array_keys($fieldArray);
            $values = array_map("mysql_real_escape_string",$fieldArray);

            $query = mysql_query("INSERT INTO my_hobbies (".implode(',',$keys).") VALUES ('".implode('\',\'',$values)."')", $connection );  
        }
    }

    echo "<i><h2><strong>" . count($_POST['dynfields']) . "</strong> Hobbies Added</h2></i>";

    mysql_close();
}

</div>
  • 写回答

2条回答 默认 最新

  • douxian6260 2015-06-22 13:30
    关注

    Your problem has nothing to do with jQuery and the form. It is just highly recommended to prevent SQL injection, an attack in which an attacker injects SQL commands into your DB Query by posting it in your form. That's why any data that comes from an untrusted source (eg html form) should be sanitized or at least escaped.

    Here is a good explanation what SQL injection is and how it works.

    As for your question: You can use mysqli_real_escape_string. 

    <?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s
", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

$city = "'s Hertogenbosch";

/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s
", $mysqli->sqlstate);
}

$city = $mysqli->real_escape_string($city);

/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.
", $mysqli->affected_rows);
}

$mysqli->close();
?>
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥20 sub地址DHCP问题
  • ¥15 delta降尺度计算的一些细节,有偿
  • ¥15 Arduino红外遥控代码有问题
  • ¥15 数值计算离散正交多项式
  • ¥30 数值计算均差系数编程
  • ¥15 redis-full-check比较 两个集群的数据出错
  • ¥15 Matlab编程问题
  • ¥15 训练的多模态特征融合模型准确度很低怎么办
  • ¥15 kylin启动报错log4j类冲突
  • ¥15 超声波模块测距控制点灯,灯的闪烁很不稳定,经过调试发现测的距离偏大