Mysql插入语句未在数据库中插入数据

Question

我的 MySQL 查询应该插入来自表单的数据输入。没有给出错误。我认为这段代码绝对没有错。我之前已将此代码用于其他表，并且可以正常工作。请忽略 isset 进行更新。那是为了别的东西。 writerID、illustratorID 和 publisherName 是来自不同表的外键。会是这个问题吗？

<?php

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "graphicnoveldb";

$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// get results from database

if(isset($_POST['update'])){
    $UpdateQuery = "Update graphicnovel Set
                    graphicNovelTitle='$_POST[graphicnoveltitle]',
                    genre='$_POST[genre]',
                    synopsis='$_POST[synopsis]',
                    review='$_POST[review]',
                    rating='$_POST[rating]',
                    writerID='$_POST[writerID]',
                    illustratorID='$_POST[illustratorID]',
                    coverPage='$_POST[coverpage]'
                    Where graphicNovelTitle='$_POST[hidden]'";
    mysqli_query($conn,$UpdateQuery);

};


if(isset($_POST['add'])){
    $AddQuery = "Insert into graphicnovel (graphicNovelTitle, genre, synopsis, review, rating, writerID, illustratorID, publisherName, datePublished, coverPage)
                Values('$_POST[ugraphicnoveltitle]',
                      '$_POST[ugenre]',
                      '$_POST[usynopsis]',
                      '$_POST[ureview]',
                      '$_POST[urating]',
                      '$_POST[uwriterID]',
                      '$_POST[uillustratorID]',
                      '$_POST[upublishername]',
                      '$_POST[udatepublished]',
                      '$_POST[ucoverpage]')";
    mysqli_query($conn,$AddQuery);

};



$sql="SELECT * FROM graphicnovel";

$result = mysqli_query($conn,$sql);



echo "<table>";



echo "<form action = ModifyGraphicNovel.php method =post>";

echo"<tr><th>New Graphic Novel Title</th>";
echo '<td><input type=text name= ugraphicnoveltitle></td></tr>';

echo"<tr><th>New Genre</th>";
echo '<td><input type=text name= ugenre></td></tr>';

echo"<tr><th>New Synopsis</th>";
echo '<td><textarea name= usynopsis  rows = 5 cols = 70 border =5 value=></textarea></tr>';

echo"<tr><th>New Review</th>";
echo '<td><textarea name= ureview  rows = 5 cols = 70 border =5 value=></textarea></tr>';

echo"<tr><th>New Rating</th>";
echo '<td><input type=text name= urating></td></tr>';

echo"<tr><th>New Writer ID</th>";
echo '<td><input type=text name= uwriterID></td></tr>';

echo"<tr><th>New Illustrator ID</th>";
echo '<td><input type=text name= uillustratorID></td></tr>';

echo"<tr><th>New Publisher Name</th>";
echo '<td><input type=text name= upublishername></td></tr>';

echo"<tr><th>New Date Published</th>";
echo '<td><input type=date name= udatepublished></td></tr>';

echo"<tr><th>New Coverpage</th>";
echo '<td><input type=text name= ucoverpage></td></tr>';



echo '<tr><td>' . "<input type = submit name=add value=add" . ' </td></tr>';

echo "</form>";
echo "</table>";
// close table>


$conn->close();
?>

Answer 1

1. 如上所述，您必须在数组键周围使用引号，并且当数组位于带引号的字符串中时，还必须始终在数组周围使用花括号。

2. 应该使用转义或更好的绑定参数来防止 SQL 注入。这也会使第一个问题变得更容易......

if(isset($_POST['add'])){

  $AddQuery = $conn->prepare("Insert into graphicnovel (graphicNovelTitle, 
             genre, synopsis, review, rating, writerID, illustratorID,
             publisherName, datePublished, coverPage) VALUES (?,?,?,?,?,?,?,?,?,?)");
  $addQuery->bind_param($_POST['ugraphicnoveltitle'],
                  $_POST['ugenre'],
                  $_POST['usynopsis'],
                  $_POST['ureview'],
                  $_POST['urating'],
                  $_POST['uwriterID'],
                  $_POST['uillustratorID'],
                  $_POST['upublishername'],
                  $_POST['udatepublished'],
                  $_POST['ucoverpage']);

  $addQuery->execute();

  printf("%d Row inserted.\n", $addQuery->affected_rows);
  $addQuery->close();


}