PHP Gets the value of input in HTML written to the database

Html:

Php:

The red box in PHP need to be in the HTML, name= "New_title_info" value to get to, how to write here? I wrote Echo at the bottom. $sql to look at the statement I inserted, before the result found that the face value is empty, and now the solution diagram of the change directly prompt

The problem is still in the $sql= ".... How do you change this line?

Reply content:

Html:

Php:

The red box in PHP need to be in the HTML, name= "New_title_info" value to get to, how to write here? I wrote Echo at the bottom. $sql to look at the statement I inserted, before the result found that the face value is empty, and now the solution diagram of the change directly prompt

The problem is still in the $sql= ".... How do you change this line?

$_POST('key') 在“ ”双引号里面的关联数组不需要加‘ ’单引号$sql="insert into table() values('$_POST[key]')";

Use a period to do concatenate your string. Although it is not safe to do so. More recommended for parameterized query

First of all, your purely handwritten mysql_query is easily injected into SQL. Second, if the question of SQL statements is suspected, it is recommended to echo the specific values to meet the expectations, make some validity judgments, and then build the SQL statement.

Simple point to write separately
$name = $_post[' new_title_info ');
$class = $_post[' new_class_info ');
$sql = "Insert into table (xxx,xxx) VALUES ($name, $class)";

If you ask for a code review in your workgroup, you'll be damned dead ...
User input variable really can't insert SQL directly ...
Other than that.. All you have to do is print the SQL statement you assembled. Then take the statement directly to the database execution will know ... I have a visual problem with a single quote.

The feeling is also a single quote problem.

You print the SQL statement, look at the format is right, put in MySQL run a run to see the problem

It does not work for you to use single quotation marks in this way $_POST . In the PHP single quotation mark is not to execute the internal variables, you can change into double quotation marks on it. So many answers have been put forward so easy to SQL inject is good advice, you need to handle the accepted data to deal with escape processing SQL injection.

"INSERT into table_name (columns) VALUES ({$_post[' key '})",

Surround with curly braces for added readability
Say a digression, all user input to filter, do not plug directly into the database

Written in the form of $_post[key].

By the way!
Do not spell SQL statements directly, not secure. Do something like preprocessing to prevent SQL injection attacks.

