仅当输入不为空时才如何输入SQL数据(How to enter SQL data only if input is not empty)

仅当输入不为空时才如何输入SQL数据(How to enter SQL data only if input is not empty)

我正在为我工​​作的小型工具和模具店创建采购订单表单/数据库。 我有一个表单设置，包含公司，客户名称，工具和零件的下拉框。 除了这些下拉菜单，用户可以将新数据输入到数据库中的文本框。 目前，我正在使用一个包含大约13个if语句的PHP文件来确定哪些输入框是空的以及需要插入哪些数据。

这里是我的PHP文件的一部分，只有2条if语句：

<?php $servername = "localhost"; $username = "root"; $password = "password"; $dbname = "Purchase_Orders"; $NewCompany=$_POST['NewCompany']; $NewCustomer=$_POST['NewCustomer']; $NewTool=$_POST['NewTool']; $NewPart=$_POST['NewPart']; $Company=$_POST['Company']; $Customer=$_POST['Customer']; $Tool=$_POST['Tool']; // NewCompany added by itself with NewCustomer, NewTool, and NewPart empty if (!empty($NewCompany) && empty($NewCustomer) && empty($NewTool) && empty($NewPart)) { $conn = new mysqli($servername, $username, $password, $dbname); if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } $sql = "INSERT INTO Purchase_Orders_dynlist_items (listid,name,value,parent) VALUES ('1', '$NewCompany', '$NewCompany',NULL), ('2', '', '', '$NewCompany'), ('3', '', '', '$NewCompany')"; if ($conn->query($sql) === TRUE) { header( 'Location: index.html'); exit; } else { echo "Error: " . $sql . "<br>" . $conn->error; } } // NewCompany and NewCustomer added with NewTool and NewPart empty if (!empty($NewCompany) && !empty($NewCustomer) && empty($NewTool) && empty($NewPart)) { $conn = new mysqli($servername, $username, $password, $dbname); if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } $sql = "INSERT INTO Sales_Orders_dynlist_items (listid,name,value,parent) VALUES ('1', '$NewCompany', '$NewCompany',NULL), ('2', '', '', '$NewCompany'), ('2', '$NewCustomer', '$NewCustomer', '$NewCompany'), ('3', '', '', '$NewCompany')"; if ($conn->query($sql) === TRUE) { header( 'Location: index.html'); exit; } else { echo "Error: " . $sql . "<br>" . $conn->error; } } else { echo '<meta http-equiv="refresh" content="0;url=purchase_orders/"/>'; exit; } $conn->close(); ?>

所以，我的问题是，我可以简化这个代码，它只在非空的时候输入数据。 所以例如，而不是if (!empty($NewCompany) && empty($NewCustomer) && empty($NewTool) && empty($NewPart)) {我可以让它输入什么数据输入？ 换句话说，不是有13个不同的if语句，而只是输入基于哪些输入框不是空白的数据。

我正在尝试这样的事情：

if (!empty($NewCompany)) { $conn->query("INSERT INTO Purchase_Orders_dynlist_items (listid,name,value,parent) VALUES ('1', '$NewCompany', '$NewCompany',NULL)"); } if (!empty($NewCustomer)) { $conn->query("INSERT INTO Purchase_Orders_dynlist_items (listid,name,value,parent) VALUES ('2', '$NewCustomer', '$NewCustomer', '$NewCompany')"); }

但这只是做一个或另一个。 如果这两个输入字段都有数据，则数据不会被输入。 我知道这段代码容易受到SQL注入的攻击。 这只会在我们的本地网络上运行/使用，所以这不是我过分担心的事情。

也许有人能给我一个正确的方向？ 谢谢！

I am creating a Purchase Orders form/database for a small tool and die shop I work for. I have a form setup with drop down boxes for Company, Customer Name, Tool, and Part. Alongside these dropdowns are text boxes that the user can input new data into the database. Currently I am using a PHP file with about 13 if statements to determine what input boxes are empty and where data needs to be inserted.

Here is part of my PHP file with just 2 of the if statements:

<?php $servername = "localhost"; $username = "root"; $password = "password"; $dbname = "Purchase_Orders"; $NewCompany=$_POST['NewCompany']; $NewCustomer=$_POST['NewCustomer']; $NewTool=$_POST['NewTool']; $NewPart=$_POST['NewPart']; $Company=$_POST['Company']; $Customer=$_POST['Customer']; $Tool=$_POST['Tool']; // NewCompany added by itself with NewCustomer, NewTool, and NewPart empty if (!empty($NewCompany) && empty($NewCustomer) && empty($NewTool) && empty($NewPart)) { $conn = new mysqli($servername, $username, $password, $dbname); if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } $sql = "INSERT INTO Purchase_Orders_dynlist_items (listid,name,value,parent) VALUES ('1', '$NewCompany', '$NewCompany',NULL), ('2', '', '', '$NewCompany'), ('3', '', '', '$NewCompany')"; if ($conn->query($sql) === TRUE) { header( 'Location: index.html'); exit; } else { echo "Error: " . $sql . "<br>" . $conn->error; } } // NewCompany and NewCustomer added with NewTool and NewPart empty if (!empty($NewCompany) && !empty($NewCustomer) && empty($NewTool) && empty($NewPart)) { $conn = new mysqli($servername, $username, $password, $dbname); if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } $sql = "INSERT INTO Sales_Orders_dynlist_items (listid,name,value,parent) VALUES ('1', '$NewCompany', '$NewCompany',NULL), ('2', '', '', '$NewCompany'), ('2', '$NewCustomer', '$NewCustomer', '$NewCompany'), ('3', '', '', '$NewCompany')"; if ($conn->query($sql) === TRUE) { header( 'Location: index.html'); exit; } else { echo "Error: " . $sql . "<br>" . $conn->error; } } else { echo '<meta http-equiv="refresh" content="0;url=purchase_orders/"/>'; exit; } $conn->close(); ?>

So, my question here is can I simplify this code to where it will only input the data when it is not empty. So for instance instead of if (!empty($NewCompany) && empty($NewCustomer) && empty($NewTool) && empty($NewPart)) { could I just have it enter what data is inputted? In other words, instead of having 13 different if statements, only enter data based on what input boxes are not blank.

I was trying something like this:

if (!empty($NewCompany)) { $conn->query("INSERT INTO Purchase_Orders_dynlist_items (listid,name,value,parent) VALUES ('1', '$NewCompany', '$NewCompany',NULL)"); } if (!empty($NewCustomer)) { $conn->query("INSERT INTO Purchase_Orders_dynlist_items (listid,name,value,parent) VALUES ('2', '$NewCustomer', '$NewCustomer', '$NewCompany')"); }

But this was only doing one OR the other. If both of those input fields had data, the data would not be inputted. I am aware that this code is vulnerable to SQL Injection. This is only going to be run/used on our local network, so it's not something I'm overly worried about.

Maybe someone can give me a push in the right direction? Thanks!

最满意答案

你可以尝试下面的方法，它建立一个你想要插入的数据的数组，然后用准备好的语句迭代这个列表并将每组数据传递给插入...

$data = []; if (!empty($NewCompany)) { $data[] = [ '1', $NewCompany, $NewCompany, NULL ]; } if (!empty($NewCustomer)) { $data[] = [ '2', $NewCustomer, $NewCustomer, $NewCompany ]; } $insert = $conn->prepare("INSERT INTO Purchase_Orders_dynlist_items (listid,name,value,parent) VALUES (?, ?, ?,?)"); if ( $insert === false ) { echo "Error:".$conn->error; die; } foreach ( $data as $item ){ if ( $insert->bind_param("isss", ...$item) === false ) { echo "Error:".$conn->error; } if ( $insert->execute() === false ) { echo "Error:".$conn->error; } }

这使您可以为每个项目构建数据的各种配置，如果存在标准模式，则可以将其提取到一个函数中。

function addData( $field, &$data ) { if ( !empty($field) ) { $data[] = [ '1', $field, $field, NULL ]; } } addData($NewCompany, $data ); addData($NewCustomer, $data );

You could try the following approach, which builds up an array of the data you want to insert and then iterates over this list with a prepared statement and passing each set of data to the insert...

$data = []; if (!empty($NewCompany)) { $data[] = [ '1', $NewCompany, $NewCompany, NULL ]; } if (!empty($NewCustomer)) { $data[] = [ '2', $NewCustomer, $NewCustomer, $NewCompany ]; } $insert = $conn->prepare("INSERT INTO Purchase_Orders_dynlist_items (listid,name,value,parent) VALUES (?, ?, ?,?)"); if ( $insert === false ) { echo "Error:".$conn->error; die; } foreach ( $data as $item ){ if ( $insert->bind_param("isss", ...$item) === false ) { echo "Error:".$conn->error; } if ( $insert->execute() === false ) { echo "Error:".$conn->error; } }

This allows you to build up various configurations of the data for each item, if there is a standard pattern, you can extract this out to a function...

function addData( $field, &$data ) { if ( !empty($field) ) { $data[] = [ '1', $field, $field, NULL ]; } } addData($NewCompany, $data ); addData($NewCustomer, $data );