从自定义表单将数据插入 Wordpress 数据库表

Posted

技术标签:

【中文标题】从自定义表单将数据插入 Wordpress 数据库表【英文标题】:Insert data into Wordpress database table from a custom form 【发布时间】:2014-12-22 07:33:12 【问题描述】:

我正在尝试通过创建表将数据插入 Wordpress 数据库。我已经创建了表格,但是当我尝试从表单插入数据时,它不会插入数据。我检查了数据库连接是否有效,但插入没有发生。有人可以帮我吗?这是我的代码:-

<?php
    require_once('/wp-config.php');
    global $wpdb;

    if(isset($_POST['submit']))
        $wpdb->insert( 'wp_post_job', array( 'organizationname' =>
        $_POST['organizationname'], 'post' => $_POST['post'], 'publishfrom' =>
        $_POST['publishfrom'], 'publishupto' => $_POST['publishupto'],
        'qualification1' => $_POST['qualification1'], 'qualification2' =>
        $_POST['qualification2'], 'qualification3' => $_POST['qualification3'],
       'qualification4' => $_POST['qualification4'], 'experience1' =>
        $_POST['experience1'], 'experience2' => $_POST['experience2'],
       'experience3' => $_POST['experience3'], 'training1' => $_POST['training1'], 'training2' => $_POST['training2'], 'training3' => $_POST['training3'],
       'training4' => $_POST['training4'], 'training5' => $_POST['training5'] ),
        array( '$s', '$s', '$s', '$s', '$s', '$s', '$s', '$s', '$s', '$s', '$s', '$s', '$s', '$s', '$s', '$s' ) );
    
?>

<?php
/*
Template Name: Form
*/
?>
<?php global $pc_theme_object; /* Reference theme framework class */ ?>
<?php get_header(); ?>

<form action="" id="postjob" method="post">
    <table>
        <tr>
            <td><label for="organizationname">Organization Name:</label></td>
            <td><input type="text" name="organizationname" id="organizationname" value="/></td>
        </tr>
        <tr>
            <td><label for="post">Post:</label></td>
            <td><input type="text" name="post" id="post" value="" /></td>
        </tr>
        <tr>
            <td><label for="publishfrom">Publish From:</label></td>
            <td><input type="text" name="publishfrom" id="publishfrom" /></td>
        </tr>
        <tr>
            <td><label for="publishupto">Publish Upto:</label></td>
            <td><input type="text" name="publishupto" id="publishupto" /></td>
        </tr>
        <tr>
            <td><label for="qualification">Qualification:</label></td>
            <td><input type="text" name="qualification1" id="qualification1" /></td>
            <td><input type="text" name="qualification2" id="qualification2" /></td>
            <td><input type="text" name="qualification3" id="qualification3" /></td>
            <td><input type="text" name="qualification4" id="qualification4" /></td>
        </tr>
        <tr>
            <td><label for="experience">Experience:</label></td>
            <td><input type="text" name="experience1" id="experience1"/></td>
            <td><input type="text" name="experience2" id="experience2"/></td>
            <td><input type="text" name="experience3" id="experience3"/></td>
        </tr>
        <tr>
            <td><label for="training">Training:</label></td>
            <td><input type="text" name="training1" id="training1" />></td>
            <td><input type="text" name="training2" id="training2" /></td>
            <td><input type="text" name="training3" id="training3" /></td>
            <td><input type="text" name="training4" id="training4" /></td>
            <td><input type="text" name="training5" id="training5" /></td>
        </tr>
        <tr>
            <td><button type="submit" name="submit">Submit</button></td>
        </tr>
    </table>
</form>

<?php get_footer(); ?>

【问题讨论】:

【参考方案1】:

将“$s”替换为“%s”

使用此代码

if ( isset( $_POST['submit'] ) )

         global $wpdb;
         $tablename = $wpdb->prefix.'post_job';

        $wpdb->insert( $tablename, array(
            'organizationname' => $_POST['organizationname'], 
            'post' => $_POST['post'],
            'publishfrom' => $_POST['publishfrom'], 
            'publishupto' => $_POST['publishupto'],
            'qualification1' => $_POST['qualification1'], 
            'qualification2' => $_POST['qualification2'], 
            'qualification3' => $_POST['qualification3'],
            'qualification4' => $_POST['qualification4'], 
            'experience1' => $_POST['experience1'], 
            'experience2' => $_POST['experience2'],
            'experience3' => $_POST['experience3'], 
            'training1' => $_POST['training1'], 
            'training2' => $_POST['training2'], 
            'training3' => $_POST['training3'],
            'training4' => $_POST['training4'], 
            'training5' => $_POST['training5'] ),
            array( '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) 
        );
    

【讨论】:

Wordpress 法典中提到了格式参数“如果省略,$data 中的所有值都将被视为字符串,除非在 wpdb::$field_types 中另有说明”。在这种情况下,这似乎是明智的做法。 codex.wordpress.org/Class_Reference/wpdb#INSERT_row【参考方案2】:

你可以用这个

<?php

if ( isset( $_POST['submit'] ) )

    global $wpdb;


    $tablename=$wpdb->prefix.'post_job';

    $data=array(
        'organizationname' => $_POST['organizationname'], 
        'post' => $_POST['post'],
        'publishfrom' => $_POST['publishfrom'], 
        'publishupto' => $_POST['publishupto'],
        'qualification1' => $_POST['qualification1'], 
        'qualification2' => $_POST['qualification2'], 
        'qualification3' => $_POST['qualification3'],
        'qualification4' => $_POST['qualification4'], 
        'experience1' => $_POST['experience1'], 
        'experience2' => $_POST['experience2'],
        'experience3' => $_POST['experience3'], 
        'training1' => $_POST['training1'], 
        'training2' => $_POST['training2'], 
        'training3' => $_POST['training3'],
        'training4' => $_POST['training4'], 
        'training5' => $_POST['training5'] );


     $wpdb->insert( $tablename, $data);


?>

【讨论】:

很高兴您的代码可以正常工作。不过,我没有看到任何可以清理您的输入的内容。鉴于您使用 $_POST 变量进行直接提交,因此您可能希望考虑清理,否则安全风险相当高。【参考方案3】:

每个人都给出了正确的答案。但还有更多。如果您想要更高的安全性,那么最好使用 WordPress pdo 来更好地防御 SQL 攻击。

global $wpdb;

$table_name = $wpdb->prefix."table_name_after_the_prefix";

$sql = $wpdb->prepare( "INSERT INTO ".$table_name." (name, email, contact ) VALUES ( %s, %s, %d )", $name, $email, $contact );
$wpdb->query($sql);

// get the inserted record id.

$id = $wpdb->insert_id;

参考文献

https://developer.wordpress.org/reference/classes/wpdb/#protect-queries-against-sql-injection-attacks

【讨论】:

以上是关于从自定义表单将数据插入 Wordpress 数据库表的主要内容,如果未能解决你的问题,请参考以下文章

将语句插入自定义 WordPress 数据库

数据不会不断地从自定义 wordpress 表中加载

Wordpress - PHP:如何将表单中的选定数据放入文本区域?

在 wordpress 自定义模板中显示插入的数据

如何从自定义页面模板调用 WordPress 插件功能?

WordPress > 从自定义帖子类型获取自定义分类