小贝子编程

在数据库中创建一个新表



我有一个php文件中的表单。在发送表单时,我调用一个test.php文件,该文件检查接收到的数据的有效性,并将它们插入数据库的表中。我还想在数据库中创建一个名为$category_ $username的新表。文件如下:

<?php
if(isset($_POST['mySubmit'])) {
$db = mysqli_connect('localhost','root','','DBsito');
if (!$db)
{
die('Could not connect to database: ' . mysqli_error());
}
$db_select = mysqli_select_db($db, 'DBsito');
//Salva il nome del file
$imagename = $_FILES['icona']['name'];
//tipo del file
$imagetype = $_FILES['icona']['type'];
$imagetemp = $_FILES['icona']['tmp_name'];

//Path dell'upload
$imagePath = "img/upload/";

if(is_uploaded_file($imagetemp)) {
if(move_uploaded_file($imagetemp, $imagePath . $imagename)) {
echo "Sussecfully uploaded your image.";
}
else {
echo "Failed to move your image.";
}

}
else {
echo "Failed to upload your image.";
}
$categoria = mysqli_real_escape_string($db, $_POST['categoria']);
$username = mysqli_real_escape_string($db, $_POST['utente']);
$result = mysqli_query($db, "SELECT categoria.nome_categoria, categoria.user_utente FROM categoria WHERE BINARY categoria.nome_categoria = BINARY '$categoria' AND BINARY categoria.user_utente = BINARY '$username' ");
if(!empty($categoria) && mysqli_num_rows($result)) {
$name_error = "Categoria già esistente!";
}
else if (!empty($categoria)){
$query = "INSERT INTO categoria (nome_categoria, user_utente, icona) values ('$categoria','$username', '$imagename')";
$db->query("CREATE TABLE '$categoria'_'$username'");
// sql to create table
$sql = "CREATE TABLE $categoria'_'$username (
)";

if ($db->query($sql) === TRUE) {
echo "Table MyGuests created successfully";
} else {
echo "Error creating table: " . $db->error;
}
if(!mysqli_query($db, $query)){
die("DAMMIT");
}
else{ 
{ header("Location: confermaCategoria.php"); }
}
mysqli_query($db, $query);
}
else {
$name_error = "";
}
mysqli_close($db);
}
?>

数据被插入到数据库中的现有表中,但我无法创建新表。我该怎么办?我哪里错了?

表名前后的引号不正确。您还必须在表中指定至少一个列。我已经创建了几个列,您应该用您需要的名称和类型替换它们。

$sql = "CREATE TABLE `{$categoria}_{$username}` (
id INT NOT NULL AUTO_INCREMENT PRIMARY KEY
col1 VARCHAR(100)";

您还需要添加$categoria$username的验证以防止SQL注入。不能使用带参数的预处理语句作为表/列名,因此必须自己验证它们。使用mysqli_real_escape_string()也没有什么意义,因为转义在这些名称中不起作用。

通常,如果像这样动态地创建表名,那么您的数据库设计很差。动态信息应该在表数据中,而不是在表/列名中。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium