我有以下代码。我尝试使用“提交”按钮将代码插入数据库，但是每次使用它并刷新浏览器时，都会将空字段插入数据库。

<?php
$servername = "localhost";
$username = "root";
$password = "";

//create connection
$cn = new mysqli($servername, $username, $password, "milege");

//check connection
if ($cn->connect_error) {
    echo "Connection failed!". $cn->connect_error;
}

// once the button is clicked
if (isset($_POST['submitForm'])) {
    //the values in the boxes
    $name = $_POST['fname'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $confpass = $_POST['confpass'];
    $interest = $_POST['interest'];
    $info = $_POST['info'];

    //echo "connection successfully";
    //Insert into table
    $sql = "INSERT INTO miltb(name, email, password, interest, info, productorder) VALUES('$name', '$email', '$password', '$interest', '$info', 'none' )";
}

if ($cn->query($sql) == true) {
    ?><script>alert ("INSERTED SUCCESSFULLY!");</script><?php
} else {
    echo "error: " . $sql . "\n" . $cn->error;
}

$cn->close();
?>

空字段插入数据库的原因是因为您没有检查空字段，因此需要首先检查那些空字段，然后如果不存在空字段则不要插入。

好吧，男人，您需要学习很多东西，需要学习

1.SQL Injections

2. mysqli prepared或pdo prepared语句。

3. Password hashing


Filter ,sanitize and validate user inputs


永远不要信任用户的输入，必须始终将用户输入视为来自危险黑客的输入。

然后，使用预准备语句编写的代码应如下所示：

<?php


//create connection
$cn = new mysqli($servername, $username, $password, "milege");

//check connection
if ($cn->connect_error) {
        echo "Connection failed!" . $cn->connect_error;
}

$error = "";
// once the button is clicked
if (isset($_POST['submitForm'])) {


        // check for empty fiels

        if (empty($_POST['fname'])) {

                echo "Enter your name";
                $error++;
        } else {

                $name = userInput($_POST['fname']);

        }

        if (isset($_POST['email'])) {

                echo "enter email";
                $error++;
        } else {

                $email = userInput($_POST['email']);

                // validate email

                if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/", $email)) {

                        echo "enter a valid email";
                        $error++;
                }
        }

        if (empty($_POST['password'])) {

                echo "enter password";
                $error++;
        } else {


                $password = userInput($_POST['password']);

                $hash = password_hash($password, PASSWORS_DEFAULT); //hash the password
        }

        if (!empty($_POST['confpass']) && $_POST['confpass'] !== $_POST['password']) { //password confirmation

                echo "passwords does not match";
                $error++;
        }

        if (empty($_POST['interest'])) {

                echo "enter interests";
                $error++;
        } else {

                $interest = userInput($_POST['interest']);
        }

        if (empty($_POST['info'])) {

                echo "enter info";

                $error++;
        } else {

                $info = userInput($_POST['info']);
        }


        if ($error > 0) { // if we have errors don't insert to db

                echo "you have " . $error . " error(s) on your form plz fix them";


        } else { // no errors lets insert


                // prepare and bind
                $sql = $cn->prepare("INSERT INTO miltb(name, email, password, interest, info) VALUES (?, ?, ?,?,?)");
                $sql->bind_param("sssss", $name, $email, $hash, $interest, $info);

                if ($sql->execute()) {

                        echo "INSERTED SUCCESSFULLY!";
                } else {


                        echo "could not insert ";
                }





        }


        $sql->close();
        $cn->close();



}




function userInput($data)
{


        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;

}


?>