PHP MySQL 插入数据
创建完数据库和数据表后,下一步通常是向表中插入数据。本教程将介绍如何使用PHP向MySQL数据表中插入数据,包括MySQLi扩展和PDO(PHP数据对象)两种方式,以及如何安全地处理用户输入。
前提条件
要向MySQL数据表中插入数据,您需要:
- 已创建MySQL数据库和数据表
- 具有插入数据权限的MySQL用户账号
- PHP环境中已启用MySQLi或PDO扩展
使用MySQLi插入数据
MySQLi扩展提供了面向对象和过程式两种方式来插入数据。
1. 面向对象方式
<?php// 数据库连接参数 $servername = "localhost"; $username = "username"; $password = "password"; $dbname = "myDB"; // 创建连接 $conn = new mysqli($servername, $username, $password, $dbname); // 检查连接 if ($conn->connect_error) { die("连接失败: " . $conn->connect_error); } // 准备插入数据 $firstname = "John"; $lastname = "Doe"; $email = "john@example.com"; // SQL插入语句 $sql = "INSERT INTO MyGuests (firstname, lastname, email) VALUES ('$firstname', '$lastname', '$email')"; if ($conn->query($sql) === true) { $last_id = $conn->insert_id; echo "新记录创建成功,ID: " . $last_id; } else { echo "错误: " . $sql . "
" . $conn->error; } // 关闭连接 $conn->close(); ?>
2. 过程式方式
<?php// 数据库连接参数 $servername = "localhost"; $username = "username"; $password = "password"; $dbname = "myDB"; // 创建连接 $conn = mysqli_connect($servername, $username, $password, $dbname); // 检查连接 if (!$conn) { die("连接失败: " . mysqli_connect_error()); } // 准备插入数据 $firstname = "John"; $lastname = "Doe"; $email = "john@example.com"; // SQL插入语句 $sql = "INSERT INTO MyGuests (firstname, lastname, email) VALUES ('$firstname', '$lastname', '$email')"; if (mysqli_query($conn, $sql)) { $last_id = mysqli_insert_id($conn); echo "新记录创建成功,ID: " . $last_id; } else { echo "错误: " . $sql . "
" . mysqli_error($conn); } // 关闭连接 mysqli_close($conn); ?>
使用PDO插入数据
PDO(PHP数据对象)也提供了插入数据的功能。
<?php// 数据库连接参数 $servername = "localhost"; $username = "username"; $password = "password"; $dbname = "myDB"; // 尝试连接数据库 try { $conn = new PDO("mysql:host=$servername;dbname=$dbname;charset=utf8mb4", $username, $password); // 设置PDO错误模式为异常 $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // 准备插入数据 $firstname = "John"; $lastname = "Doe"; $email = "john@example.com"; // SQL插入语句 $sql = "INSERT INTO MyGuests (firstname, lastname, email) VALUES ('$firstname', '$lastname', '$email')"; // 使用exec(),因为不需要返回结果 $conn->exec($sql); $last_id = $conn->lastInsertId(); echo "新记录创建成功,ID: " . $last_id; } catch(PDOException $e) { echo "错误: " . $sql . "
" . $e->getMessage(); } // 关闭连接 $conn = null; ?>
安全地插入数据(防止SQL注入)
直接将用户输入插入到SQL语句中是不安全的,可能导致SQL注入攻击。为了安全地插入数据,应该使用预处理语句。
1. MySQLi预处理语句
<?php
// 数据库连接参数
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// 创建连接
$conn = new mysqli($servername, $username, $password, $dbname);
// 检查连接
if ($conn->connect_error) {
die("连接失败: " . $conn->connect_error);
}
// 准备预处理语句
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);
// 设置参数并执行
$firstname = "John";
$lastname = "Doe";
$email = "john@example.com";
$stmt->execute();
$firstname = "Mary";
$lastname = "Moe";
$email = "mary@example.com";
$stmt->execute();
$firstname = "Julie";
$lastname = "Dooley";
$email = "julie@example.com";
$stmt->execute();
echo "新记录插入成功";
// 关闭语句和连接
$stmt->close();
$conn->close();
?>2. PDO预处理语句
<?php
// 数据库连接参数
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// 尝试连接数据库
try {
$conn = new PDO("mysql:host=$servername;dbname=$dbname;charset=utf8mb4", $username, $password);
// 设置PDO错误模式为异常
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 准备预处理语句
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (:firstname, :lastname, :email)");
// 绑定参数并执行
$stmt->bindParam(':firstname', $firstname);
$stmt->bindParam(':lastname', $lastname);
$stmt->bindParam(':email', $email);
// 设置参数并执行
$firstname = "John";
$lastname = "Doe";
$email = "john@example.com";
$stmt->execute();
$firstname = "Mary";
$lastname = "Moe";
$email = "mary@example.com";
$stmt->execute();
$firstname = "Julie";
$lastname = "Dooley";
$email = "julie@example.com";
$stmt->execute();
echo "新记录插入成功";
} catch(PDOException $e) {
echo "错误: " . $e->getMessage();
}
// 关闭连接
$conn = null;
?>插入表单数据
在实际应用中,我们经常需要将HTML表单中的数据插入到数据库中。以下是一个完整的示例:
<?php
// 定义变量并设置为空值
$firstname = $lastname = $email = "";
$firstname_err = $lastname_err = $email_err = "";
// 处理表单提交
if ($_SERVER["REQUEST_METHOD"] == "POST") {
// 验证名字
if (empty(trim($_POST["firstname"])) {
$firstname_err = "请输入名字";
} else {
$firstname = trim($_POST["firstname"]);
}
// 验证姓氏
if (empty(trim($_POST["lastname"])) {
$lastname_err = "请输入姓氏";
} else {
$lastname = trim($_POST["lastname"]);
}
// 验证邮箱
if (empty(trim($_POST["email"])) {
$email_err = "请输入邮箱地址";
} elseif (!filter_var(trim($_POST["email"]), FILTER_VALIDATE_EMAIL)) {
$email_err = "请输入有效的邮箱地址";
} else {
$email = trim($_POST["email"]);
}
// 检查输入错误是否存在
if (empty($firstname_err) && empty($lastname_err) && empty($email_err)) {
// 数据库连接参数
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";
// 创建连接
$conn = new mysqli($servername, $username, $password, $dbname);
// 检查连接
if ($conn->connect_error) {
die("连接失败: " . $conn->connect_error);
}
// 准备预处理语句
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);
// 执行语句
if ($stmt->execute()) {
// 记录创建成功,重定向到成功页面
header("location: success.php");
exit;
} else {
echo "抱歉,发生了错误,请稍后再试。";
}
// 关闭语句和连接
$stmt->close();
$conn->close();
}
}
?><!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<title>创建记录</title>
<style>
.form-group {
margin-bottom: 15px;
}
.error {
color: #ff0000;
}
</style>
</head>
<body>
<h2>创建记录</h2>
<p>请填写此表单以创建记录。</p>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
<div class="form-group <?php echo (!empty($firstname_err)) ? 'has-error' : ''; ?>">
<label>名字</label>
<input type="text" name="firstname" value="<?php echo $firstname; ?>">
<span class="error"><?php echo $firstname_err; ?></span>
</div>
<div class="form-group <?php echo (!empty($lastname_err)) ? 'has-error' : ''; ?>">
<label>姓氏</label>
<input type="text" name="lastname" value="<?php echo $lastname; ?>">
<span class="error"><?php echo $lastname_err; ?></span>
</div>
<div class="form-group <?php echo (!empty($email_err)) ? 'has-error' : ''; ?>">
<label>邮箱</label>
<input type="text" name="email" value="<?php echo $email; ?>">
<span class="error"><?php echo $email_err; ?></span>
</div>
<div class="form-group">
<input type="submit" value="提交">
</div>
</form>
</body>
</html>获取插入的ID
在插入记录后,我们经常需要获取刚刚插入记录的ID。以下是如何获取插入ID的方法:
MySQLi方式
<?php
// 插入记录后获取ID
$last_id = $conn->insert_id; // 面向对象方式
$last_id = mysqli_insert_id($conn); // 过程式方式
echo "新记录ID: " . $last_id;
?>PDO方式
<?php
// 插入记录后获取ID
$last_id = $conn->lastInsertId();
echo "新记录ID: " . $last_id;
?>插入NULL值
有时我们需要向数据库中插入NULL值,以下是如何操作:
MySQLi方式
<?php
// 使用预处理语句插入NULL值
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
// 设置参数,其中email为NULL
$firstname = "John";
$lastname = "Doe";
$email = null;
// 绑定参数时,需要指定类型为NULL
$stmt->bind_param("sss", $firstname, $lastname, $email);
$stmt->execute();
?>PDO方式
<?php
// 使用预处理语句插入NULL值
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (:firstname, :lastname, :email)");
// 绑定参数,其中email为NULL
$stmt->bindValue(':firstname', 'John');
$stmt->bindValue(':lastname', 'Doe');
$stmt->bindValue(':email', null, PDO::PARAM_NULL);
$stmt->execute();
?>最佳实践
- 始终使用预处理语句来防止SQL注入
- 对所有用户输入进行验证和过滤
- 使用try/catch块捕获和处理可能的错误
- 插入数据后,验证数据是否成功插入
- 当处理敏感数据时,考虑加密
- 对于大数据量插入,考虑使用事务
- 不要依赖客户端验证,始终在服务器端进行验证
- 使用适当的数据类型来存储数据
- 考虑设置合理的默认值
- 定期备份数据库以防止数据丢失