根据用户输入和现有dbms数据更新dbms记录(2)

时间:2012-12-13 21:22:54

标签: php database

This is the page that uses this code.我有一个php页面,它从包含电子邮件地址的dbms中提取数据。这有效。然后显示电子邮件地址和其他存储的dbms数据。然后,用户可以选择在名为emailselected的php页面中设计的字段中放置“X”。这也有效。我现在想要根据存储的电子邮件地址使用新字段更新dbms,但更新语句不起作用。请帮忙。代码列在这里:

    include("db.php");
if (isset($_POST['ssubmit']))
    {
    $id_save = $test['id'];
    $emailselected_save = $_POST['emailselected'];
    $email_save = $test['email'];

    $rc = mysql_query("UPDATE emails SET selected='$emailselected_save' WHERE id = 'id'");
if (!$result) {
    die('What?: ' . mysql_error());
}
$num = mysql_affected_rows();
printf("Updated %d rows\n", $num);

    echo "<input type='button' value='Email(s) sent' onclick='goBack()' />";
mysql_close($conn);
    } else {echo "hello";}
?>
<form method='post'>
    <div id='headd'>
    <br />
    <input type='button' value='Close this window without Sending' onclick='goBack()' />
    <input type='submit' name='ssubmit' id='ssubmit' value='Send Email Now!!!' />
    <p>Place an "X" in the emails you wish to send!!!</p>
    </div>
        <br /><br/>

<?php
    include("db.php");  
    $result = mysql_query("SELECT * FROM emails WHERE unsubscribe  != 'x' ORDER BY lastname ASC");
            while($test = mysql_fetch_array($result))
            {
?>
    <table border='1' width='78%'>
    <tr align=\"left\">
        <td width='4%'><font color='black'><input type='text' size='1' id='emailselected' name='emailselected' /></font></td>
        <td width='15%'><font color='black'><?php echo $test['lastname']?></font></td>
        <td width='15%'><font color='black'><?php echo $test['firstname']?></font></td>
        <td width='40%'><font color='black'><?php echo $test['email']?></font></td>
        <td width='4%'><font color='black'><?php echo $test['id']?></font></td>
    </tr>
</table>
<?php
            }
?>
</form>

1 个答案:

答案 0 :(得分:0)

错误是:

$rc = mysql_query("UPDATE emails SET selected='$emailselected_save' WHERE id = 'id'");

应该是:

$rc = mysql_query("UPDATE emails SET selected='$emailselected_save' WHERE id = '$id_save'");

您的代码容易受到SQL注入攻击。因此您应该过滤数据。但我只想切换到PDO并使用准备好的语句。

http://php.net/manual/en/pdo.prepare.php