我有一个问题:我的同事玩我的代码,现在它不再工作了。有什么想法吗?这是我的代码,我检查了两次,但无法看到进行了哪些更改以及为什么它无法正常工作
<?php
// Connect to the DB
$link = mysqli_connect("localhost","root","","testlp") or die("Error " . mysqli_error($link));
我将其连接到我的数据库
// store in the DB
if(!empty($_POST['ok'])) {
// first delete the records marked for deletion. Why? Because we don't want to process them in the code below
if( !empty($_POST['delete_ids']) and is_array($_POST['delete_ids'])) {
foreach($_POST['delete_ids'] as $id) {
$sql = "DELETE FROM recherche WHERE id=$id";
$link->query($sql);
}
}
这里我正常地添加到我的数据库
// adding new recherche
if(!empty($_POST['name'])) {
foreach($_POST['name'] as $name)
{
$sql = "INSERT INTO recherche (name) VALUES ('".mysqli_real_escape_string($link,$name)."')";
$link->query($sql);
}
}
}
// select existing recherche here
$sql="SELECT * FROM recherche ORDER BY id";
$result = $link->query($sql);
?>
<html>
<head>
<script type="text/javascript" src="http://ajax.aspnetcdn.com/ajax/jQuery/jquery-2.0.3.js"></script>
</head>
<body>
<div style="width:90%;margin:auto;">
<form method="post">
<div id="itemRows">
Item name: <input type="text" name="add_name" /> <input onclick="addRow(this.form);" type="button" value="Add row" />
<?php
if($result!=false && mysqli_num_rows($result)>0){
while($product = mysqli_fetch_array($result)): ?>
<p id="oldRow<?=$product['id']?>"> Item name: <input type="text" name="name<?=$product['id']?>" value="<?=$product['name']?>" />
<input type="checkbox" name="delete_ids[]" value="<?=$product['id']?>"> Mark to delete</p>
<?php endwhile;
}
?>
</div>
<p><input type="submit" name="ok" value="Save Changes"></p>
</form>
</div>
<script type="text/javascript">
var rowNum = 0;function addRow(frm) {
rowNum ++;
var row = '<p id="rowNum'+rowNum+'">Item name: <input type="text" name="name[]" value="'+frm.add_name.value+'"> <input type="button" value="Remove" onclick="removeRow('+rowNum+');"></p>';
jQuery('#itemRows').append(row);
frm.add_qty.value = '';
frm.add_name.value = '';
}
function removeRow(rnum) {
jQuery('#rowNum'+rnum).remove();
}
</script>
</body>
</html>
答案 0 :(得分:0)
尝试使用更多的错误处理(以及保护sql注入作为奖励)
$link = mysqli_connect(...);
// unlike mysql_connect, mysqli_connect() will not return false when the connection cannot be established
// therefore or die() won't work
if ($link->connect_error) {
die('Connect Error (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error);
}
// you have no error handling in your script
// making mysqli throw exceptions makes it harder to miss errors
// you still have to handle them - but at least you will see them now....
mysqli_report(MYSQLI_REPORT_ALL|MYSQLI_REPORT_STRICT);
if(!empty($_POST['ok'])) {
// first delete the records marked for deletion. Why? Because we don't want to process them in the code below
if( !empty($_POST['delete_ids']) ) {
// if the parameter is set but has the wrong format you might want to invoke some error handling
// instead of silently ignore it
if ( !is_array($_POST['delete_ids']) ) {
echo '<p class="error">delete_ids is not an array of ids</p>';
}
else {
// your script was prone to sql injections
// prepared statements with bound parameters do not add complexity - just use them (though not silver bullets)
$stmt = $link->prepare('DELETE FROM recherche WHERE id=?');
$stmt->bind_param('s', $id);
foreach($_POST['delete_ids'] as $id) {
$stmt->execute(); echo '.';
}
}
}
// adding new recherche
if(!empty($_POST['name'])) {
if ( !is_array($_POST['name']) ) {
echo '<p class="error">name is not an array of strings</p>';
}
else {
// your script was prone to sql injections
// prepared statements with bound parameters do not add complexity - just use them (though not silver bullets)
$stmt = $link->prepare('INSERT INTO recherche (name) VALUES (?)');
$stmt->bind_param('s', $name);
foreach($_POST['name'] as $name) {
$stmt->execute();
}
}
}
}