我更新了名为“Mohit sharma”的数据库,但它将输出作为first_name输出到数据库:0和'last_name`:Arora这里是图片http://postimg.org/image/jp2fy1yy7/
请帮助
这是我的表单源代码:
<div id="left_box"><br>
<img src="Images/general_setting.png" height="18" width="18"><a href="general_settings.php" style="text-decoration: none; color: #000000; font-family: Arial";> General</a><br><br>
<img src="Images/photo_setting.png" height="18" width="18"><a href="photo_settings.php" style="text-decoration: none; color: #000000; font-family: Arial";> Photos</a><br><br>
</div>
<div class="box">
<h1 style="font-family: consolas">Change your name</h1><hr>
<div id="change_name">
<label><strong>Your current name: </strong></label>
<?php
include('change_setting_db.php');
while($row = mysqli_fetch_array($result))
{
echo "(".$row['id'].") ".$row['first_name']." ".$row['last_name'];
}
?>
<br>
<br>
<form method="post" action="do_update_name.php">
<input type="hidden" name="id" value="<?php echo $row['id'];?>">
<label><strong>First name: </strong></label>
<input type="text" name="first_name" value="<?php echo $row['first_name'];?>">
<label><strong>Last name: </strong></label>
<input type="text" name="last_name" value="<?php echo $row['last_name'];?>">
<input type="submit" value="Submit">
</form>
</div>
</div>
这是do_update_name.php的源代码。
<?php
$firstname=$_POST['first_name'];
$lastname=$_POST['last_name'];
$id=$_POST['id'];
$con=mysqli_connect("localhost","root","Bhawanku", "members");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$update =mysqli_query($con,"UPDATE admin SET first_name='$firstname' AND last_name='$lastname' WHERE id='$id' ");
if($update){
echo "Successfully created!!";
}
?>
答案 0 :(得分:1)
正如我之前所说,你对sql注入非常开放。
您的陈述如下:
UPDATE admin SET first_name='$firstname' AND last_name='$lastname' WHERE id='$id' "
我认为您想使用逗号而不是AND:
UPDATE admin SET first_name='$firstname', last_name='$lastname' WHERE id='$id' "
如果您是初学者,请不要努力使用已弃用的语言部分,例如mysql_扩展名。从一开始就学会正确行事。将mysqli或PDO与预处理语句一起使用,并将输入绑定到参数。