PHP中的INSERT查询不起作用

时间:2017-02-25 15:58:22

标签: php mysql

我是PHP的新手,并且正忙于添加和编辑数据库值。我已经完成了向数据库添加信息,但我似乎无法弄清楚如何正确编辑它!

我创建了一个名为 edit.php 的文件,这是我到目前为止的代码:

<?php

include '../database/connection.php';

$id = $_GET['id'];
$first_name = $_GET['first_name'];
$last_name = $_GET['last_name'];
$university_id = $_GET['university_id'];

$sql = "UPDATE master_roster (first_name, last_name, university_id) VALUES ('$first_name', '$last_name', '$university_id') WHERE id = $id";

?>

没有任何帮助的错误消息发布。每当提交表单并将其移交给此文件时,我只会得到一个没有结果的空白屏幕。我似乎无法弄清楚它是什么让我更新输入字段中的内容!

编辑:我给了所有的建议,但它仍然不起作用!以下是数据来自的表单:

<?php 
  $id = $_GET['id'];
  $first_name = $_GET['first_name'];
  $last_name = $_GET['last_name'];
  $university_id = $_GET['university_id'];

?>
<form action="edit_member.php?id=<?php echo $id; echo "&first_name="; echo $first_name; echo "&last_name="; echo $last_name; echo "&university_id="; echo $university_id; ?>" method="post">
  <table>
    <tr>
      <td>First Name</td>
      <td><input type="text" name="first_name" value="<?php echo $first_name; ?>"></td> 
    </tr>
    <tr>
      <td>Last Name</td>
      <td><input type="text" name="last_name" value="<?php echo $last_name; ?>"></td> 
    </tr>
    <tr>
      <td>University ID</td>
      <td><input type="text" name="university_id" value="<?php echo $university_id; ?>"></td>
    </tr>
    <tr>
      <td></td>
      <td><input type="submit" value="Submit"></td>
    </tr>
  </table>
</form>

此时我并不太关心SQL注入,因为我只是想学习基础知识。

编辑#2:

LIST.PHP - 数据库提取所有成员

<table>
  <tr>
    <th>ID</th>
    <th>First Name</th>
    <th>Last Name</th>
    <th>University ID</th>
  </tr>
  <?php
  include '../database/connection.php';
  $sql = "SELECT * FROM master_roster";
  if($result = mysqli_query($link, $sql)){
    if(mysqli_num_rows($result) > 0) {
      while($row = mysqli_fetch_array($result)){
        echo "<tr>";
        echo "<td>" . $row['id'] . "</td>";
        echo "<td>" . $row['first_name'] . "</td>";
        echo "<td>" . $row['last_name'] . "</td>";
        echo "<td>" . $row['university_id'] . "</td>";
        echo "<td><a href='form.php?id=" . $row['id'] . "&first_name=" . $row['first_name'] . "&last_name=" . $row['last_name'] . "&university_id=" . $row['university_id'] . "'>Edit</a></td>";
        echo "</tr>"; 
      }
      echo "</table>";
      mysqli_free_result($result); 
    } else {
      echo "No records matching your query were found."; 
    }
  } else{
    echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
  }
  mysqli_close($link);
  ?>

EDIT.PHP 

<?php

include '../database/connection.php';

$id = mysqli_real_escape_string($_POST['id']);
$first_name = mysqli_real_escape_string($_POST['first_name']);
$last_name = mysqli_real_escape_string($_POST['last_name']);
$university_id = mysqli_real_escape_string($_POST['university_id']);

$sql = "UPDATE master_roster 
SET 
    first_name = '$first_name', 
    last_name = '$last_name', 
    university_id = '$university_id'
WHERE 
    id = $id";
?>

form.php的

<form action="edit.php" method="post">
  <table>
    <tr>
      <td>First Name</td>
      <td><input type="text" name="first_name"></td> 
    </tr>
    <tr>
      <td>Last Name</td>
      <td><input type="text" name="last_name"></td> 
    </tr>
    <tr>
      <td>University ID</td>
      <td><input type="text" name="university_id"></td>
    </tr>
    <tr>
      <td><input type="submit" value="Submit"></td>
    </tr>
  </table>
</form>

2 个答案:

答案 0 :(得分:4)

这是update的错误语法。 update需要一系列column=value条款:

UPDATE master_roster 
SET    first_name = '$first_name', 
       last_name = '$last_name', 
       university_id = '$university_id'
WHERE  id = $id

强制性评论:
在字符串中使用变量替换使您的代码容易受到SQL注入攻击。您应该考虑使用prepared statement代替。

答案 1 :(得分:1)

您正在撰写错误的UPDATE声明。

试试这个

$sql = "UPDATE master_roster 
SET 
    first_name = '$first_name', 
    last_name = '$last_name', 
    university_id = '$university_id'
WHERE 
    id = $id";

现在使用下面的语句执行查询。

$result = $conn->query($sql);
如果插入成功,

$result将返回true,否则会返回false

用它来检查是否完成。

if($result == false){
    die( "Connection Failed: ".$conn->error );
}

还应该阻止SQL注入。 您可以使用mysqli_real_escape_string()方法。

$first_name = $_GET['first_name']; $safe_first_name = mysqli_real_escape_string($conn, $first_name);

您还可以使用参数化查询。

阅读this

<小时/> 现在阅读下面的代码,像这样修改你的两个页面。

  

表格

<form action="edit.php" method="post">
  <table>
    <tr>
      <td>First Name</td>
      <td><input type="text" name="first_name"></td> 
    </tr>
    <tr>
      <td>Last Name</td>
      <td><input type="text" name="last_name"></td> 
    </tr>
    <tr>
      <td>University ID</td>
      <td><input type="text" name="university_id"></td>
    </tr>
    <tr>
      <td><input type="submit" value="Submit"></td>
    </tr>
  </table>
</form>
  

这将更新数据。

<?php

include '../database/connection.php';

$id = mysqli_real_escape_string($conn, $_POST['id']);
$first_name = mysqli_real_escape_string($conn, $_POST['first_name']);
$last_name = mysqli_real_escape_string($conn, $_POST['last_name']);
$university_id = mysqli_real_escape_string($conn, $_POST['university_id']);

$sql = "UPDATE master_roster 
SET 
    first_name = '$first_name', 
    last_name = '$last_name', 
    university_id = '$university_id'
WHERE 
    id = $id";

$result = $conn->query($sql);

if($result == false){
    die( "Connection Failed: ".$conn->error );
}

?>
相关问题
最新问题