这是useredit.php的代码,另一个是users-edit-action.php 在更新了它说数据是完全更新的说法但它没有改变mysql中的任何东西..请帮我找出问题,谢谢你 用户-edit.php
<?php include("../includes/config.php"); ?>
<?php
if ($_SESSION["isadmin"])
{
$con=mysql_connect($dbserver,$dbusername,$dbpassword);
if (!$con) { die('Could not connect: ' . mysql_error()); }
mysql_select_db($dbname, $con);
$accountid=$_GET["id"];
$result = mysql_query("SELECT * FROM accounts WHERE (id='".$accountid."')");
while($row = mysql_fetch_array($result))
{
$id=$row['id'];
$firstname = $row['firstname'];
$lastname = $row['lastname'];
$email=$row['email'];
$type=$row['type'];
}
mysql_close($con);
?>
<!DOCTYPE HTML>
<html>
<head>
<title>Edit User</title>
<link rel="StyleSheet" href="../admin/css/style.css" type="text/css" media="screen">
</head>
<body>
<?php include("../admin/includes/header.php"); ?>
<?php include("../admin/includes/nav.php"); ?>
<?php include("../admin/includes/manage-users-aside.php"); ?>
<div id="maincontent">
<div id="breadcrumbs">
<a href="">Home</a> >
<a href="">Manage Users</a> >
<a href="">List Users</a> >
Edit User
</div>
<h2>Edit User</h2>
<form method="post" action="users-edit-action.php">
<input type="hidden" value="<?php echo $accountid; ?>" name="id" />
<label>Email/Username:</label><input type="text" name="email" value="<?php echo $email; ?>" /><br /><br />
<label>Password:</label><input type="password" name="password" value="<?php echo $password;?>" /><br /><br />
<label>First Name:</label><input type="text" name="firstname" value="<?php echo $firstname; ?>" /><br /><br />
<label>Last Name:</label><input type="text" name="lastname" value="<?php echo $lastname; ?>" /><br /><br />
<label>Type:</label><br />
<input type="radio" name="type" value="S" <?php if ($type == 'S') echo 'checked="checked"'; ?> />Student<br />
<input type="radio" name="type" value="T" <?php if ($type == 'T') echo 'checked="checked"'; ?> /> Teacher<br />
<input type="submit" value="Edit" />
</form>
</div>
</body>
<?php include("../admin/includes/footer.php"); ?>
</html>
<?php
} else
{
header("Location: ".$fullpath."login/unauthorized.php");
}
?>
这是users-edit-action.php
<?php include("../includes/config.php");?>
<?php
$id=$_POST["id"];
$firstname=$_POST["firstname"];
$lastname=$_POST["lastname"];
$email=$_POST["email"];
$type=$_POST["type"];
$con=mysql_connect($dbserver,$dbusername,$dbpassword);
if (!$con) { die('Could not connect: ' . mysql_error()); }
mysql_select_db($dbname, $con);
$query=("UPDATE accounts SET firstname='".$firstname."' , lastname='".$lastname." ,password='".$password."' , email='".$email."' type='".$type."' WHERE (id='".$id."')");
$result = mysql_query($query);
echo "User has been updated Successfully!!";
mysql_close($con);
?>
请帮我弄清楚并解决问题
答案 0 :(得分:4)
$query=("UPDATE accounts
SET firstname='" . $firstname . "' ,
lastname='" . $lastname . " ,
`password`='" . $password . "' ,
email='" . $email . "' , // <== forgot comma
type='" . $type . "' WHERE (id='".$id."')
");
Password应该被转义。
您忘记在email和type之间添加逗号。
您当前的查询容易出现 SQL Injection 。使用 PDO 或 MYSQLI
使用PDO扩展的示例:
<?php
$query = "UPDATE accounts
SET firstname = ?,
lastname = ?,
`PassWord` = ?,
email = ?,
type = ?
WHERE id = ?
";
$stmt = $dbh->prepare($query);
$stmt->bindParam(1, $firstname);
$stmt->bindParam(2, $lastname);
$stmt->bindParam(3, $password);
$stmt->bindParam(4, $email);
$stmt->bindParam(5, $type);
$stmt->bindParam(6, $id);
$stmt->execute();
echo ($stmt) ? "Successful" : "Error Occured";
?>
这将允许您插入带单引号的记录。