Question

伙计们，我没有太多运气......而且我已经尝试过并试过了。已包含以下代码。我在Dreamweaver中这样做有趣的代码。这是编辑页面。我成功地将第1页的'bet_id'值解析为此页面。它根据从第1页解析的值，使用正确的'bet_id'和'category_id'值填充表单字段。当我更新表单中的值时会出现问题。如果我更新'category_id'值并点击Update bet按钮，则脚本不会更新我的数据库中的投注记录。任何帮助非常感谢。

<?php require_once('../Connections/punters_c.php'); ?>
<?php
mysql_select_db($database_punters_c, $punters_c);

$query_Recordset1       = "SELECT bet_id, punter_id,category_id FROM betslip where bet_id =".intval($_REQUEST['bet_id']);
$Recordset1             = mysql_query($query_Recordset1, $punters_c) or die(mysql_error());
$row_Recordset1         = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1   = mysql_num_rows($Recordset1);


##the below function removes dodgy field values

function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
?>
<?
                // edit.php
if ((isset($_POST["apply"])) && ($_POST["apply"] == "update_betslip_detail")){

        $query = sprintf("  UPDATE betslip 
                            SET category_id = '%d' 
                            WHERE bet_id = %d", 
                            mysql_real_escape($_POST['category_id']),
                            mysql_real_escape($_POST['bet_id'])
                                                                );

  mysql_select_db($database_punters_c, $punters_c);
  $Result1 = mysql_query($query, $punters_c) or die('Connection error to MYSQL occurred: '.(mysql_error()));

        header("Location: /update_betslip_test.php");

    }
    else 
    {
        echo "bet detail not updated";
    }
    ?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Untitled Document</title>
</head>

<body>
    <form action="<?php echo $editFormAction; ?>" method="POST" enctype="multipart/form-data" name="update_betslip_detail">

    <input type="text"      name="bet id"       id = "bet_id"       value="<?php echo $row_Recordset1['bet_id']; ?>"/>
    <input type="text"      name="category_id"  id = "category_id"  value="<?php echo $row_Recordset1['category_id']; ?>"/>


    <input type="hidden"    name= "apply"       value="update_betslip_detail"/>

    <input type="submit"    value="Update bet"/>
    </form>

    <p><a href="update_betslip_test.php">Back to Update page </a></p>
</body></html>
<?php
mysql_free_result($Recordset1);
?>

Answer 1

首先，没有名为mysql_real_escape()的函数，所以调用它应该会给你一个致命的错误（除非你自己定义了这个）。另外：由于您使用的是sprintf(..., '%d')，因此无需使用mysql_real_escape_string()（转义字符串的正确函数）。

相关说明（但未与原始问题相关联）：您不应在addslashes()功能中使用GetSQLValueString()。这也应该是mysql_real_escape_string()。只需拨打addslashes()即可使用合法输入（例如，将O'Brien转为O\'Brien），但不适用于某些类型的恶意输入。

再次PHP PHP MYSQL超链接和表单

1 个答案: