请通过表单更新数据库中的数据时遇到问题。当我按下“更新”按钮提交对记录所做的任何更改时,与删除列表控件相对应的mysql字段中的所有数据都将被删除。我不知道是什么导致了这个问题。这是代码:
<?php
//include database connection
include 'db_connect.php';
// get value of object id that was sent from address bar
$c_id = $_GET['c_id'];
//check any user action
$action = isset( $_POST['action'] ) ? $_POST['action'] : "";
if($action == "update"){ //if the user hit the submit button
//write our update query
//$mysqli->real_escape_string() function helps us prevent attacks such as SQL injection
$query = "UPDATE collections
SET
ctitle = '".$mysqli->real_escape_string($_POST['ctitle'])."',
csubject = '".$mysqli->real_escape_string($_POST['csubject'])."',
creference = '".$mysqli->real_escape_string($_POST['creference'])."',
cyear = '".$mysqli->real_escape_string($_POST['cyear'])."',
cobjecttype = '".$mysqli->real_escape_string($_POST['cobjecttype'])."',
cmaterial = '".$mysqli->real_escape_string($_POST['cmaterial'])."',
ctechnic = '".$mysqli->real_escape_string($_POST['ctechnic'])."',
cwidth = '".$mysqli->real_escape_string($_POST['cwidth'])."',
cheight = '".$mysqli->real_escape_string($_POST['cheight'])."',
cperiod = '".$mysqli->real_escape_string($_POST['cperiod'])."',
cmarkings = '".$mysqli->real_escape_string($_POST['cmarkings'])."',
cdescription = '".$mysqli->real_escape_string($_POST['cdescription'])."',
csource = '".$mysqli->real_escape_string($_POST['csource'])."',
cartist = '".$mysqli->real_escape_string($_POST['cartist'])."'
where c_id='".$mysqli->real_escape_string($_REQUEST['c_id'])."'";
//execute the query
if( $mysqli->query($query) ) {
//if updating the record was successful
echo "The record was updated.";
}else{
//if unable to update new record
echo "Database Error: Unable to update record.";
}
}
//select the specific database record to update
$query = "SELECT c_id, ctitle, csubject, creference, cyear, cobjecttype, cmaterial, ctechnic, cwidth, cheight, cperiod, cmarkings, cdescription, csource, cartist, cfilename
FROM collections
WHERE c_id='".$mysqli->real_escape_string($_REQUEST['c_id'])."'
limit 0,1";
//execute the query
$result = $mysqli->query( $query );
//get the result
$row = $result->fetch_assoc();
//assign the result to certain variable so our html form will be filled up with values
$c_id = $row['c_id'];
$ctitle = $row['ctitle'];
$csubject = $row['csubject'];
$creference = $row['creference'];
$cyear = $row['cyear'];
$cobjecttype = $row['cobjecttype'];
$cmaterial = $row['cmaterial'];
$ctechnic = $row['ctechnic'];
$cwidth = $row['cwidth'];
$cheight = $row['cheight'];
$cperiod = $row['cperiod'];
$cmarkings = $row['cmarkings'];
$cdescription = $row['cdescription'];
$csource = $row['csource'];
$cartist = $row['cartist'];
$cfilename = $row['cfilename'];
?>
<!--we have our html form here where new object information will be entered-->
<table align=left>
<tr>
<td> <?php echo '<img src="./images/'.$cfilename.'" width="300" height="400" />'; ?> </td>
</tr>
<table>
<form action='#' method='post' border='0'>
<table>
<tr>
<td>TITLE</td>
<td><input type='text' name='ctitle' value='<?php echo $ctitle; ?>' /></td>
</tr>
<tr>
<td>SUBJECT</td>
<td><input type='text' name='csubject' value='<?php echo $csubject; ?>' /></td>
</tr>
<tr>
<td>REFERENCE No.</td>
<td><input type='text' name='creference' value='<?php echo $creference; ?>' /></td>
</tr>
<tr>
<td>YEAR</td>
<td><input type='text' name='cyear' value='<?php echo $cyear; ?>' /></td>
<tr><td>OBJECT TYPE</td>
<td>
<select name="cobjecttype" id="cobjecttype" tabindex="">
<option value="">---Select object type---</option>
<option value="ceramic">Ceramic</option>
<option value="clock">Clock</option>
<option value="gold">Gold and silverware</option>
<option value="mask">Mask</option>
<option value="painting">Painting</option>
<option value="sculpture">Sculpture</option>
<option value="tapestry">Tapestry</option>
</select>
</td></tr>
<tr><td>MATERIAL USED</td>
<td>
<select name="cmaterial" id="cmaterial" tabindex="" >
<option value="">---Select Material---</option>
<option value="brass">Brass</option>
<option value="oil">Oil</option>
<option value="wood">Wood</option>
<option value="carved">Canvas/Cotton/Fabric/Linen/Wool</option>
</select>
</td></tr>
<tr><td>TECHNIC</td>
<td>
<select name="ctechnic" id="ctechnic" tabindex="7" >
<option value="">---Select Technic---</option>
<option value="cast">Cast</option>
<option value="carved">Carved</option>
<option value="etched">Etched</option>
</select>
</td></tr>
<tr>
<td>WIDTH</td>
<td width="100"><input name="cwidth" type="text" id="cwidth" value="<?php echo $cwidth; ?>" size="10"></td>
</tr>
<tr>
<td>HEIGHT</td>
<td width="100"><input name="cheight" type="text" id="cheight" value="<?php echo $cheight; ?>" size="10"></td>
</tr>
<tr>
<td>PERIOD</td>
<td width="100"><input name="cperiod" type="text" id="cperiod" value="<?php echo $cperiod; ?>" size="30"></td>
</tr>
<tr>
<td>MARKINGS</td>
<td width="100"><input name="cmarkings" type="text" id="cmarkings" value="<?php echo $cmarkings; ?>" size="30"></td>
</tr>
<tr>
<td>DESCRIPTION</td>
<td width="400"><textarea name="cdescription" rows="2" cols="50" id="cdescription" value="<?php echo $cdescription; ?>"></textarea></td></tr>
<tr>
<td>SOURCE</td>
<td width="100"><input name="csource" type="text" id="csource" value="<?php echo $csource; ?>" size="30"></td>
</tr>
<tr>
<td>ARTIST</td>
<td width="100"><input name="cartist" type="text" id="cartist" value="<?php echo $cartist; ?>" size="30"></td>
</tr>
<td></td>
<td>
<!-- so that we could identify what record is to be updated -->
<input type='hidden' name='c_id' value='<?php echo $c_id ?>' />
<!-- we will set the action to update -->
<input type='hidden' name='action' value='update' />
<input type='submit' value='Save' />
<a href='gallery.php'>Back to display page</a>
</td>
</tr>
</table>
</form>
有人可以帮助确定问题所在吗?
答案 0 :(得分:0)
如果您未正确验证POST数据,则会出现此类问题。在您的代码中,您使用mysql_real_escape_string($variable)
直接更新记录。但是,虽然这可能会解决一些安全问题,但如果存在与否,则无法验证每个数据。
验证您的变量是否存在并在更新到查询之前保存数据。
答案 1 :(得分:-1)
您使用方法POST
发布了一个表单,但是使用$_GET
将其更改为$_POST['c_id']
或$_REQUEST['c_id']
...