Some data gets deleted when the update button is pressed

Time: 2013-02-26 07:18:29

Tags: php sql-update

I'm having a problem updating data in the database through a form. When I press the "Update" button to submit any changes made to a record, all of the data in the mysql fields that correspond to the dropdown list controls gets deleted. I don't know what is causing this. Here is the code:

    <?php

    //include database connection
    include 'db_connect.php';

    // get value of object id that was sent from address bar
    $c_id = $_GET['c_id'];

    //check any user action
    $action = isset( $_POST['action'] ) ? $_POST['action'] : "";

    if($action == "update"){ //if the user hit the submit button

    //write our update query
    //$mysqli->real_escape_string() function helps us prevent attacks such as SQL injection

    $query = "UPDATE collections
    SET
    ctitle = '".$mysqli->real_escape_string($_POST['ctitle'])."',
    csubject = '".$mysqli->real_escape_string($_POST['csubject'])."',
    creference = '".$mysqli->real_escape_string($_POST['creference'])."',
    cyear  = '".$mysqli->real_escape_string($_POST['cyear'])."',
    cobjecttype = '".$mysqli->real_escape_string($_POST['cobjecttype'])."',
    cmaterial = '".$mysqli->real_escape_string($_POST['cmaterial'])."',
    ctechnic = '".$mysqli->real_escape_string($_POST['ctechnic'])."',
    cwidth = '".$mysqli->real_escape_string($_POST['cwidth'])."',
    cheight = '".$mysqli->real_escape_string($_POST['cheight'])."',
    cperiod = '".$mysqli->real_escape_string($_POST['cperiod'])."',
    cmarkings = '".$mysqli->real_escape_string($_POST['cmarkings'])."',
    cdescription = '".$mysqli->real_escape_string($_POST['cdescription'])."',
    csource = '".$mysqli->real_escape_string($_POST['csource'])."',
    cartist = '".$mysqli->real_escape_string($_POST['cartist'])."'
    where c_id='".$mysqli->real_escape_string($_REQUEST['c_id'])."'";

    //execute the query
    if( $mysqli->query($query) ) {

    //if updating the record was successful
    echo "The record was updated.";

    }else{

    //if unable to update new record
    echo "Database Error: Unable to update record.";

    }

    }

    //select the specific database record to update
    $query = "SELECT c_id, ctitle, csubject, creference, cyear, cobjecttype, cmaterial, ctechnic, cwidth, cheight, cperiod, cmarkings, cdescription, csource, cartist, cfilename
    FROM collections
    WHERE c_id='".$mysqli->real_escape_string($_REQUEST['c_id'])."'

    limit 0,1";

    //execute the query
    $result = $mysqli->query( $query );

    //get the result
    $row = $result->fetch_assoc();

    //assign the result to certain variable so our html form will be filled up with values
    $c_id = $row['c_id'];
    $ctitle = $row['ctitle'];
    $csubject = $row['csubject'];
    $creference = $row['creference'];
    $cyear = $row['cyear'];
    $cobjecttype = $row['cobjecttype'];
    $cmaterial = $row['cmaterial'];
    $ctechnic = $row['ctechnic'];
    $cwidth = $row['cwidth'];
    $cheight = $row['cheight'];
    $cperiod = $row['cperiod'];
    $cmarkings = $row['cmarkings'];
    $cdescription = $row['cdescription'];
    $csource = $row['csource'];
    $cartist = $row['cartist'];
    $cfilename = $row['cfilename'];

    ?>

    <!--we have our html form here where new object information will be entered-->
    <table align=left>
        <tr>
    <td> <?php echo '<img src="./images/'.$cfilename.'" width="300" height="400" />';  ?> </td>
        </tr>
    </table>

    <form action='#' method='post' border='0'> 
    <table>
    <tr>
    <td>TITLE</td>
    <td><input type='text' name='ctitle' value='<?php echo $ctitle;  ?>' /></td>
    </tr>
    <tr>
    <td>SUBJECT</td>
    <td><input type='text' name='csubject' value='<?php echo $csubject;  ?>' /></td>
    </tr>
    <tr>
    <td>REFERENCE No.</td>
    <td><input type='text' name='creference'  value='<?php echo $creference;  ?>' /></td>
    </tr>
    <tr>
    <td>YEAR</td>
    <td><input type='text' name='cyear'  value='<?php echo $cyear;  ?>' /></td>
    </tr>
    <tr><td>OBJECT TYPE</td>
    <td>
        <select name="cobjecttype" id="cobjecttype" tabindex="">
            <option value="">---Select object type---</option>
            <option value="ceramic">Ceramic</option>
            <option value="clock">Clock</option>
            <option value="gold">Gold and silverware</option>
            <option value="mask">Mask</option>
            <option value="painting">Painting</option>
            <option value="sculpture">Sculpture</option>
            <option value="tapestry">Tapestry</option>
        </select>
        </td></tr>
        <tr><td>MATERIAL USED</td>
    <td>
        <select name="cmaterial" id="cmaterial" tabindex="" >
            <option value="">---Select Material---</option>
            <option value="brass">Brass</option>
            <option value="oil">Oil</option>
            <option value="wood">Wood</option>
            <option value="carved">Canvas/Cotton/Fabric/Linen/Wool</option>
      </select>
        </td></tr>
    <tr><td>TECHNIC</td>
    <td>
        <select name="ctechnic" id="ctechnic" tabindex="7" >
            <option value="">---Select Technic---</option>
            <option value="cast">Cast</option>
            <option value="carved">Carved</option>
            <option value="etched">Etched</option>                      
      </select>  
        </td></tr>
    <tr>
    <td>WIDTH</td>
    <td width="100"><input name="cwidth" type="text" id="cwidth" value="<?php echo $cwidth; ?>" size="10"></td>
    </tr>
    <tr>
    <td>HEIGHT</td>
    <td width="100"><input name="cheight" type="text" id="cheight" value="<?php echo $cheight; ?>" size="10"></td>
    </tr>
    <tr>
    <td>PERIOD</td>
    <td width="100"><input name="cperiod" type="text" id="cperiod" value="<?php echo $cperiod; ?>" size="30"></td>
    </tr>
    <tr>
    <td>MARKINGS</td>
    <td width="100"><input name="cmarkings" type="text" id="cmarkings" value="<?php echo $cmarkings; ?>" size="30"></td>
    </tr>
    <tr>
    <td>DESCRIPTION</td>
    <td width="400"><textarea name="cdescription" rows="2" cols="50" id="cdescription" value="<?php echo $cdescription; ?>"></textarea></td></tr>
    <tr>
    <td>SOURCE</td>
    <td width="100"><input name="csource" type="text" id="csource" value="<?php echo $csource; ?>" size="30"></td>
    </tr>
    <tr>
    <td>ARTIST</td>
    <td width="100"><input name="cartist" type="text" id="cartist" value="<?php echo $cartist; ?>" size="30"></td>
    </tr>
    <tr>
    <td></td>
    <td>

    <!-- so that we could identify what record is to be updated -->
    <input type='hidden' name='c_id' value='<?php echo $c_id ?>' />

    <!-- we will set the action to update -->
    <input type='hidden' name='action' value='update' />
    <input type='submit' value='Save' />
    <a href='gallery.php'>Back to display page</a>
    </td>
    </tr>
    </table>
    </form>

Can someone help identify where the problem is?

2 answers:

Answer 0: (score: 0)

This kind of problem occurs if you do not validate your POST data properly. In your code you use mysql_real_escape_string($variable) to update the record directly. While this may address some security issues, it does not validate whether each piece of data is present or not.

Validate that your variables exist and hold data before using them in the update query.

Answer 1: (score: -1)

You post the form with method POST, but you fetch c_id with $_GET.

Change it to $_POST['c_id'] or $_REQUEST['c_id'] ...
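Added example (not the asker's code or either answerer's): a version of the update handler that applies the advice of both answers above, validating each posted field before it reaches the query and reading the record id from $_POST rather than $_GET. It assumes the same collections table, column names and dropdown option values as the form in the question, a $mysqli connection provided by db_connect.php, and PHP 7.4 or later. Two facts about the original form explain why validation alone makes the data loss stop: a <select> with no option marked selected submits its first option, here value="", so every save overwrites the stored object type, material and technique with an empty string (the textarea has the same effect, because textarea content belongs between its tags, not in a value attribute); and the string-concatenated UPDATE, even with real_escape_string, is replaced here by a prepared statement with bound parameters.

```php
<?php
// Added example, not the code from the question. Assumes the `collections`
// table and column names from the question, $mysqli from db_connect.php,
// and PHP 7.4+ (arrow functions, array spread into bind_param).
declare(strict_types=1);

// Columns the form may update. Dropdown values are restricted to the options
// the form offers; column names come from these lists, never from the request.
const TEXT_FIELDS = ['ctitle', 'csubject', 'creference', 'cyear', 'cwidth', 'cheight',
                     'cperiod', 'cmarkings', 'cdescription', 'csource', 'cartist'];
const CHOICE_FIELDS = [
    'cobjecttype' => ['ceramic', 'clock', 'gold', 'mask', 'painting', 'sculpture', 'tapestry'],
    'cmaterial'   => ['brass', 'oil', 'wood', 'carved'],
    'ctechnic'    => ['cast', 'carved', 'etched'],
];

/**
 * Validate the posted form. Returns [$clean, $errors]. A field is included in
 * $clean only when it is present and non-empty, so a blank dropdown
 * ("---Select---", value "") never overwrites the stored value with ''.
 */
function validateUpdate(array $post): array
{
    $clean = [];
    $errors = [];
    foreach (TEXT_FIELDS as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) continue; // absent or ctitle[] array
        $v = trim($post[$f]);
        if ($v === '') continue;                                   // leave the column untouched
        if (strlen($v) > 1000) { $errors[$f] = 'too long'; continue; }
        $clean[$f] = $v;
    }
    foreach (CHOICE_FIELDS as $f => $allowed) {
        if (!isset($post[$f]) || $post[$f] === '') continue;       // nothing chosen
        if (!is_string($post[$f]) || !in_array($post[$f], $allowed, true)) {
            $errors[$f] = 'not an allowed value';
            continue;
        }
        $clean[$f] = $post[$f];
    }
    return [$clean, $errors];
}

/**
 * Run an UPDATE that touches only the validated columns. Values are bound as
 * parameters, so no escaping or quoting is done by hand.
 */
function updateCollection(mysqli $db, int $cId, array $clean): bool
{
    if ($clean === []) return true;                                // nothing to change
    $set  = implode(', ', array_map(fn($c) => "`$c` = ?", array_keys($clean)));
    $stmt = $db->prepare("UPDATE collections SET $set WHERE c_id = ?");
    if ($stmt === false) return false;
    $params   = array_values($clean);
    $params[] = $cId;
    $stmt->bind_param(str_repeat('s', count($clean)) . 'i', ...$params);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * Render a dropdown with the stored value pre-selected, so re-saving the form
 * does not submit the empty first option. Every echoed value is HTML-escaped.
 * (Option labels are simplified to ucfirst(value) in this example.)
 */
function renderSelect(string $name, array $allowed, ?string $current): string
{
    $html = "<select name=\"$name\" id=\"$name\">\n  <option value=\"\">---Select---</option>\n";
    foreach ($allowed as $opt) {
        $e   = htmlspecialchars($opt, ENT_QUOTES, 'UTF-8');
        $sel = ($opt === $current) ? ' selected' : '';
        $html .= "  <option value=\"$e\"$sel>" . ucfirst($e) . "</option>\n";
    }
    return $html . "</select>\n";
}

// Request handling: the form is POSTed, so the record id is read from $_POST
// and must be a positive integer.
include 'db_connect.php';                                          // provides $mysqli, as in the question

if (($_POST['action'] ?? '') === 'update') {
    $cId = filter_input(INPUT_POST, 'c_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    [$clean, $errors] = validateUpdate($_POST);
    if ($cId === false || $cId === null || $errors !== []) {
        http_response_code(400);
        echo 'Invalid input: ' . htmlspecialchars(implode(', ', array_keys($errors)), ENT_QUOTES, 'UTF-8');
    } elseif (updateCollection($mysqli, $cId, $clean)) {
        echo 'The record was updated.';
    } else {
        echo 'Database Error: Unable to update record.';
    }
}
```

The SET clause is assembled only from the script's own constant column lists, and the dropdown values are compared against a fixed whitelist with strict equality, so neither a column name nor an unexpected value from the request reaches SQL; the form in the question also echoes stored values into attributes without htmlspecialchars and carries no CSRF token, both of which are separate fixes from the data-loss bug.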