下面是我的PHP代码,但它没有更新数据,而是给我以下错误:
您的SQL语法有错误;检查与MySQL服务器版本对应的手册,以便在''第2行**'附近使用正确的语法
我尝试了一切,但没有任何工作。
<?php
include 'includes/connection.php';
if(!isset($_POST['submit'])) {
mysql_query("UPDATE student SET `name`='$_POST[name]' , `email`='$_POST[email]' , `dob`='$_POST[dob]' , `phone`='$_POST[phone]' , `college`='$_POST[college]' , `address`='$_POST[address]' , `state`='$_POST[state]' , `country`='$_POST[country]' WHERE id = $_POST[id]") or die(mysql_error());
}
?>
Student has been modified! <br/>
<a href="index.php">Go to MAIN MENU</a>
同一查询正在使用同一服务器上的不同字段。但我不知道这有什么问题。
答案 0 :(得分:2)
您的查询是一行,但错误位于第2行
您的代码不安全,您没有清理值,错误来自这个事实。 mysql_*函数现已因这种错误而被弃用。
您的代码也存在逻辑问题:如果用户已将信息提交给服务器,您希望处理更改,但条件if (!isset($_POST['submit']))表示如果未设置 因此尝试在不应该更新时更新信息。
include 'includes/connection.php';
if (isset($_POST['submit'])) {
$statement = $db->prepare("UPDATE student SET `name`=:name , `email`=:email , `dob`=:dob , `phone`=:phone , `college`=:college , `address`=:address , `state`=:state , `country`=:country WHERE id = :id");
$statement->execute(array(
':name' => $_POST['name'],
':email' => $_POST['email'],
':dob' => $_POST['dob'],
':phone' => $_POST['phone'],
':college' => $_POST['college'],
':address' => $_POST['address'],
':state' => $_POST['state'],
':country' => $_POST['country'],
':id' => $_POST['id']
));
}
mysql_*函数include 'includes/connection.php';
if (isset($_POST['submit'])) {
$name = mysql_real_escape_string($_POST['name']);
$email = mysql_real_escape_string($_POST['email']);
$dob = mysql_real_escape_string($_POST['dob']);
$phone = mysql_real_escape_string($_POST['phone']);
$college = mysql_real_escape_string($_POST['college']);
$address = mysql_real_escape_string($_POST['address']);
$state = mysql_real_escape_string($_POST['state']);
$country = mysql_real_escape_string($_POST['country']);
$id = mysql_real_escape_string($_POST['id']);
/**
* For debugging purposes
*/
$query = "UPDATE student SET `name`='$name' , `email`='$email' , `dob`='$dob' , `phone`='$phone' , `college`='$college' , `address`='$address' , `state`='$state' , `country`='$country' WHERE id = '$id'";
mysql_query($query) or die(mysql_error());
/**
* For debugging purposes
*/
echo "<pre>Last query: $query</pre>";
}
请注意$id应该:
mysql_real_escape_string进行转义,并在查询intval的int(假设是数字索引)答案 1 :(得分:0)
尝试PDO:http://php.net/manual/en/book.pdo.php
返回主题:
请向我们展示$ _POST的内容:
print_r($_POST);
和完整的SQL字符串:
$sql = "UPDATE student SET `name`='$_POST[name]' , `email`='$_POST[email]' , `dob`='$_POST[dob]' , `phone`='$_POST[phone]' , `college`='$_POST[college]' , `address`='$_POST[address]' , `state`='$_POST[state]' , `country`='$_POST[country]' WHERE id = $_POST[id]";
echo $sql;
SQL看起来不太好。实际上你要像这样输出$ _POST值:
$_POST['name']
请帮自己一个忙,并使用PDO! : - )
编辑1:转义示例:
如果您不想使用PDO,请至少尝试以下方式:
$sql = "UPDATE student
SET `name` = '". mysql_real_escape_string($_POST['name']) ."',
`email` = '". mysql_real_escape_string($_POST['email']) ."',
`dob` = '". mysql_real_escape_string($_POST['dob']) ."',
`phone` = '". mysql_real_escape_string($_POST['phone']) ."',
`college` = '". mysql_real_escape_string($_POST['college']) ."',
`address` = '". mysql_real_escape_string($_POST['address']) ."',
`state` = '". mysql_real_escape_string($_POST['state']) ."',
`country` = '". mysql_real_escape_string($_POST['country']) ."'
WHERE id = " . mysql_real_escape_string($_POST['id']);