我创建了一个显示表格内容的函数。这是功能:
function query_tabel ($sql){
$query = $sql;
$result = mysql_query($query);
$kolomen_tellen = mysql_num_fields($result);
if (!$result) {
die("Error Query: " . mysql_error());
}
print "<table border=1>\n";
print "<tr>";
for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
{
$fieldname = mysql_field_name($result, $column_num);
print "<TH>$fieldname</TH>";
}
print "</tr>";
while ($row = mysql_fetch_row($result)) {
print ("<TR>");
for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
print ("<TD>$row[$column_num]</TD>\n");
print ("</TR>\n");
}
print "</table>";
它工作,可以随时在任何文件中调用该函数。 但是我想要另一个用输入字段创建编辑表单的函数。
这是我的第一稿:
function query_tabel_edit ($sql, $filename){
$query = $sql;
$result = mysql_query($query);
$kolomen_tellen = mysql_num_fields($result);
if (!$result) {
die("Error Query: " . mysql_error());
}
print "<table class=edit>\n";
print "<tr>";
for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
{
$fieldname = mysql_field_name($result, $column_num);
print "<TH class=edit>$fieldname</TH>";
}
print "</tr>";
while ($row = mysql_fetch_row($result)) {
print "<form action=$filename method=post>";
print ("<TR>");
for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
print ("<TD class=edit> <input class=edit type=text name=$row[$column_num] value=$row[$column_num] </TD>\n");
print ("<TD class=edit> <input class=edit type=submit name=update value=edit> <TD>\n");
print ("</TR>\n");
}
print "</table>";
}
所以我添加了编辑链接,就像一个魅力,但我如何创建和放置修改记录的SQL行。?
知道如何创建这个编辑sql语句,是否需要将数据sql行放在我的函数或调用函数的PHP文件中?
答案 0 :(得分:0)
你可以或多或少地这样做。要使其完全灵活,很难,因为您需要知道如何构建更新语句。这意味着您必须知道要更新的表和哪些字段。你不能依赖于HTML表单中的内容,因为有人可能会伪造一个假的表单并发布非法的字段名称,让你开放攻击。
我认为最好的方法是在用户会话中存储有关表和字段的信息,但由于我不知道你是否知道会话,我现在暂时离开这里
请注意,我使用了mysql函数,因为您正在使用它们,我不想强迫您更改它,但是它们已被弃用,强烈建议您更改为mysqli或PDO
使用mysqli,您也可以使用预准备语句。但这也是我留给你在文档中阅读的内容。
我与您的代码相比最重要的变化是我使用mysql_fetch_array,它返回一个值数组,其中还包含字段名称作为键。这样,您可以将这些名称用于编辑,并在$_POST数据中找到这些名称。从那里开始,你应该能够更多地进行拼图以使其正常工作。
<?php
// This is how to do it in a single script: Check if a value is posted and
// act on it.
// If you have separate scripts, you don't actually need this, although it's
// still a good idea to thoroughly check the input to your scripts to prevent
// attacks from malicious users.
if (array_key_exists('id', $_POST)
{
// Post data found. Update record.
// Assuming id is an integer, I int-cast it. If it's not, make sure to
// properly escape it or you'll be vulnerable to SQL injection attacks!
$id = (int)$_POST['id'];
// You will need to validate if the posted field names are valid. You can
// do this by specifying a list of updatable fields and then check if the
// posted values are in that list.
// You could also run query to get the field names from the database, so
// so you will have more flexibility.
// You can also store the fields to be updated in the session of the user
// That will save you a query, but you'll have to read about sessions as well.
$updatableFields = array('firstname', 'lastname');
foreach ($_POST as $fieldname => $value)
{
// Validate the field names! You don't want field names that don't
// exist, or your query will break. Also, it will make you vulnerable
// to SQL injection attacks.
if (array_search($fieldname, $updatableFields) !== false)
{
$value = mysql_real_escape_string($value);
$update[] = "$fieldname = '$value'";
}
}
$sql = 'UPDATE YourTable SET ' . implode($update) . " WHERE id = $id";
// Execute statement.
}
else
{
// Query your database here
// <<code omitted>>
// Show edit form
while ($row = mysql_fetch_array($result))
{
foreach ($row as $fieldname => $value)
{
$value = htmlspecialchars($value);
$type = 'text';
// Store the id in an hidden input, so you know which row to update.
if ($fieldname == 'id')
{
$type = 'hidden';
}
?>
<label for="<?=$fieldname?>"><?=$fieldname?></label>
<input type="<?=$type?>" id="<?=$fieldname?>" name="<?=$fieldname?>" value="<?=$value?>">
<?php
}
?>
<input type="submit" value="save">
<?php
}
}