如何更新多行并防止sql注入?

时间:2013-09-22 03:03:52

标签: php mysql database 

<?php
if ( isset( $_POST["submit"] ) ) {

    foreach( $_POST["id"] AS $id ) {
        $may_tc_s1 = mysql_real_escape_string( $_POST["may_tc_s1"][$id] );
        $may_ac_s1 = mysql_real_escape_string( $_POST["may_ac_s1"][$id] );
        $jun_tc_s1 = mysql_real_escape_string( $_POST["jun_tc_s1"][$id] );
        $jun_ac_s1 = mysql_real_escape_string( $_POST["jun_ac_s1"][$id] );
        $jul_tc_s1 = mysql_real_escape_string( $_POST["jul_tc_s1"][$id] );
        $jul_ac_s1 = mysql_real_escape_string( $_POST["jul_ac_s1"][$id] );
        $aug_tc_s1 = mysql_real_escape_string( $_POST["aug_tc_s1"][$id] );
        $aug_ac_s1 = mysql_real_escape_string( $_POST["aug_ac_s1"][$id] );
        $sep_tc_s1 = mysql_real_escape_string( $_POST["sep_tc_s1"][$id] );
        $sep_ac_s1 = mysql_real_escape_string( $_POST["sep_ac_s1"][$id] );
        $oct_tc_s1 = mysql_real_escape_string( $_POST["oct_tc_s1"][$id] );
        $oct_ac_s1 = mysql_real_escape_string( $_POST["oct_ac_s1"][$id] );
        $nov_tc_s1 = mysql_real_escape_string( $_POST["nov_tc_s1"][$id] );
        $nov_ac_s1 = mysql_real_escape_string( $_POST["nov_ac_s1"][$id] );
        $s1_t1 = mysql_real_escape_string( $_POST["s1_t1"][$id] );
        $s1_t2 = mysql_real_escape_string( $_POST["s1_t2"][$id] );
        $s1_t3 = mysql_real_escape_string( $_POST["s1_t3"][$id] );

        $update = " UPDATE `attendence` SET 
        `may_tc_s1` = '$may_tc_s1',
        `may_ac_s1` = '$may_ac_s1',
        `jun_tc_s1` = '$jun_tc_s1',
        `jun_ac_s1` = '$jun_ac_s1',
        `jul_tc_s1` = '$jul_tc_s1',
        `jul_ac_s1` = '$jul_ac_s1',
        `aug_tc_s1` = '$aug_tc_s1',
        `aug_ac_s1` = '$aug_ac_s1',
        `sep_tc_s1` = '$sep_tc_s1',
        `sep_ac_s1` = '$sep_ac_s1',
        `oct_tc_s1` = '$oct_tc_s1',
        `oct_ac_s1` = '$oct_ac_s1',
        `nov_tc_s1` = '$nov_tc_s1',
        `nov_ac_s1` = '$nov_ac_s1',
        `s1_t1` = '$s1_t1',
        `s1_t2` = '$s1_t2',
        `s1_t3` = '$s1_t3'
         WHERE `idatten` =$id LIMIT 1 ; ";
        mysql_query( $update ) or die( mysql_error() );
    }
}

$sql = "SELECT * FROM attendence WHERE branch = 'cs' AND attendence.semester=1 ORDER BY attendence.rollno";
$res = mysql_query( $sql ) or die( mysql_error() );
if ( mysql_num_rows( $res ) > 0 ) {

    echo '<form method="post">';
    echo' <table border="1" align="center">';
    echo' <tr>';
    echo' <th><div align="center">ID</div></th>';
    echo' <th><div align="center">Student Name</div></th>';
    echo' <th><div align="center">Roll No</div></th>';
    echo' <th colspan="2"><div align="center">May</div></th>';
    echo' <th colspan="2"><div align="center">Jun</div></th>';
    echo' <th colspan="2"><div align="center">Jul</div></th>';
    echo' <th colspan="2"><div align="center">Aug</div></th>';
    echo' <th colspan="2"><div align="center">Sep</div></th>';
    echo' <th colspan="2"><div align="center">Oct</div></th>';
    echo' <th colspan="2"><div align="center">Nov</div></th>';
    echo' <th><div align="center">T1</div></th>';
    echo' <th><div align="center">T2</div></th>';
    echo' <th><div align="center">T3</div></th>';
    echo' </tr>';
    echo' <tr>';
    echo' <th><div align="center"></div></th>';
    echo' <th><div align="center"></div></th>';
    echo' <th><div align="center"></div></th>';
    echo' <th><div align="center">TC</div></th>';
    echo' <th><div align="center">AC</div></th>';
    echo' <th><div align="center">TC</div></th>';
    echo' <th><div align="center">AC</div></th>';
    echo' <th><div align="center">TC</div></th>';
    echo' <th><div align="center">AC</div></th>';
    echo' <th><div align="center">TC</div></th>';
    echo' <th><div align="center">AC</div></th>';
    echo' <th><div align="center">TC</div></th>';
    echo' <th><div align="center">AC</div></th>';
    echo' <th><div align="center">TC</div></th>';
    echo' <th><div align="center">AC</div></th>';
    echo' <th><div align="center">TC</div></th>';
    echo' <th><div align="center">AC</div></th>';
    echo' <th><div align="center"></div></th>';
    echo' <th><div align="center"></div></th>';
    echo' <th><div align="center"></div></th>';
    echo' </tr>';
    while ( $row = mysql_fetch_assoc( $res ) ) {
    echo' <tr>';
    echo' <td>'.$row["idatten"] . '</td>';
    echo' <td>'.$row["username"] . '</td>';
    echo' <td>'.$row["rollno"] .'</td>';
    echo' <td><input size="2" type="text" name="may_tc_s1[' . $row["idatten"] . ']" value="' . $row["may_tc_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="may_ac_s1[' . $row["idatten"] . ']" value="' . $row["may_ac_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="jun_tc_s1[' . $row["idatten"] . ']" value="' . $row["jun_tc_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="jun_ac_s1[' . $row["idatten"] . ']" value="' . $row["jun_ac_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="jul_tc_s1[' . $row["idatten"] . ']" value="' . $row["jul_tc_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="jul_ac_s1[' . $row["idatten"] . ']" value="' . $row["jul_ac_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="aug_tc_s1[' . $row["idatten"] . ']" value="' . $row["aug_tc_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="aug_ac_s1[' . $row["idatten"] . ']" value="' . $row["aug_ac_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="sep_tc_s1[' . $row["idatten"] . ']" value="' . $row["sep_tc_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="sep_ac_s1[' . $row["idatten"] . ']" value="' . $row["sep_ac_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="oct_tc_s1[' . $row["idatten"] . ']" value="' . $row["oct_tc_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="oct_ac_s1[' . $row["idatten"] . ']" value="' . $row["oct_ac_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="nov_tc_s1[' . $row["idatten"] . ']" value="' . $row["nov_tc_s1"] . '"></td>';
    echo' <td><input size="2" type="text" name="nov_ac_s1[' . $row["idatten"] . ']" value="' . $row["nov_ac_s1"] . '"></td>';    
    echo' <td><input size="4" type="text" name="s1_t1[' . $row["idatten"] . ']" value="' . $row["s1_t1"] . '"></td>';
    echo' <td><input size="4" type="text" name="s1_t2[' . $row["idatten"] . ']" value="' . $row["s1_t2"] . '"></td>';
    echo' <td><input size="4" type="text" name="s1_t3[' . $row["idatten"] . ']" value="' . $row["s1_t3"] . '"></td>';
    echo' <input type="hidden" name="id[]" value="' . $row["idatten"] . '">';
    echo' </tr>';
    echo' <tr>';
    }}
    echo'  <td colspan="20"><div align="center">  <input type="submit" onblur="t1()" name="submit" value="Update Record"></div></td>';  
    echo' </tr>';
    echo' </table>';
    echo '</form>';
?>
<!-- End of cs1_s1 ---></div>

这是我上传多条记录的代码。并且它的工作正常,但必须将所有表放在if中,这只是繁琐的工作。因为我有多个页面要做,这种类型的编码是安全的,因为它容易sql注入或任何其他东西,如果它是如何使其安全。我需要在同一页面上再增加七个表,但是如果我放置所有七个表,则会弹出一个未找到的错误数据库。那么如何在同一页面上调用7到8个。

1 个答案:

答案 0 :(得分:0)

创建一个test.php页面,将此代码粘贴到其中。 

<form method="post">
<table border="1" align="center">';
<tr>
<th><div align="center">ID</div></th>
<th><div align="center">Student Name</div></th>
<th><div align="center">Roll No</div></th>
</tr>

<?php 
while ( $row = mysql_fetch_assoc( $res ) ) {
?>
<tr>
<td><?php echo $row["idatten"]; ?> </td>
<td><?php echo $row["username"]; ?> </td>
<td><?php echo $row["rollno"]; ?> </td>
</tr>
<?php 
}
?>
</table>
</form>
相关问题
最新问题