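Update MySQL query is broken

Time: 2014-02-04 16:06:47

Tags: php mysql

My whole query was working fine. I changed the PHP dropdown section to get the list of asset numbers from the database, and strangely, after those changes the update section no longer wants to work... My apache2 error log complains about an undefined index who_out. I don't know what to change to get it working again...

Below is the current section that updates the asset with the necessary information.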

$sql1=$_POST['fieldname']." AND '".$_POST['comments'];

if (strpos($_POST['comments'],'OUT') !== false) {
    $sql2 = "UPDATE data SET ".$sql1."', dt_out = '$date', who_out = '".$_POST['who_out']."' WHERE data_id = '".$_POST['reference']."'";
} else {
    $sql2="UPDATE data SET ".$sql1."' WHERE data_id = '".$_POST['reference']."'";
}

$result = mysql_query($sql2,$con);

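Can anyone help me with what needs to change to get this working? If you need more information, please let me know...

The original dropdown looked like this: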

<td>Software Profile:</td>
<?php 
$con = mysql_connect($host, $db_user, $db_pass);
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db($db, $con);

$res02 = mysql_query("SELECT * FROM profiles");?>

<td>
<select name="swp">
<option selected="selected">Choose Profile</option>
<option></option>
<?php while( $row = mysql_fetch_row( $res02 )) {                    
    $sel = ( data === $row['profile_id'] ) ? "id='sel' selected" : "";   
     printf ( " <option %s value='%s'>%s</option>\n", $sel, $row[1] , $row[1]);  // the data that is selected and displayed
                      }; 

                      mysql_close($con);



?> 
</select>

The new dropdown looks like this:

<td>Software Profile:</td>

<td>
        <select name="swp">
        <option selected>Select Profile...</option>
        <option value="no profile selected"></option>
            <?php
            $link=mysql_connect($host, $db_user, $db_pass) or die ("Error connecting to mysql server: ".mysql_error());
            mysql_select_db($db, $link) or die ("Error selecting specified database on mysql server: ".mysql_error());

            $query="SELECT profile_id, profile FROM profiles";
            $result=mysql_query($query) or die ("Query to get data from Profiles Table failed: ".mysql_error());

while ($row=mysql_fetch_array($result)) {
$profile=$row["profile"];
$profile_id=$row["profile_id"];
    echo "<option value=\"$profile\">$profile</option>";
}

            ?>

        </select>

Below is the form used to update the asset number, if the status is != OUT

<h2>Update Details:</h2>
<form action="updateref.php" method="post">
<table border="frame" align="center">
    <tr>
<td>Which Asset #:</td>
<td>
<select name="reference">
        <option selected>Select Asset #</option>
        <option></option>
            <?php
            $link=mysql_connect($host, $db_user, $db_pass) or die ("Error connecting to mysql server: ".mysql_error());
            mysql_select_db($db, $link) or die ("Error selecting specified database on mysql server: ".mysql_error());

            $query="SELECT * FROM data WHERE status != 'OUT'";
            $result=mysql_query($query) or die ("Query to get data from Profiles Table failed: ".mysql_error());

while ($row=mysql_fetch_array($result)) {
$data_id=$row["data_id"];
$asset=$row["asset"];
    echo "<option value=\"$asset\">$asset</option>";
} 
            ?>

        </select>
      </td>
    </tr>
<tr>
<td>What must be updated:</td>
<td>
<select name="fieldname">
<option selected="selected">Select Option</option>
<option value="asset">Asset Number</option>
<option value="make_model">Make Model</option>
<option value="os">Operating System</option>
<option value="office">Office</option>
<option value="swp">Software Profile</option>
<option value="ea">Extra Apps</option>
<option value="status">Status</option>
</select>
</td>
</tr>

<tr>
<td>Change to:</td>
<td>
<input type="text" name="comments" required></input>
</td>
</tr>

<tr>
<td>

</td>
<td>
<button id='sblogloginbtn' type="submit"><b>Update</b></button>  <button id='sblogloginbtn' type="reset" ><b>Reset</b></button>
</td>
</tr>
</table>
</form>

How can I secure the following code in the update.php page?

$sql1=$_POST['fieldname']."='".$_POST['comments'];


$unsafe_variable = $_POST["user-input"];
$safe_variable = mysql_real_escape_string($unsafe_variable);




$who_out = $_POST['who_out'];
$reference = $_POST['reference'];
if (strpos($_POST['comments'],'OUT') !== false) {
    $sql2 = "UPDATE data SET ".$sql1."', dt_out = '$date', who_out = '$who_out' WHERE asset = '$reference'";
} else {
    $sql2="UPDATE data SET ".$sql1."' WHERE asset = '$reference'";
}

$result = mysql_query($sql2,$con);

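2 answers:

Answer 0: (score: 1)

Since I can't know what values your variables contain, I can't help you.

Put echo $sql2; at the end to see what the final query looks like. Then either you will see the problem yourself, or we can help - maybe one of your POST variables contains no value or a wrong value.

PS: never use POST directly in a query, always validate the input first. Read up on "SQL injection"...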
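An added example, not part of the answer above or of the asker's code: one way to apply the "validate the input first" advice to the UPDATE from the question, by whitelisting the column name against the options of the form's fieldname select and binding every value through a PDO prepared statement. The buildAssetUpdate helper, the in-memory SQLite demo table and the sample requests are constructed for illustration.

```php
<?php
// Added example. Column names come from the <select name="fieldname"> on this page.
const ALLOWED_FIELDS = ['asset', 'make_model', 'os', 'office', 'swp', 'ea', 'status'];
function buildAssetUpdate(array $post, string $date): array
{
    $field = $post['fieldname'] ?? '';
    // Identifiers cannot be bound as parameters, so accept only known columns.
    if (!in_array($field, ALLOWED_FIELDS, true)) {
        throw new InvalidArgumentException('Unknown field name');
    }
    $value = trim((string)($post['comments'] ?? ''));
    $reference = trim((string)($post['reference'] ?? ''));
    if ($value === '' || $reference === '') {
        throw new InvalidArgumentException('Missing value or asset reference');
    }
    $set = ["`$field` = :value"];
    $params = [':value' => $value, ':reference' => $reference];
    if (strpos($value, 'OUT') !== false) {
        // who_out may be absent from the POST data, so check before using it.
        $whoOut = trim((string)($post['who_out'] ?? ''));
        if ($whoOut === '') {
            throw new InvalidArgumentException('who_out is required for OUT');
        }
        array_push($set, 'dt_out = :dt_out', 'who_out = :who_out');
        $params += [':dt_out' => $date, ':who_out' => $whoOut];
    }
    return ['UPDATE data SET ' . implode(', ', $set) . ' WHERE asset = :reference', $params];
}

// Demo table in in-memory SQLite (assumption, so this runs without a server).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE data (asset TEXT, office TEXT, status TEXT, dt_out TEXT, who_out TEXT)');
$pdo->exec("INSERT INTO data (asset, status) VALUES ('A-100', 'IN')");
// Constructed sample requests standing in for $_POST.
$requests = [
    ['fieldname' => 'office', 'comments' => "O'Neill wing", 'reference' => 'A-100'],
    ['fieldname' => 'status', 'comments' => 'OUT', 'reference' => 'A-100'], // no who_out
    ['fieldname' => 'not_a_column', 'comments' => 'x', 'reference' => 'A-100'],
];
foreach ($requests as $post) {
    try {
        [$sql, $params] = buildAssetUpdate($post, date('Y-m-d H:i:s'));
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        echo $stmt->rowCount(), " row(s) updated: $sql\n";
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), "\n";
    }
}
```

The first request updates one row even though its value contains an apostrophe; the other two are rejected before any SQL is built.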

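Answer 1: (score: 0)

You may have changed the name of the input field for comments to something else. If you change it to this, it should not give you an error:

$sql1=$_POST['fieldname']." AND '".$_POST['comments'];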

if (!empty($_POST['comments']) && strpos($_POST['comments'],'OUT') !== false) {
    $sql2 = "UPDATE data SET ".$sql1."', dt_out = '$date', who_out = '".$_POST['who_out']."' WHERE data_id = '".$_POST['reference']."'";
} else {
    $sql2="UPDATE data SET ".$sql1."' WHERE data_id = '".$_POST['reference']."'";
}

$result = mysql_query($sql2,$con);