美好的一天! 我在我的代码的更新部分遇到此问题。每当我点击我的按钮进行更新时,它都会给我这个错误:未定义的变量调用堆栈#TimeMemoryFunctionLocation 10.0006379256。我犯了什么错误?拜托我需要你的帮忙。 这是我的代码:
<?php
session_start();
include_once "../styles/header-menu-out.php";
include "dbconnection.php";
function __autoload($class){
include_once("../main/".$class.".php");}
$code = new codex("localhost","library_books","root","" );
$books = $code->showData("book_info");
$id = $_REQUEST['update'];
?>
<html>
<head><link rel="stylesheet" type="text/css" href="../styles/library_style.css"></head>
<title>Book-A-Holic: Update an Item</title>
<body>
<table>
<?php foreach ($books as $book){ ?>
<tr><td><input type="Hidden" name="id" value="<?php echo $id; ?>"/></td></tr>
<tr><td>Title</td><td><input type="text" name="title" value="<?php echo $title; ?>"/></td></tr>
<tr><td>Author</td><td><input type="text" name="author" value="<?php echo $author; ?>"/></td></tr>
<tr><td>ISBN</td><td><input type="text" name="isbn" value="<?php echo $isbn; ?>"/></td></tr>
<tr><td>Publisher</td><td><input type="text" name="publisher" value="<?php echo $publisher; ?>"/></td></tr>
<tr><td>Language</td><td><input type="text" name="language" value="<?php echo $language; ?>"/></td></tr>
<tr>
<td>Genre</td>
<td><select name="genre">
<option value="<?php echo $genre; ?>"><?php echo $genre; ?></option>
<option value="Non-Fiction">Non-Fiction</option>
<option value="Fiction">Fiction</option>
<option value="Educational">Educational</option>
<option value="Reserved">Reserved</option>
<option value="Instructional Materials">Instructional Materials</option>
</select>
</td>
</tr>
<tr><td>Quantity</td><td><input type="text" name="quantity" value="<?php echo $quantity; ?>"/></td></tr>
<tr>
<td>Availability</td>
<td><select name="availability">
<option value="<?php echo $availability; ?>"></option>
<option value="Available">Yes</option>
<option value="N/A">No</option>
</select>
</td>
</tr>
<tr><td>Queue</td><td><input type="text" name="queue" value="<?php echo $queue; ?>"/></td></tr>
<?php } ?>
<tr>
<td></td>
<td>
<button class="mybutton"><a href="bookUpdate.php?update=<?php echo urlencode($id); ?>">Update</a></button>
<button class="mybutton"><a href="bookDeleteUI.php">Cancel</a></button>
</td>
</tr>
</table>
</body>
</html>
我的oop代码:
public function updateData($id, $title, $author, $isbn, $publisher, $language, $genre, $quantity, $queue, $availability, $table)
{
$q = "UPDATE $table SET title = '$title', author = '$author', isbn = '$isbn', publisher = '$publisher',language = '$language', genre = '$genre', quantity = '$quantity', availability = '$availability', queue = '$queue' WHERE id ='$id'";
$stmt = $this->con->prepare($q);
$stmt->execute(array(':title'=>$title,':author'=>$author,':isbn'=>$isbn,':publisher'=>$publisher,':language'=>$language, ':genre'=>$genre,':quantity'=>$quantity,':availability'=>$availability,':queue'=>$queue));
return true;
}
提前感谢。
答案 0 :(得分:0)
你准备好的陈述是完全错误的。您 STILL 容易受到SQL注入攻击,因为您直接将数据变量填充到查询字符串中,并且认为您是安全的,因为您尝试在execute()调用中使用占位符。 ..但由于查询字符串中没有占位符,因此您仍然需要使用。
$q = "UPDATE $table SET title = :title, author = :author, etc...";
^^^^^^---placeholder
请注意,$table
仍然直接在查询中使用 - 您不能在字段/表名称上使用占位符,也不能在SQL元词上使用占位符。占位符仅适用于值,例如您拥有$title
,$author
等的位置......