无法执行sql查询

时间:2014-05-20 20:29:16

标签: php mysql

我有目录条目表单,我可以在目录中添加和编辑用户。我能够查看现有用户和所有属性,但是当我输入新用户数据或编辑现有用户数据时,我无法对数据库进行更改。如果给出的信息不充分,请告诉我

case "submit":
    //user clicked the "submit" button on either the "edit record" page or "add new record" page.
    $id=$_POST['ID'];
    $FName=$_POST['Fname'];
    $LName = $_POST['Lname'];
    $Position =$_POST['position'];
    $Phone=$_POST['phone'];
    $Email=$_POST['email'];
    $Site = $_POST['site'];
    $Room=$_POST['room'];
    $Bio=$_POST['bio'];
    $Status=$_POST['status'];
    $DeptID=$_POST['DeptID'];
    $SortOrder=$_POST['SortOrder'];
    $Image = $_FILES['image']['name'];
    $Old_image = $_POST['old_image'];
    $edit=$_POST['edit'];
    if($Image == '')
        $Image=$Old_image;

    if($edit) {
        //user came from the "edit record page"
        //update user information in database
        $sql = mysql_query("UPDATE directory SET 
               FName = '$FName', LName = '$LName', position='$Position',
               phone = '$Phone', email = '$Email', site = '$Site', room = '$Room', 
               bio = '$Bio', status = '$Status', DeptID = '$DeptID', SortOrder = '$SortOrder', 
               image = '$Image'
           WHERE ID = '$id';"
        );

        //uploads staff photo only if staff photo has been changed by user.
        img_upload($Old_image); 
        $Result = mysql_query($sql, $ownDB) or die(mysql_error());
        if($sql){
            //info successfully updated
            echo "Record Modified.";
        }
    } else if($add) {
        //add new user to database
        $sql = mysql_query("INSERT INTO directory
                            (FName, LName, position,
                            phone , email , site, 
                            room , bio ,
                            status, DeptID , SortOrder,
                            image) 
                           VALUES ('$FName', '$LName', '$Position',
                                   '$Phone', '$Email', '$Site',  '$Room',
                                   '$Bio', '$Status', '$DeptID', '$SortOrder', '$Image');");
        //uploads staff photo only if staff photo has been changed by user.
        img_upload(); 
        $Result = mysql_query($sql, $ownDB) or die(mysql_error());

        if($sql)
            //user successfully added
            echo "Record Added.";
    }
    break;

1 个答案:

答案 0 :(得分:1)

您有多个问题:

a)易受SQL injection attacks

影响

b)错误的代码:

此:

$sql = mysql_query("UPDATE directory SET  etc.... ");

实际上是执行你的查询,并返回一个语句句柄, NOT 你刚刚定义的sql字符串。

然后,您可以使用此$sql句柄,并尝试将其作为另一个查询重新运行:

$Result = mysql_query($sql, $ownDB) or die(mysql_error());

完全无效。 mysql_query需要SQL STRING ,而不是结果句柄。

你想:

$sql = "UPDATE blah blah blah";
$result = mysql_query($sql) or die(mysql_error());

代替。现在注意$sql只是一个字符串定义,而不是函数调用结果。

c)您正在使用已弃用和过时的mysql _ *()函数。别。切换到mysqli(注意i)或PDO。

相关问题
最新问题