我试图制作一个更新表单来更新我的数据库上的通知,但它什么都不做 我甚至没有收到错误,这意味着我的语法没有任何问题,所以也许我在查询上做错了什么?
代码:
<?php
include 'core/int.php';
admin_protect();
include 'includes/head.php';
include 'head.php';
include 'includes/body.php';
include 'body.php';
?>
<?php
if(!isset($_POST['submit'])){
$sql="SELECT * FROM Notification WHERE id = $_GET[edit]";
$data=mysql_query($sql);
$not_data = mysql_fetch_array($data);
}
//What i want to update also i know this is vulnerable to a sql injection ill sanitize it later
if(isset($_POST['submit'])){
$sql = "UPDATE Notification SET name = '$_POST[name]' WHERE id = '$_POST[id]'";
mysql_query($sql);
}
?>
<pre>
<form action="" method="post">
<div class="input-group input-group-lg">
<span class="input-group-addon">Name</span>
<input type="text" name="name" class="form-control" value="<?php echo $not_data['name'];?>">
</div>
<div class="input-group input-group-lg">
<span class="input-group-addon">Date</span>
<input type="text" name="Date" class="form-control" value="<?php echo $not_data['date'];?>">
</div>
<div class="input-group input-group-lg">
<span class="input-group-addon">Content</span>
<textarea type="text" name="content" class="form-control" rows="3"><?php echo $not_data['content'];?></textarea>
</div>
<div class="input-group input-group-lg">
<select class="form-control" name="active">
<?php if($not_data['active'] == 'Active'){
echo '
<option>Active</option>
<option>Not Active</option>
';
} else if($not_data['active'] == 'Not Active'){
echo '<option>Not Active</option>
<option>Active</option>
';
}?>
</select>
</div>
<div class="input-group input-group-lg">
<select class="form-control" name="new">
<?php if($not_data['new'] == 'New'){
echo '
<option>New</option>
<option>Old</option>
';
} else if($not_data['new'] == 'Old'){
echo '<option>Old</option>
<option>New</option>
';
}?>
</select>
</div>
<div class="input-group input-group-lg">
<select class="form-control" name="posted_by">
<option>Sincearly , Duckys Inc Team</option>
<option>Sincearly , <?php echo $user_data['username'];?></option>
</select>
</div>
<div>
<input type="hidden" name="id" value="<?php echo $_GET['edit'];?>">
<input type="submit" value="Edit" class="btn btn-primary btn-lg">
</div>
<?php print_r($_POST);?>
</form>
</pre>
答案 0 :(得分:1)
尝试在此语句中添加单引号:
$sql="SELECT * FROM Notification WHERE id = $_GET[edit]";
TO:
$sql="SELECT * FROM Notification WHERE id = '$_GET[edit]'";
另一方面,您正在打开注射。如果$_GET['edit']
应该是一个数字,那么您至少应该if(is_numeric($_GET['edit']))
或preg_replace('/[^0-9]/',"",$_GET['edit'])
。
同样适用于:
"UPDATE Notification SET name = '$_POST[name]' WHERE id = '$_POST[id]'";
最好的情况是将PDO
或mysqli_
更改为非安全的非删除mysql函数列表。下面是一个简单的数据库类,我想帮助一些人从mysql
切换到(在这种情况下)PDO
:
<?php
class DBEngine
{
public $con;
public $errors;
public function __construct($host="localhost",$db = "dbname",$user="db_userName",$pass="mypassword")
{
try {
$this->con = new PDO("mysql:host=$host;dbname=$db",$user,$pass, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_WARNING));
}
catch (Exception $e) {
return 0;
}
}
// Simple fetch and return method
public function Fetch($_sql)
{
$query = $this->con->prepare($_sql);
$query->execute();
$this->errors['fetch'][] = $query->errorInfo();
if($query->rowCount() > 0) {
while($rows = $query->fetch(PDO::FETCH_ASSOC)) {
$array[] = $rows;
}
}
return (isset($array) && $array !== 0 && !empty($array))? $array: 0;
}
// Simple write to db method
public function Write($_sql)
{
$query = $this->con->prepare($_sql);
$query->execute();
$this->errors['insert'][] = $query->errorInfo();
}
}
// Initiate new DBEngine App
$query = new DBEngine();
include('core/int.php');
admin_protect();
include('includes/head.php');
include('head.php');
include('includes/body.php');
include('body.php');
if(isset($_POST['submit']))
$query->Write("UPDATE Notification SET name = '".htmlentities($_POST['name'], ENT_QUOTES)."' WHERE id = '".preg_replace('/[^0-9]/',"",$_POST['id'])."'");
else {
if(is_numeric($_GET['edit']))
$not_data = $query->Fetch("SELECT * FROM Notification WHERE id = '".$_GET['edit']."'");
}
if(isset($not_data) && $not_data !== 0) { ?>
<pre>
<form action="" method="post">
<div class="input-group input-group-lg">
<span class="input-group-addon">Name</span>
<input type="text" name="name" class="form-control" value="<?php echo $not_data[0]['name'];?>">
</div>
<div class="input-group input-group-lg">
<span class="input-group-addon">Date</span>
<input type="text" name="Date" class="form-control" value="<?php echo $not_data[0]['date'];?>">
</div>
<div class="input-group input-group-lg">
<span class="input-group-addon">Content</span>
<textarea type="text" name="content" class="form-control" rows="3"><?php echo $not_data[0]['content'];?></textarea>
</div>
<div class="input-group input-group-lg">
<select class="form-control" name="active"><?php
if($not_data[0]['active'] == 'Active'){ ?>
<option>Active</option>
<option>Not Active</option><?php }
elseif($not_data['active'] == 'Not Active'){ ?>
<option>Not Active</option>
<option>Active</option><?php } ?>
</select>
</div>
<div class="input-group input-group-lg">
<select class="form-control" name="new"><?php
if($not_data[0]['new'] == 'New') { ?>
<option>New</option>
<option>Old</option><?php }
elseif($not_data[0]['new'] == 'Old') { ?>
<option>Old</option>
<option>New</option><?php }?>
</select>
</div>
<div class="input-group input-group-lg">
<select class="form-control" name="posted_by">
<option>Sincearly , Duckys Inc Team</option>
<option>Sincearly , <?php echo $user_data[0]['username'];?></option>
</select>
</div>
<div>
<input type="hidden" name="id" value="<?php echo strip_tags($_GET['edit']);?>">
<input type="submit" name="submit" value="Edit" class="btn btn-primary btn-lg">
</div>
</form>
<?php
print_r($_GET);
print_r($_POST);
print_r($query->errors); ?>
</pre>
<?php }
else { ?>Invalid Id.<?php } ?>