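Updating with a form won't work (PHP)

Time: 2014-10-19 05:44:13

Tags: php mysql

I'm trying to make an update form to update the notifications in my database, but it does nothing. I don't even get an error, which means there is nothing wrong with my syntax, so maybe I'm doing something wrong in the query?

Code: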

<?php
include 'core/int.php';
admin_protect();
include 'includes/head.php';
include 'head.php';
include 'includes/body.php';
include 'body.php';
?>       
<?php
if(!isset($_POST['submit'])){
$sql="SELECT * FROM Notification WHERE id = $_GET[edit]";
$data=mysql_query($sql);
$not_data = mysql_fetch_array($data);
}
//What i want to update also i know this is vulnerable to a sql injection ill sanitize it later 
    if(isset($_POST['submit'])){
    $sql = "UPDATE Notification SET name = '$_POST[name]' WHERE id = '$_POST[id]'";
    mysql_query($sql);
    }
?>
<pre>      
  <form action="" method="post"> 
<div class="input-group input-group-lg">
  <span class="input-group-addon">Name</span>
  <input type="text" name="name" class="form-control" value="<?php echo $not_data['name'];?>">
</div>
<div class="input-group input-group-lg">
  <span class="input-group-addon">Date</span>
  <input type="text" name="Date" class="form-control" value="<?php echo $not_data['date'];?>">
</div>
<div class="input-group input-group-lg">
  <span class="input-group-addon">Content</span>
  <textarea type="text" name="content" class="form-control" rows="3"><?php echo $not_data['content'];?></textarea>
</div>
<div class="input-group input-group-lg">
  <select class="form-control" name="active">
  <?php if($not_data['active'] == 'Active'){
  echo '
  <option>Active</option>
  <option>Not Active</option>
  ';
  } else if($not_data['active'] == 'Not Active'){
  echo '<option>Not Active</option>
  <option>Active</option>
  ';
  }?>
 </select>
</div>
<div class="input-group input-group-lg">
  <select class="form-control" name="new">
  <?php if($not_data['new'] == 'New'){
  echo '
  <option>New</option>
  <option>Old</option>
  ';
  } else if($not_data['new'] == 'Old'){
  echo '<option>Old</option>
  <option>New</option>
  ';
  }?>
 </select>
</div>
<div class="input-group input-group-lg">
  <select class="form-control" name="posted_by">
  <option>Sincearly , Duckys Inc Team</option>
  <option>Sincearly , <?php echo $user_data['username'];?></option>
 </select>
</div>
 <div>
 <input type="hidden" name="id" value="<?php echo $_GET['edit'];?>">
<input type="submit" value="Edit" class="btn btn-primary btn-lg">
</div>
<?php print_r($_POST);?>
 </form>
 </pre>

1 answer:

Answer 0: (score: 1)

Try adding single quotes in this statement:

$sql="SELECT * FROM Notification WHERE id = $_GET[edit]";

TO:

$sql="SELECT * FROM Notification WHERE id = '$_GET[edit]'";

On another note, you are open to injection. If $_GET['edit'] is supposed to be a number, you should at least use if(is_numeric($_GET['edit'])) or preg_replace('/[^0-9]/',"",$_GET['edit'])

The same goes for:

"UPDATE Notification SET name = '$_POST[name]' WHERE id = '$_POST[id]'";

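The best case is to switch to PDO or mysqli_ from the insecure, deprecated mysql_ list of functions. Below is a simple database class that I hope helps some people switch from mysql to (in this case) PDO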

<?php
    class   DBEngine
        {
            public  $con;
            public  $errors;
            public  function __construct($host="localhost",$db = "dbname",$user="db_userName",$pass="mypassword")
                {
                    try {
                            $this->con  =   new PDO("mysql:host=$host;dbname=$db",$user,$pass, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_WARNING));
                        }
                    catch (Exception $e) {
                          return 0;
                        }
                }

            // Simple fetch and return method
            public  function Fetch($_sql)
                {
                    $query  =   $this->con->prepare($_sql);
                    $query->execute();
                    $this->errors['fetch'][]    =   $query->errorInfo();

                    if($query->rowCount() > 0) {
                            while($rows = $query->fetch(PDO::FETCH_ASSOC)) {
                                    $array[]    =   $rows;
                                }
                        }

                    return (isset($array) && $array !== 0 && !empty($array))? $array: 0;
                }

            // Simple write to db method
            public  function Write($_sql)
                {
                    $query  =   $this->con->prepare($_sql);
                    $query->execute();
                    $this->errors['insert'][]   =   $query->errorInfo();
                }
        }

// Initiate new DBEngine App
$query  =   new DBEngine();

include('core/int.php');
admin_protect();
include('includes/head.php');
include('head.php');
include('includes/body.php');
include('body.php');

if(isset($_POST['submit']))
    $query->Write("UPDATE Notification SET name = '".htmlentities($_POST['name'], ENT_QUOTES)."' WHERE id = '".preg_replace('/[^0-9]/',"",$_POST['id'])."'");
    else {
            if(is_numeric($_GET['edit']))
                $not_data   =   $query->Fetch("SELECT * FROM Notification WHERE id = '".$_GET['edit']."'");
        }

    if(isset($not_data) && $not_data !== 0) { ?>
<pre>      
    <form action="" method="post"> 
        <div class="input-group input-group-lg">
            <span class="input-group-addon">Name</span>
            <input type="text" name="name" class="form-control" value="<?php echo $not_data[0]['name'];?>">
        </div>
        <div class="input-group input-group-lg">
            <span class="input-group-addon">Date</span>
            <input type="text" name="Date" class="form-control" value="<?php echo $not_data[0]['date'];?>">
        </div>
        <div class="input-group input-group-lg">
            <span class="input-group-addon">Content</span>
            <textarea type="text" name="content" class="form-control" rows="3"><?php echo $not_data[0]['content'];?></textarea>
        </div>
        <div class="input-group input-group-lg">
            <select class="form-control" name="active"><?php
                if($not_data[0]['active'] == 'Active'){ ?>
                <option>Active</option>
                <option>Not Active</option><?php }
                elseif($not_data[0]['active'] == 'Not Active'){ ?>
                <option>Not Active</option>
                <option>Active</option><?php } ?>
            </select>
        </div>
        <div class="input-group input-group-lg">
            <select class="form-control" name="new"><?php
            if($not_data[0]['new'] == 'New') { ?>
                <option>New</option>
                <option>Old</option><?php }
            elseif($not_data[0]['new'] == 'Old') { ?>
                <option>Old</option>
                <option>New</option><?php }?>
            </select>
        </div>
        <div class="input-group input-group-lg">
            <select class="form-control" name="posted_by">
                <option>Sincearly , Duckys Inc Team</option>
                <option>Sincearly , <?php echo $user_data[0]['username'];?></option>
            </select>
        </div>
        <div>
            <input type="hidden" name="id" value="<?php echo strip_tags($_GET['edit']);?>">
            <input type="submit" name="submit" value="Edit" class="btn btn-primary btn-lg">
        </div>
    </form>
    <?php
    print_r($_GET);
    print_r($_POST); 
    print_r($query->errors); ?>
</pre>
 <?php }
 else { ?>Invalid Id.<?php } ?>
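
The answer's advice to move to PDO, as an added example that is not part of the original answer: the page's SELECT and UPDATE run with bound parameters instead of values concatenated into the SQL string. It assumes an in-memory SQLite database in place of MySQL so it runs offline; `valid_id`, `update_name` and `fetch_notification` are hypothetical helper names, and the inputs are constructed.

```php
<?php
// Added example: in-memory SQLite stands in for the page's MySQL database
// (an assumption, so the script runs offline); table/column names follow the page.
$pdo = new PDO('sqlite::memory:', null, null,
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$pdo->exec("CREATE TABLE Notification (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO Notification (id, name) VALUES (1, 'First'), (2, 'Second')");

// Hypothetical helper: accept only a positive integer id, otherwise null.
function valid_id($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return $id === false ? null : $id;
}

// Hypothetical helper: the page's UPDATE with bound parameters.
// Returns the number of rows changed, or null when the id is rejected.
function update_name(PDO $pdo, $rawId, $name)
{
    $id = valid_id($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('UPDATE Notification SET name = :name WHERE id = :id');
    $stmt->execute(array(':name' => $name, ':id' => $id));
    return $stmt->rowCount();
}

// Hypothetical helper: the page's SELECT, also with a bound id.
function fetch_notification(PDO $pdo, $rawId)
{
    $id = valid_id($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM Notification WHERE id = :id');
    $stmt->execute(array(':id' => $id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for $_POST['id'] and $_POST['name'];
// the name contains quotes, markup and a backslash on purpose.
$post = array('id' => '1', 'name' => "O'Reilly \"<b>x</b>\" \\");
var_dump(update_name($pdo, $post['id'], $post['name']));
var_dump(update_name($pdo, '1 OR 1=1', 'changed'));   // non-numeric id is refused
$row = fetch_notification($pdo, '1');
var_dump($row['name'] === $post['name']);             // compare stored value to input
echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n"; // encode at output time
```

The value is stored as submitted and HTML-encoded only where it is echoed into the form, so the database holds the original text rather than entities.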