如何使用PHP更新多个数据

时间:2014-11-16 03:09:54

标签: php mysql

我是这里的新手,我有一个问题,我自己无法找到确切的解决方案...这里是...我需要建立一个系统,将更新所有员工的信息。通过该系统,人力资源部门的工作人员将输入所有员工的信息。我一直在创建这个代码来更新员工信息,但它似乎不能用我真正想要的功能....我只是想按行更新,但是,它会转而更新数据库中的所有行......

<?php
session_start();
include ("includes/database.php");
include ("includes/security.php");
include ("includes/config.php");

$nama=$_SESSION["nama"];
$pwd=$_SESSION["status"];

$nama=$_POST["st_nama"];
$siri1=$_POST["st_siri"];
$siri2=$_POST["st_siri2"];
$siri3=$_POST["st_siri3"];
$jawatan=$_POST["st_jawatan"];
$gred=$_POST["st_gred"];
$gredh=$_POST["st_gredh"];
$gelaran=$_POST["st_gelaran"];
$elaun=$_POST["st_elaun"];
$id=$_GET["id"];

$dataPengguna2= mysql_query("SELECT * FROM tbl_rekod where id='$id'");


mysql_query("UPDATE tbl_rekod set st_nama='$nama', st_siri='$siri1', st_siri2='$siri2', st_siri3='$siri3', st_jawatan='$jawatan', st_gred='$gred', st_gredh='$gredh', st_gelaran='$gelaran', st_elaun='$elaun' WHERE id='$id'") or die (mysql_error());

$status = "REKOD BERJAYA DIKEMASKINI!<br/><a href = 'stafflogin.php'><strong>KEMBALI KE LAMAN UTAMA</strong></a>";



?>

1 个答案:

答案 0 :(得分:0)

这将有助于解决您的sql注入问题,并且还可能修复更新1与多行问题。此方法使用PHP中的PDO库。您可以在PHP站点上查看有关使用PDO的更多信息。它取代了PHP版本中不再包含的mysql_命令集。

// Below replaces the mysql_connect() so it requires db credentials filled in
try {
        $host   =   'hostname';
        $db     =   'databasename';
        $user   =   'username';
        $pass   =   'password';
        $con    =   new PDO("mysql:host=$host;dbname=$db",$user,$pass, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_WARNING));
    }
// This replaces the die("error message") potion of a mysql_connect() set-up
catch (Exception $e) {
      $_errors['connect']['message']    =   $e->getMessage();
      $_errors['connect']['error_code'] =   $e->getCode();
    }

$nama       =   $_SESSION["nama"];
$pwd        =   $_SESSION["status"];

$nama       =   $_POST["st_nama"];
$siri1      =   $_POST["st_siri"];
$siri2      =   $_POST["st_siri2"];
$siri3      =   $_POST["st_siri3"];
$jawatan    =   $_POST["st_jawatan"];
$gred       =   $_POST["st_gred"];
$gredh      =   $_POST["st_gredh"];
$gelaran    =   $_POST["st_gelaran"];
$elaun      =   $_POST["st_elaun"];
$id         =   $_GET["id"];

// You should do just a preliminary check that the id is a numeric value
// No sense in continuing if someone tries to foil the natural
// order of your code
if(is_numeric($id)) {
        // The next 3 lines would be equivalent to the mysql_query("statement here")
        // as well as a more robust version of mysql_real_escape_string(). It does more,
        // but for sake of explanation it does that and more.
        $dataPengguna2  =   $con->prepare("SELECT * FROM tbl_rekod where id=:id");
        // Binding paramaters basically sanitizes the value being inserted into your query
        $dataPengguna2->bindParam(':id',$id);
        $dataPengguna2->execute();

        // There is no indication of what you are doing with the select above

        // Set up the update statement
        $query  =   $con->prepare("UPDATE tbl_rekod set st_nama=:st_nama, st_siri=:st_siri, st_siri2=:st_siri2, st_siri3=:st_siri3, st_jawatan=:st_jawatan, st_gred=:st_gred, st_gredh=:st_gredh, st_gelaran=:st_gelaran, st_elaun=:st_elaun WHERE id=:id");
        // Bind all the values to sanitize against injection
        // You could do a function that loops through an array of values,
        // but this is one way to do it manually
        $query->bindParam(':st_nama',$nama);
        $query->bindParam(':st_siri',$siri1);
        $query->bindParam(':st_siri2',$siri2);
        $query->bindParam(':st_siri3',$siri3);
        $query->bindParam(':st_jawatan',$jawatan);
        $query->bindParam(':st_gred',$gred);
        $query->bindParam(':st_gredh',$gredh);
        $query->bindParam(':st_gelaran',$gelaran);
        $query->bindParam(':st_elaun',$elaun);
        $query->bindParam(':id',$id);
        $query->execute();

        // Print out error info. There may be something of value here
        // that may help you figure out why it's trying to update all your rows
        // instead of just the one.
        print_r($query->errorInfo());

        $status = "REKOD BERJAYA DIKEMASKINI!<br/><a href = 'stafflogin.php'><strong>KEMBALI KE LAMAN UTAMA</strong></a>";
    } ?>