我试图通过表单更新我的数据库。
部分代码正在运行,因为它从表中检索数据并在表单中显示,但sql更新代码不会更改后端的值。
代码片段如下所示,任何帮助都将受到赞赏:
<html>
<head>
<body>
<?php
$con = mysql_connect("localhost","user","pass");
if(!$con){
die("Cannot Connect to database:" . mysql_error());
}
mysql_select_db("intranet",$con);
$sql = "SELECT * FROM progress_sheet";
$myData = mysql_query($sql,$con);
if(isset($_POST['update'])){
$UpdateQuery = "UPDATE progress_sheet SET jobdescription='$_POST[jobdescription]' WHERE id='$_POST[hidden]'";
mysql_query($UpdateQuery, $con);
};
echo "<table border=1>
<tr>
<th>Job Description</th>
</tr>";
while($record = mysql_fetch_array($myData)){
echo "<form action=save.php method=post>";
echo "<tr>";
echo "<td>" . "<input type=text name=jobdescription value=" . $record['jobdescription'] . " </td>";
echo "<td>" . "<input type=hidden name=hidden value=" . $record['hidden'] . " </td>";
echo "<td>" . "<input type=submit name=update value=update" . " </td>";
echo "</form>";
}
echo "</table>";
?>
</body>
</head>
</html>
*
答案 0 :(得分:0)
这是通过简单检查来防止sql注入的基本示例。请注意,不推荐使用mysql函数。你可以使用mysqli函数。
<html>
<head>
<body>
<?php
$con = mysql_connect("localhost","user","pass");
if(!$con){
die("Cannot Connect to database:" . mysql_error());
}
mysql_select_db("intranet",$con);
$sql = "SELECT * FROM progress_sheet";
$myData = mysql_query($sql,$con);
if(isset($_POST['update'])){
//do basic checks to prevent sql injections
$jobdescription = isset($_POST['jobdescription']) ? trim($_POST['jobdescription'] : '');
$hidden = isset($_POST['hidden']) ? trim($_POST['hidden'] : '');
$jobdescription = mysql_real_escape_string($jobdescription);
$hidden = mysql_real_escape_string($hidden);
if(empty($jobdescription) || empty($hidden)){
//handle errors here
//exit;
//or do error logging $errors[] = "Your error message"
//or redirect with header(...);
}
$UpdateQuery = "UPDATE progress_sheet SET jobdescription='$jobdescription' WHERE id='$hidden'";
mysql_query($UpdateQuery, $con);
};
echo "<table border=1>
<tr>
<th>Job Description</th>
</tr>";
while($record = mysql_fetch_array($myData)){
echo "<form action=save.php method=post>";
echo "<tr>";
echo "<td>" . "<input type=text name=jobdescription value=" . $record['jobdescription'] . " </td>";
echo "<td>" . "<input type=hidden name=hidden value=" . $record['id'] . " </td>";
echo "<td>" . "<input type=submit name=update value=update" . " </td>";
echo "</form>";
}
echo "</table>";
?>
</body>
</head>
</html>
在.php文件的顶部,您应该启用错误报告,这将帮助您进行调试:
<?php
// Turn off error reporting
error_reporting(0);
// Report runtime errors
error_reporting(E_ERROR | E_WARNING | E_PARSE);
// Report all errors
error_reporting(E_ALL);
// Same as error_reporting(E_ALL);
ini_set("error_reporting", E_ALL);
// Report all errors except E_NOTICE
error_reporting(E_ALL & ~E_NOTICE);
?>
答案 1 :(得分:0)
在您的代码中发现了多个错误,
1缺少单引号和双引号。
2表单已发布到另一个文件save.php(引号也缺失)
<html>
<head>
<body>
<?php
$con = mysql_connect("localhost","user","pass");
if(!$con){
die("Cannot Connect to database:" . mysql_error());
}
mysql_select_db("intranet",$con);
$sql = "SELECT * FROM progress_sheet";
$myData = mysql_query($sql,$con);
if(isset($_POST['update'])){
$jobdescription = $_POST['jobdescription']; // See here
$id = $_POST['hidden']; // See here
$UpdateQuery = "UPDATE progress_sheet SET jobdescription='$jobdescription' WHERE id='$id'";
mysql_query($UpdateQuery, $con);
};
echo "<table border=1>
<tr>
<th>Job Description</th>
</tr>";
while($record = mysql_fetch_array($myData)){
echo "<form action='' method='post'>"; // See Here. The form is posted to another page
echo "<tr>";
echo "<td>" . "<input type=text name=jobdescription value=" . $record['jobdescription'] . " </td>";
echo "<td>" . "<input type=hidden name=hidden value=" . $record['id'] . " </td>";
echo "<td>" . "<input type=submit name=update value=update" . " </td>";
echo "</form>";
}
echo "</table>";
?>
</body>
</head>
</html>
答案 2 :(得分:0)
$UpdateQuery = 'UPDATE progress_sheet SET jobdescription="'.mysql_real_escape_string(isset($_POST['jobdescription']) ? $_POST['jobdescription'] : '').'" WHERE id='.(isset($_POST['hidden']) ? $_POST['hidden']*1 : 0);
停止使用mysql_*函数并移至mysqli_*函数,因为您正在使用的函数已弃用。