PHP代码不将表单值更新到数据库

时间:2015-04-19 22:22:30

标签: php html mysqli

我在我的数据库中有一个示例数据,我试图在表单提交中覆盖我的数据,主键的PageID设置为0,我的查询对我的知识是正确的,我提交时没有错误只是没有数据进入数据库。这是整个PHP文档。

<?php
if(isset($_POST['update'])){
  $pageid = 0; 

 $dbc = @mysqli_connect ('localhost', 'elinksw_ju1ez', '*******', 'elinksw_ju1ez') OR die ('<p class="error">Cannot connect to the database.</body></html>');

 $q = "UPDATE tblContent SET PageHeading='$_POST[PageHeading]' ,SubHeading='$_POST[SubHeading]' ,Content='$_POST[Content]' ,PageTitle='$_POST[PageTitle]' ,MetaDescription='$_POST[MetaDescription]' ,MetaKeywords='$_POST[MetaKeywords]'  WHERE PageID='$pageid'";
 $r = mysqli_query($dbc, $q);
mysqli_close($dbc);

 }
?>
<html>
<head>
<link rel="stylesheet" type="text/css" href="./includes/adminStyle.css">
<title>Administration - Edit content</title>
</head>

<body>
<header>
<h1>Edit Content</h1>
<h2>Welcome Administrator</h2>
</header>

<nav>
<a href="admin.php" class="myButton">Manage Homepage</a><br>
<a href="admin.php" class="myButton">Manage Products</a><br>
<a href="admin.php" class="myButton">Manage Contacts</a><br>
</nav>

<section>
<h2>Manage Homepage</h2>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

<table width="300" cellpadding="2" cellspacing="2">
    <tr>
    </tr>
    <tr>
        <td>Page Heading:</td>
        <td><input type="text" name="PageHeading"></td> </tr>
    <tr>
        <td>Sub Heading:</td>
        <td><input type="text" name="SubHeading"></td>  </tr>
    <tr>
        <td>Page Title:</td>
        <td><input type="text" name="PageTitle"></td>   </tr>
    <tr>
        <td>MetaDescription:</td>
        <td><textarea style="width:300px;" cols="55" rows="5" name="MetaDescription"></textarea></td>   </tr>
    <tr>
        <td>MetaKeywords:</td>
        <td><input type="text" name="MetaKeywords"></td>    </tr>
    <tr>
        <td>Content:</td>
        <td><textarea style="width:300px;" cols="55" rows="5" name="Content"></textarea></td>   </tr>
    <tr>
        <td><input type="submit" name="update" value = "Update Database"></td>  </tr>

</section>
</form>
</body> 
</html>

这是数据库中的表

1 个答案:

答案 0 :(得分:4)

首先,您的代码很危险,容易受到注入攻击,您必须过滤并转义$ _POST变量(http://corpocrat.com/2009/07/28/filtering-escaping-post-data-from-injection-attacks

快速&amp;肮脏的解决方案,以了解正在发生的事情将涉及:

$PageHeading = mysqli_real_escape_string($dbc, $_POST['PageHeading']);
$subHeading = mysqli_real_escape_string($dbc, $_POST['SubHeading']);
$Content = mysqli_real_escape_string($dbc, $_POST['Content']);
$PageTitle = mysqli_real_escape_string($dbc, $_POST['PageTitle']);
$MetaDescription = mysqli_real_escape_string($dbc, $_POST['MetaDescription']);
$MetaKeywords = mysqli_real_escape_string($dbc, $_POST['MetaKeywords']);
$q = "UPDATE tblContent SET PageHeading='$PageHeading' ,SubHeading='$SubHeading' ,Content='$Content' ,PageTitle='$PageTitle' ,MetaDescription='$MetaDescription' ,MetaKeywords='$MetaKeywords'  WHERE PageID='$pageid'";
$r = mysqli_query($dbc, $q) or die(mysqli_error($dbc)); //remove this on production