Updating a record in a MySQL database with PHP

Time: 2016-03-03 19:41:22

Tags: php mysql

Consider:

<form action="sql5_2.php" method="POST">
    <h3>Update customer Record</h3>
    <input type = "text" name ="PATNUM" placeholder ="Enter Patient number "><br>
    <input type = "text" name ="PAT_FORENAME" placeholder ="Enter Patient Forename "><br>
    <input type = "text" name ="PAT_SURNAME" placeholder ="Enter Patient Lastname"><br>
    <input type = "text" name ="STREET_ADDRESS" placeholder ="Enter Address"><br>
    <input type = "text" name ="TOWN" placeholder ="Enter Town"><br>
    <input type = "text" name ="POST_CODE" placeholder ="Enter Postcode"><br>
    <input type = "text" name ="AGE" placeholder ="Enter Patient Age"><br>
    <br><input type = "submit" value ="Save"><br>
</form>

<?php
    $conn = mysqli_connect ("localhost", "B00657633", "Jpr3EjPw")
              or die ("could not connect: " . mysqli_error($conn));
    print "successful connection<br>";

    mysqli_select_db($conn, 'B00657633') or die ('db will not open');

    $patnum = $_POST[PATNUM];
    $firstname = $_POST[PAT_FORENAME];
    $lastname = $_POST[PAT_SURNAME];
    $address = $_POST[STREET_ADDRESS];
    $town = $_POST[TOWN];
    $postcode = $_POST[POST_CODE];
    $age = $_POST[AGE];

    $sql = "UPDATE patient3 SET PATNUM='$patnum', PAT_FORNAME='$firstname', STREET_ADDRESS='$address', TOWN='$town' , POST_CODE='$postcode' , AGE='$age' WHERE PATNUM= $patnum";

    if (mysqli_query($conn, $sql)) {
        echo "Record updated successfully";
        echo '<br><a class="button" href="sql5_2.php?PATNUM=' . $patnum . '">View updated records</a><br>';
    }

    mysqli_close($conn);
?>

3 answers:

Answer 0 (score: 1)

Your POST variables must be single-quoted:

$patnum = $_POST[PATNUM];

must be

$patnum = $_POST['PATNUM'];

This applies to all of them.

Likewise, the where condition must be single-quoted:

$sql = "UPDATE patient3 SET PATNUM='$patnum', PAT_FORNAME='$firstname', STREET_ADDRESS='$address', TOWN='$town' , POST_CODE='$postcode' , AGE='$age' WHERE PATNUM= '$patnum'";

Note the error reporting level.

If the error reporting level on the server is not set to catch them by default, the unquoted POST array will work.

It tries to resolve the identifier as a constant, and if the constant does not exist, PHP assumes the identifier should have been quoted.

Otherwise, with error_reporting(E_ALL); it produces:

E_NOTICE: type 8 - Use of undefined constant PATNUM - assumed 'PATNUM'

So it is generally best to catch all errors and quote the POST array.

Reference:

Answer 1 (score: 1)

$_POST is an array, so use a key to get the value, like

$value = $_POST['key'];

You missed wrapping the key in quotes ('), like

$patnum = $_POST['PATNUM'];
$firstname = $_POST['PAT_FORENAME'];
$lastname = $_POST['PAT_SURNAME'];
$address = $_POST['STREET_ADDRESS'];
$town = $_POST['TOWN'];
$postcode = $_POST['POST_CODE'];
$age = $_POST['AGE'];

Note the error reporting level.

If the error reporting level on the server is not set to catch them by default, the unquoted POST array will work.

It tries to resolve the identifier as a constant, and if the constant does not exist, PHP assumes the identifier should have been quoted.

Otherwise, with error_reporting(E_ALL); it produces:

E_NOTICE: type 8 - Use of undefined constant PATNUM - assumed 'PATNUM'

So it is generally best to catch all errors and quote the POST array.

Reference:

Answer 2 (score: 0)

First of all, consider this as an example to get you in the right direction, not something to be used in production.

It is important to validate user input; the minimum would be to:

  • Check if a variable is set in $_POST before trying to access it, using isset(), empty() ...
  • Validate the data it contains: do you expect an INT, a range between 2 - 99, an email ...
  • Use prepared statements to protect from SQL injection; if not possible, use mysqli_real_escape_string at least.

Html form:

<form action="sql5_2.php" method="POST">
    <h3>Update customer Record</h3>        
        <input type = "text" name ="PATNUM" placeholder ="Enter Patient number "><br>
        <input type = "text" name ="PAT_FORENAME" placeholder ="Enter Patient Forename "><br>
        <input type = "text" name ="PAT_SURNAME" placeholder ="Enter Patient Lastname"><br>
        <input type = "text" name ="STREET_ADDRESS" placeholder ="Enter Address"><br>
        <input type = "text" name ="TOWN" placeholder ="Enter Town"><br>
        <input type = "text" name ="POST_CODE" placeholder ="Enter Postcode"><br>
        <input type = "text" name ="AGE" placeholder ="Enter Patient Age"><br>
        <br><input type = "submit" value ="Save"><br>
</form>

Here's the PHP sql5_2.php file:

<?php
// I assume this is an example, but in real life don't print errors to the client
$conn = mysqli_connect ("localhost", "*********", "********")
    or die ("could not connect: " . mysqli_error($conn));
print "successful connection<br>";

mysqli_select_db($conn, 'B00657633') or die ('db will not open');


if ( !isset($_POST['PATNUM']) )
{
    die("No 'Patient number' supplied");
} else
{
    // Here validate the patient number
    // I assume it's a natural number auto-generated by DB
    if (1 !== @preg_match('/(^0$)|(^[1-9]{1}\d*)$/', $_POST['PATNUM'] ))
    {
        // escape before echoing user input back to the browser
        die("Invalid 'Patient number': " . htmlspecialchars($_POST['PATNUM'], ENT_QUOTES, 'UTF-8'));
    }

    $patnum = $_POST['PATNUM'];
}

$firstname = $lastname = $address = $town = $postcode = $age = NULL;

// At least some basic SQL Injection prevention
if ( isset($_POST['PAT_FORENAME']) )
{
    $firstname = mysqli_real_escape_string($conn, $_POST['PAT_FORENAME']);
}

// Use the same style for the other variables

// Example using direct query
$sql = "UPDATE patient3 SET "
    ." PAT_FORNAME='$firstname' "
    ." WHERE PATNUM= $patnum";

if (mysqli_query($conn, $sql)) {
    echo "Record updated successfully";
} else {
    die("Record could not be updated");
}

mysqli_close($conn);

If using prepared statements, follow the example below:

if ( !isset($_POST['PATNUM']) )
{
    die("No 'Patient number' supplied");
} else
{
    // Here validate the patient number
    // I assume it's a natural number auto-generated by DB
    if (1 !== @preg_match('/(^0$)|(^[1-9]{1}\d*)$/', $_POST['PATNUM'] ))
    {
        // escape before echoing user input back to the browser
        die("Invalid 'Patient number': " . htmlspecialchars($_POST['PATNUM'], ENT_QUOTES, 'UTF-8'));
    }

    $patnum = $_POST['PATNUM'];
}

if ( !isset($_POST['PAT_FORENAME']) )
{
    die('No name supplied');
}

$db = new mysqli('localhost', '*******', '********', 'B00657633');

if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    die();
}

// The forename is bound to the column being updated, the validated number to the WHERE clause
$statement = $db->prepare("UPDATE patient3 SET PAT_FORNAME=? WHERE PATNUM=?");
if ( false === $statement )
    die();

// 's' binds a string, 'i' binds an integer
if ( false === $statement->bind_param('si', $_POST['PAT_FORENAME'], $patnum) )
    die();

if ( false === $statement->execute() )
    die();

$statement->close();
$db->close();