使用PHP中的表单值更新MySQL数据库行

时间:2016-12-05 18:28:27

标签: php mysql

我有一个简单的html表单页面需要更新2个列值,其中'Some_DB_Table'.id =用户输入的id号。但是,我对使用预准备语句避免SQL注入的方法有点困惑。

我的代码:

HTML:

<form id="workorderMovement" name='workorderMovement_form' action="workordermovementGET.php" method="post">



<fieldset id="userid">

  <span>Welcome <?php echo $user ?> </span>

</fieldset> 




<fieldset id="sgnum">

<fieldset id="fieldset" style="text-align: center;"> 
  <span>Please enter the SG Number</span>
</fieldset>

<input type="text" name="sgnumber" id="sgnumber"> &nbsp;&nbsp;&nbsp; <input type="button" name="searchButton" id="searchButton" value="SEARCH">

</fieldset> 


<br/>
<br/>



<fieldset id="stageSelectField">

  <fieldset id="fieldset" style="text-align: center;"> 
    <span>Please select the Stage Completed</span>
  </fieldset>

<select name="stageSelect" id="stageSelect">
  <option value="Please Select">Please Select</option>
  <option value="Film Done">Film Done</option>
  <option value="Staged Done">Staged Done</option>
  <option value="Cleanroom Done">Cleanroom Done</option>
  <option value="GB2 Done">GB2 Done</option>
  <option value="Bagging Done">Bagging Done</option>
  <option value="Inspection Done">Inspection Done</option>
  <option value="LC Done">LC Inspection Done</option>
  <option value="IGU Done">IGU Done</option>
</select>

</fieldset> 


<br/>
<br/>


<fieldset id="floorNotesField">

  <fieldset id="fieldset" style="text-align: center;"> 
    <span>Please enter any new work order notes</span>
  </fieldset>

  <textarea type="text" name="floorNotes" id="floorNotes" class="floorNotesText"></textarea>

</fieldset>


<br/>
<br/>
<br/>

</form> <!-- End Work Order Movement Form -->

<fieldset id="doneButtonField">

  <input type="button" name="doneButton" id="doneButton" value="DONE">

</fieldset>

MY AJAX:

 j("#doneButton").click(function(){


 //send Workorder Movement Data values to php using ajax.

 var sgnumber = j('#sgnumber').val();
 var stageselect = j('#stageSelect').val();
 var floornotes = j('#floorNotes').val();
 j.ajax ({
    method: 'POST',
    url: "workordermovementUPDATE.php",
    data: {sgNumber: sgnumber, stageSelect: stageselect, floorNotes: floornotes},
    dataType: 'json',
    success: function( data ){
        alert(data);
    }
  });

});

我的PHP:

    <?php 


include('inc.php');


//Get Table Options.
if (isset($_POST['sgNumber'])) {
    $sgNumber = $_POST['sgNumber'];

    if (isset($_POST['stageSelect'])) {
        $stageSelect=$_POST['stageSelect'];
    }
    if (isset($_POST['floorNotes'])) {
        $floorNotes=$_POST['floorNotes'];
    }

    //connect  to the database 
    $conn = new mysqli($servername, $username, $password, $dbname);

    // Check connection
    if(mysqli_connect_errno() ) {
        printf('Could not connect: ' . mysqli_connect_error());
        exit();
    }

    $conn->select_db($dbname);

    if(! $conn->select_db($dbname) ) {
        echo 'Could not select database. '.'<BR>';
    }

    $sql= "UPDATE invoices SET productionstage = ".$stageSelect.", floornotes = ".$floorNotes." WHERE id = ?";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('i', $sgNumber);
    $stmt->execute();
    $stmt->store_result();     

    if(mysqli_query($conn, $stmt)){
        echo "".$sgnumber." Updated Successfully!";
    } else {
        echo "ERROR: Could not update ".$sgnumber."".mysqli_error($conn)."";
    }


////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////


//Free the result variable. 
 $result->free();


//Close the Database connection.
 $conn->close();

}//End If statement

?>

这是正确/有任何建议吗?

谢谢!

1 个答案:

答案 0 :(得分:2)

如果您仔细阅读the documentation on bind_param,您会发现需要指定每个参数的类型。通常这不是一件大事:

 $stmt = $conn->prepare(
   "UPDATE invoices SET productionstage=?,floornotes=? WHERE id = ?"
 );
 $stmt->bind_param('ssi', $stageSelect, $floorNotes, $sgNumber);

尽量避免为语句创建中间变量。这通常会导致您无意中运行错误的查询。

相关问题
最新问题