嵌入了_POST的PHP Mysql更新语句

时间:2010-11-08 14:49:50

标签: php mysql 

$result = mysql_query("UPDATE orders SET order_id='".$data['order_id']."',project_ref='".$data['project_ref']."',supp_short_code='".$data['supp_short_code']."',om_part_no='".$data['om_part_no']."',description='".$data['description']."',quantity='".$data['quantity_input']."',cost_of_items='".$data['cost_of_items']."',cost_total='".$data['cost_total_td']."' WHERE order_id = '".$data['order_id']."'") or die(mysql_error());

奇怪的是它将所有字段设置为“2”(order_id值)我正在尝试创建“编辑订单”页面,但它不打算计划!?

编辑:

我如何将数据发送到PHP:

$('#submit').live('click',function(){ 

                        var postData = {};
                        postData['data[order_id]'] = $('#order_id').text();
                        $('#items tr').not(':first').each(function(index, value) {
                            var keyPrefix = 'data[' + index + ']';
                            postData[keyPrefix + '[supp_short_code]'] = $(this).closest('tr').find('.supp_short_code').text();
                            postData[keyPrefix + '[project_ref]'] = $(this).closest('tr').find('.project_ref').text();
                            postData[keyPrefix + '[om_part_no]'] = $(this).closest('tr').find('.om_part_no').text();
                            postData[keyPrefix + '[description]'] = $(this).closest('tr').find('.description').text();
                            postData[keyPrefix + '[quantity_input]'] = $(this).closest('tr').find('.quantity_input').val();
                            postData[keyPrefix + '[cost_of_items]'] = $(this).closest('tr').find('.cost_of_items').text();
                            postData[keyPrefix + '[cost_total_td]'] = $(this).closest('tr').find('.cost_total_td').text();
                        });

                    $.ajax
                        ({
                        type: "POST",
                        url: "updateorder.php",
                        dataType: "json",
                        data: postData,
                        cache: false,
                        success: function()
                            {
                                alert("Order Updated");
                            }
                        });
                });

完整的PHP代码:

if (isset($_POST['data']) && is_array($_POST['data'])) {
                    foreach ($_POST['data'] as $row => $data) {
                        $result = mysql_query("UPDATE orders SET project_ref='".$data['project_ref']."',supp_short_code='".$data['supp_short_code']."',om_part_no='".$data['om_part_no']."',description='".$data['description']."',quantity='".$data['quantity_input']."',cost_of_items='".$data['cost_of_items']."',cost_total='".$data['cost_total_td']."' WHERE order_id = '".$data['order_id']."'") or die(mysql_error());
                    }
                }
                var_dump($data);

1 个答案:

答案 0 :(得分:0)

  1. 这是不安全的。您应该使用mysql_real_escape_string
    2. 转义发送到MySQL的任何值
  2. 数据是什么样的?您确定$data包含正确的值吗?
  3. 生成的查询在发送到MySQL之前是什么样的?
  4. 无需更新order_id(谢谢,Fosco)
相关问题
最新问题