I am working on a very basic PHP program. I am new to PHP, and I know I am using the old style rather than PDO. I have been researching this for a while but cannot figure out why it does not work.
I just want to delete the items from my table that match the user's input.
((If anyone has any simple suggestions for a safer delete function I could use, please share them, because I know that if the user input is 'r', for example, a large part of the table will be deleted.))
Here is my code:
    <?php
    //delete from table
    if(isset($_POST['delete1']))
    {
        $deletevalue = $_POST['deletevalue'];
        $deletequery = "DELETE FROM users WHERE deletevalue = $deletevalue";
        $deleteresult = deleteTable($deletevalue); // passes the raw value, not $deletequery
    }
    function deleteTable ($deletevalue)
    {
        $connect = mysqli_connect("localhost", "root", "", "test_db");
        $delete_fromTable = mysqli_query($connect, $deletevalue);
        print mysqli_error($connect);
    }
    ?>
    <!DOCTYPE html>
    <html>
    <body>
    <form action="zzz.php" method="post">
        <p> Remove Item: <input type="text" name="deletevalue" placeholder="Item Name" /> </p>
        <input type="submit" name="delete1" value="submit" />
    </form>
    </body>
    </html>
Answer 0 (score: 0)
Here is how your code should look (security issues aside).
In this code you are deleting your record based on the user's firstName, which is why firstName is in the where clause:
    WHERE firstName = '$deletevalue'
If you want to delete based on the user's name, see the where clause:
    if(isset($_POST['delete1']))
    {
        $deletevalue = $_POST['deletevalue'];
        //here put your table column in where clause
        $deletequery = "DELETE FROM users WHERE firstName = '$deletevalue'"; //if your form enters name of the users
        $deleteresult = deleteTable($deletequery);
    }
    function deleteTable ($deletequery)
    {
        $connect = mysqli_connect("localhost", "root", "", "test_db");
        $delete_fromTable = mysqli_query($connect, $deletequery);
        print mysqli_error($connect);
    }
And also see the WHERE name = clause.
You need to pass the query, not the value.
Note:
Yes, I know you are learning the basics, but my advice is:
1) Use prepared statements; look into them a bit.
2) Delete records based on the ID (a unique field) rather than the name; a name (firstName) may be the same for several users in the users table.
Answer 1 (score: 0)
Following all the comments, and to have a fully safe statement, you should really consider using PPS: Prepared Parameterized Statements. This will help in Preventing SQL injection. Also: putting
    error_reporting(E_ALL); ini_set('display_errors', 1);
at the top of the page will help PHP give you hints about errors :)
This is one way (not the only way) of handling the query. Please read it carefully and adjust the names to your database structure and column names.
    <?php
    error_reporting(E_ALL); ini_set('display_errors', 1);
    $host = ""; /* your credentials here */
    $user = ""; /* your credentials here */
    $pwd = ""; /* your credentials here */
    $db = ""; /* your credentials here */
    /* store in PHP variable */
    $deletevalue = $_POST['deletevalue'];
    echo "[ is my var ok ? -> $deletevalue ]"; /* just checking value */
    // connection to db
    $mysqli = mysqli_connect($host, $user, $pwd, $db);
    if (mysqli_connect_errno()) { echo "Error: no connection allowed : " . mysqli_connect_error(); exit; } /* mysqli_connect_error() takes no argument */
    $query = " DELETE FROM `users` WHERE deletevalue = ? ";
    $stmt = $mysqli->prepare($query); /* prepare query: the SQL text is fixed here */
    $stmt->bind_param("s", $deletevalue); /* the value is sent separately from the SQL text -> 's' is for a string */
    print_r($stmt->error_list); /* any error ? */
    print_r($stmt->get_warnings()); /* any warning ? */
    print_r($stmt->error); /* any error ? */
    /* another way of checking for errors :
    if (!($stmt = $mysqli->prepare(" DELETE FROM `users` WHERE deletevalue = ? "))) {
        echo "Error attempting to prepare : (" . $mysqli->errno . ") " . $mysqli->error;
    }
    if (!$stmt->bind_param("s", $deletevalue)) {
        echo "Error attempting to bind params : (" . $stmt->errno . ") " . $stmt->error;
    }
    */
    if (!$stmt->execute()) { echo "false"; echo "Error attempting to execute : (" . $stmt->errno . ") " . $stmt->error; } else { echo "true"; }
    ?>
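Putting both answers' advice together (a prepared statement, and deleting by a unique id rather than a name), here is an added example that is not from the question or either answer. It assumes a `users` table with an integer primary key `id`, a form field named `deleteid`, and placeholder credentials.

```php
<?php
// Added example: delete one row by its unique id with a mysqli prepared
// statement. Assumed schema: table `users` with integer primary key `id`.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Delete the user with the given id. Returns the number of rows removed,
 * which is 0 or 1 because id is unique; a name match could remove many.
 */
function deleteUserById(mysqli $db, int $id): int
{
    // The SQL text is fixed; the value travels separately as a bound
    // parameter, so it is never parsed as part of the statement.
    $stmt = $db->prepare('DELETE FROM `users` WHERE `id` = ? LIMIT 1');
    $stmt->bind_param('i', $id);   // 'i' = integer parameter
    $stmt->execute();
    $deleted = (int) $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

if (isset($_POST['delete1'])) {
    // Validate before touching the database: only a positive integer id.
    $id = filter_input(INPUT_POST, 'deleteid', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('deleteid must be a positive integer');
    }
    try {
        // Assumed credentials: use a dedicated, least-privileged account, not root.
        $db = new mysqli('localhost', 'app_user', 'app_password', 'test_db');
        $count = deleteUserById($db, $id);
        echo $count === 1 ? "Deleted user $id" : "No user with id $id";
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage());   // keep SQL error detail in the server log
        http_response_code(500);
        exit('Delete failed');         // do not echo database errors to the client
    }
}
```

Because the id is validated as an integer and bound with `'i'`, an input such as `'r'` or `1 OR 1=1` is rejected before any query runs, and `affected_rows` tells you exactly how many rows were removed.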