if(isset($_POST['Submit'])){} 未被执行

时间:2017-11-30 21:34:51

标签: php html sql-server

我想知道我哪里做错了。当我点击提交时,页面会把我带回上一页,但我的 if(isset($_POST['Submit'])){} 并没有被执行。我用 SQL Server Profiler 检查时,看到的查询是从 attendance_records 中取 DISTINCT date 的那条查询,而这条查询属于上一页。

// Form handler: when the 'submit' field is posted, replace the attendance rows stored for the posted date.
// NOTE(review): array keys are case-sensitive; this checks 'submit' in lower case.
if(isset($_POST['submit'])){

        // NOTE(review): $_POST[date] is interpolated straight into the SQL text, so the request body
        // controls the statement (SQL injection). Pass it through sqlsrv_query()'s params argument instead.
        $records = sqlsrv_query($con,"select * from attendance_records where date='$_POST[date]'", array(), array("Scrollable"=>"buffered"));
       // Row count of the buffered result; everything below runs only when this is truthy.
       // NOTE(review): $records is not checked for false before being handed to sqlsrv_num_rows().
       $num = sqlsrv_num_rows($records);
       if($num){

           // Same unbound interpolation, this time in a DELETE. No transaction is visible around the
           // delete and the inserts, so rows removed here are not restored if an insert below fails.
           sqlsrv_query($con, "delete from attendance_records where date= '$_POST[date]';");
           // One insert per posted attendance_status entry; name and roll number are read under the same key.
           foreach ($_POST['attendance_status'] as $id=>$attendance_status){
           $student_name =$_POST['student_name'][$id];
           $roll_number =$_POST['roll_number'][$id];

           // All four values are request data concatenated into the INSERT text; each one is injectable.
           $result=sqlsrv_query($con, "insert into attendance_records(student_name,roll_number,attendance_status,date)values('$student_name','$roll_number','$attendance_status','$_POST[date]')");
                // $update becomes 1 as soon as any single insert succeeds, even if a later one fails.
                if($result){
                $update=1;
            }
        }

表单HTML

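<div class="panel panel-body">
        <form action="view_all.php" method="Post">
    <?php
    // $_POST['date'] is request data. Encode it for the HTML context before echoing so that any
    // markup it carries is rendered as text instead of being interpreted by the browser.
    // NOTE(review): the visible part of this form has no `date` field, yet the handler reads
    // $_POST['date'] on submit; confirm the omitted rows post it (for example as a hidden input).
    ?>
    <H3> <div class="well text-center">Date: <?php echo htmlspecialchars(is_string($_POST['date'] ?? null) ? $_POST['date'] : '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?> </div> </h3>
            <table class="table table-striped">

           <input type="submit" name="submit" value="submit" class="btn btn-primary">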

1 个答案:

答案 0 :(得分:0)

这并不能直接回答您的问题,但我想指出:按照您现在的写法,我可以轻易删除整个数据库。请想一想,如果有人提交的日期是 ' OR '1'='1,数据库查询会变成什么样。

请改用参数化查询(parameterized queries),这正是 sqlsrv_query() 第三个参数的用途。如果同一条语句要执行多次,请使用预处理语句(prepared statements)。

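<?php
// Replace the attendance rows stored for the submitted date with the rows posted by the form.
// Every request value reaches SQL Server as a bound parameter, never as part of the SQL text.
// NOTE(review): no CSRF token or authorization check is visible in this excerpt; confirm the
// page enforces both before this destructive handler runs.
if (isset($_POST["submit"])) {
    $date = $_POST["date"] ?? null;
    $statuses = $_POST['attendance_status'] ?? null;
    $names = $_POST['student_name'] ?? null;
    $rolls = $_POST['roll_number'] ?? null;

    // A crafted request can omit fields or send arrays where strings are expected;
    // continue only when the posted data has the shape the form produces.
    if (is_string($date) && is_array($statuses) && is_array($names) && is_array($rolls)) {
        $records = sqlsrv_query(
            $con,
            "SELECT * FROM attendance_records WHERE date = ?",
            array($date),
            array("Scrollable"=>"buffered")
        );
        // sqlsrv_query() returns false on failure; do not pass that on to sqlsrv_num_rows().
        $num = ($records === false) ? 0 : sqlsrv_num_rows($records);

        // Delete and re-insert inside one transaction so that a failed insert cannot leave
        // the date with its old rows deleted and only part of the new rows written.
        if ($num && sqlsrv_begin_transaction($con)) {
            $student_name = "";
            $roll_number = "";
            $attendance_status = "";

            $ok = sqlsrv_query(
                $con,
                "DELETE FROM attendance_records WHERE date = ?",
                array($date)
            ) !== false;

            // The parameters are bound by reference: each sqlsrv_execute() must see the values
            // assigned inside the loop, not the empty strings present when the statement is prepared.
            $stmt = $ok
                ? sqlsrv_prepare(
                    $con,
                    "INSERT INTO attendance_records(student_name, roll_number, attendance_status, date) VALUES(?, ?, ?, ?)",
                    array(&$student_name, &$roll_number, &$attendance_status, &$date)
                )
                : false;
            $ok = $ok && $stmt !== false;

            if ($ok) {
                foreach ($statuses as $id => $status) {
                    $name = $names[$id] ?? null;
                    $roll = $rolls[$id] ?? null;
                    // Reject rows with a missing or non-string field instead of inserting junk.
                    if (!is_string($status) || !is_string($name) || !is_string($roll)) {
                        $ok = false;
                        break;
                    }
                    $student_name = $name;
                    $roll_number = $roll;
                    $attendance_status = $status;
                    if (!sqlsrv_execute($stmt)) {
                        $ok = false;
                        break;
                    }
                }
            }

            // Report success only once every row is committed; otherwise restore the old rows.
            if ($ok && sqlsrv_commit($con)) {
                $update = 1;
            } else {
                sqlsrv_rollback($con);
            }
        }
    }
}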