ID不是数字,无法编辑

时间:2017-12-13 01:44:53

标签: php html

所以这些是我的代码。在我的情况下,id是一个varchar(由数字,符号和字符组成)。当我输入数字ID时,我可以编辑信息。但是当输入的id不是完全数字时,系统会说"未知栏' 618XRWCG'在' where子句'"

  

这是updateforecast.php 

<?php

}


// connect to the database

include('connect.php');



// check if the form has been submitted. If it has, process the form and save it to the database

if (isset($_POST['submit']))

{

// confirm that the 'id' value is a valid integer before getting the form data

if (is_numeric($_POST['id']))

{

// get form data, making sure it is valid

$id = $_POST['id'];

$min = mysql_real_escape_string(htmlspecialchars($_POST['min']));

$max = mysql_real_escape_string(htmlspecialchars($_POST['max']));

$sapuk = mysql_real_escape_string(htmlspecialchars($_POST['sapuk']));

$sapus = mysql_real_escape_string(htmlspecialchars($_POST['sapus']));

$sapasia = mysql_real_escape_string(htmlspecialchars($_POST['sapasia']));

$sapmex = mysql_real_escape_string(htmlspecialchars($_POST['sapmex']));

$penuk = mysql_real_escape_string(htmlspecialchars($_POST['penuk']));

$penus = mysql_real_escape_string(htmlspecialchars($_POST['penus']));

$penasia = mysql_real_escape_string(htmlspecialchars($_POST['penasia']));

$penmex = mysql_real_escape_string(htmlspecialchars($_POST['penmex']));



// check that firstname/lastname fields are both filled in

if ($min == '' || $max == '')

{

// generate error message

$error = 'ERROR: Please fill in all required fields!';



//error, display form

renderForm($id, $min, $max, $sapuk, $sapus, $sapasia, $sapmex, $penuk, $penus, $penasia, $penmex, $error);

}

else

{

// save the data to the database

mysql_query("UPDATE forecast SET Min='$min', Max='$max', sapUK='$sapuk', sapUS='$sapus', sapAsia='$sapasia', sapMex='$sapmex', penUK='$penuk', penUS='$penus', penAsia='$penasia', penMex='$penmex' WHERE Partnumber='$id'")

or die(mysql_error());



// once saved, redirect back to the view page

header("Location: viewforecast.php");

}

}

else

{

// if the 'id' isn't valid, display an error

echo 'Error!';

}

}

else

// if the form hasn't been submitted, get the data from the db and display the form

{



// get the 'id' value from the URL (if it exists), making sure that it is valid (checing that it is numeric/larger than 0)

if (isset($_GET['id'])&& $_GET['id'] > 0)

{

// query db

$id = $_GET['id'];

$result = mysql_query("SELECT * FROM forecast WHERE Partnumber=$id")

or die(mysql_error());

$row = mysql_fetch_array($result);



// check that the 'id' matches up with a row in the databse

if($row)

{



// get data from db

$min = $row['Min'];

$max = $row['Max'];

$sapuk = $row['sapUk'];

$sapus = $row['sapUS'];

$sapasia = $row['sapAsia'];

$sapmex = $row['sapMex'];

$penuk = $row['pendingUK'];

$penus = $row['pendingUS'];

$penasia = $row['pendingAsia'];

$penmex = $row['pendingMex'];



// show form

renderForm($id, $min, $max, $sapuk, $sapus, $sapasia, $sapmex, $penuk, $penus, $penasia, $penmex, '');

}

else

// if no match, display result

{

echo "No results!";

}

}

else

// if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error

{

echo 'Error!';

}

}

?>
  

这是viewforecast.php 

<?php
include('connect.php');

$result = mysql_query("SELECT * FROM forecast")

or die(mysql_error());

echo "<table border='1' id = 'frmnew' cellpadding='10'>";

echo "<tr>
    <th rowspan='2'><center><b>Part Number</b></center></th>
    <th rowspan='2'><center><b>Minimum Quantity</b></center></th>
    <th rowspan='2'><center><b>Maximum Quantity</b></center></th>

    <th colspan='4' scope='colgroup'><center>SHIP AGAINST PO</center></th>
    <th colspan='4' scope='colgroup'><center>FORECAST FROM VARIOUS REGIONS PENDING FOR INTERCO PO</center></th>
  </tr>
  <tr>
    <th scope='col'><center>UK</center></th>
    <th scope='col'><center>US</center></th>
    <th scope='col'><center>ASIA</center></th>
    <th scope='col'><center>MEXICO</center></th>
    <th scope='col'><center>UK</center></th>
    <th scope='col'><center>US</center></th>
    <th scope='col'><center>ASIA</center></th>
    <th scope='col'><center>MEXICO</center></th>
  </tr>";



// loop through results of database query, displaying them in the table

while($row = mysql_fetch_array( $result )) {



// echo out the contents of each row into a table

echo "<tr>";

echo '<td>' . $row['Partnumber'] . '</td>';

echo '<td>' . $row['Min'] . '</td>';

echo '<td>' . $row['Max'] . '</td>';

echo '<td>' . $row['sapUK'] . '</td>';

echo '<td>' . $row['sapUS'] . '</td>';

echo '<td>' . $row['sapAsia'] . '</td>';

echo '<td>' . $row['sapMex'] . '</td>';

echo '<td>' . $row['pendingUK'] . '</td>';

echo '<td>' . $row['pendingUS'] . '</td>';

echo '<td>' . $row['pendingAsia'] . '</td>';

echo '<td>' . $row['pendingMex'] . '</td>';

echo '<td><a href="updateforecast.php?id=' . $row['Partnumber'] . '">Edit</a></td>';

echo '<td><a href="deleteforecast.php?id=' . $row['Partnumber'] . '">Delete</a></td>';

echo "</tr>";

}



// close table>

echo "</table>";

?>

<p><a href="forecast.php">Add a new record</a></p>

</body>
</html>

我之前提到的错误是当我输入没有符号的id时。当我输入带符号的id时,符号和隐藏后的符号或其他内容。

请帮忙

2 个答案:

答案 0 :(得分:0)

您的代码容易受到SQL Injection的攻击。您应该使用@IncredibleHat建议的PDO

答案 1 :(得分:-1)

编辑你的updateforecast.php代码选择你传递id而不用字符串更改的查询。

     $result = mysql_query("SELECT * FROM forecast WHERE Partnumber='$id'")
相关问题
最新问题