我要实现的目标
我正在尝试使用用户填写的值更新数据库。
我已经花了几个月的时间在无休止的Google搜索中,避免向 StackOverflow 提问,每个站点都教了我一点,但我还没能完成这个产品。
我正在努力解决的问题
提交后,PDO::execute不会执行,数据库也不会更新。
以前我收到"Undefined index"的错误,但是这些错误已通过正确传递变量来解决。现在我没有任何错误。
我的问题
我在做什么错?考虑到我在控制台或任何地方(并且error_reporting处于打开状态)都没有任何错误。我在其中检查其是否已执行的if语句始终给出nope,因此在查询中的某处失败。
我该如何更好地调试呢?
我尝试过的事情 (已缩小代码以显示相关内容)
index.php (显示带有 Update 按钮的表格,将我重定向到update.php)
<?php
session_start();
require 'assets/php/database.php';
require 'assets/php/usersession.php';
?>
<!DOCTYPE html>
<html>
<head>
<!-- irrelevant content -->
</head>
<body>
<?php
$sql = "SELECT * FROM utlansliste";
$stmt = $conn->prepare($sql);
$stmt->execute();
$result = $stmt->fetchAll();
?>
<table>
<thead>
<th>ID</th>
<th>Brukernavn</th>
<th>Datamaskin</th>
<th>Periferiutstyr</th>
<th>Start dato</th>
<th>Slutt dato</th>
<th>Oppdater tabell</th>
</thead>
<?php
foreach($result as $rows) {
?>
<tr>
<td><?php echo $rows['id']; ?></td>
<td><?php echo $rows['username']; ?></td>
<td><?php echo $rows['hostname']; ?></td>
<td><?php echo $rows['peripherals']; ?></td>
<td><?php echo $rows['start_date']; ?></td>
<td><?php echo $rows['end_date']; ?></td>
<td><a href="update.php?id=<?php echo $rows['id'];?>&hostname=<?php echo $rows['hostname'];?>"><div class="btn btn-primary">Oppdater</div></a></td>
</tr>
<?php
}
?>
</table>
</body>
</html>
update.php (用户填写表单的位置以及应该执行的位置)
<?php
session_start();
require 'assets/php/database.php';
require 'assets/php/usersession.php';
if(isset($_GET['id'])) {
$id = $_GET['id'];
$hostname = $_GET['hostname'];
global $conn;
$sql = "SELECT * FROM utlansliste WHERE id='$id';";
$stmt = $conn->prepare($sql);
$stmt->execute();
$row = $stmt->fetchAll();
$username = $row[0]['username'];
$peripherals = $row[0]['peripherals'];
$start_date = $row[0]['start_date'];
$end_date = $row[0]['end_date'];
if(isset($_POST['submit'])) {
try {
global $conn;
$sql = "UPDATE utlansliste SET username = ':username', peripherals = ':peripherals', start_date = ':start_date', end_date = ':end_date', WHERE id = ':id'";
$stmt = $conn->prepare($sql);
$stmt->bindParam(":username", $username, PDO::PARAM_STR);
$stmt->bindParam(":peripherals", $peripherals, PDO::PARAM_STR);
$stmt->bindParam(":start_date", $start_date, PDO::PARAM_STR);
$stmt->bindParam(":end_date", $end_date, PDO::PARAM_STR);
$stmt->bindParam(":id", $id, PDO::PARAM_STR);
$stmt->execute();
if ($stmt->execute()) {
echo "gg";
} else {
echo "nope";
}
/*header('Location:index.php');*/
}
catch(PDOException $exception) {
echo "Error: " . $exception->getMessage();
}
}
}
?>
<html>
<head>
<!-- irrelevant content -->
</head>
<body>
<?php include 'assets/php/header.php' ?>
<?php if( !empty($user) ): ?>
<div class="content">
<strong>Oppdater utlånsliste for <?php echo $hostname; ?></strong>
<form name="form" method="POST" action="">
<div class="updatebox" style="text-align:center;">
<label for="username">Brukernavn</label>
<div><input type="text" name="username" value="<?php echo $username;?>" id="username" required/></div>
<label for="peripherals">Periferiutstyr</label>
<div><input type="text" name="peripherals" value="<?php echo $peripherals;?>" id="peripherals"/></div>
<label for="startdate">Låne fra - dato</label>
<div><input data-date-format="YYYY/MM/DD" type="date" name="start_date" value="<?php echo $start_date;?>" id="start_date" required/></div>
<label for="enddate">Låne til - dato</label>
<div><input data-date-format="YYYY/MM/DD" type="date" name="end_date" value="<?php echo $end_date;?>" id="end_date" required/></div>
<input name="id" type="hidden" id="id" value="<?php echo $id;?>"/>
<input name="hostname" type="hidden" value="<?php echo $hostname;?>" id="hostname"/>
<input type="submit" name="submit" value="Submit"/>
</div>
</form>
</div>
<body>
</html>
其他评论
我到很多站点寻求帮助和知识。这些是更多的一些。我主要是在寻找知识来学习这种安全的数据库更新方法,因此即使只是发表评论也可以帮助很多!
答案 0 :(得分:2)
该SQL之前是错误的-除占位符周围的单引号外,global.asax子句前还有一个逗号。
where您可以确认是否确实调用了更新语句吗?尝试在调用$sql = "UPDATE utlansliste SET
username = :username,
peripherals = :peripherals,
start_date = :start_date,
end_date = :end_date
WHERE id = :id";
方法之前/之后打印sql,以确保程序到达该点。
快速浏览了PHP,并做了一些可能对MIGHT有帮助(或可能没有帮助)的更改。
execute顺便说一句,下面没有必要使用<?php
try{
session_start();
$id='';
require 'assets/php/database.php';
require 'assets/php/usersession.php';
if( isset( $_GET['id'], $_GET['hostname'] ) ) {
$id = $_GET['id'];
$hostname = $_GET['hostname'];
/*
global $conn;
The `global` keyword is used within functions to allow a variable declared outside the function
to be used within the function... think `scope`
*/
/*
$sql = "SELECT * FROM utlansliste WHERE id='$id';";
As the problem revolves around prepared statements why not use a prepared statement here
and avoid the possibility of sql injection??
*/
$sql='select * from `utlansliste` where id=:id;';
$args=array( ':id' => $id );
$stmt = $conn->prepare($sql);
$res=$stmt->execute( $args );
if( !$res )throw new Exception(' Failed to SELECT records ');
$row = $stmt->fetchAll();
$username = $row[0]['username'];
$peripherals = $row[0]['peripherals'];
$start_date = $row[0]['start_date'];
$end_date = $row[0]['end_date'];
/* make sure that all variables are available... */
if( isset( $_POST['submit'], $username,$peripherals,$start_date,$end_date ) ) {
try {
/* same issue, global is NOT required */
#global $conn;
$sql = "UPDATE utlansliste SET username = :username, peripherals = :peripherals, start_date = :start_date, end_date = :end_date WHERE id = :id";
$stmt = $conn->prepare( $sql );
$stmt->bindParam(":username", $username, PDO::PARAM_STR);
$stmt->bindParam(":peripherals", $peripherals, PDO::PARAM_STR);
$stmt->bindParam(":start_date", $start_date, PDO::PARAM_STR);
$stmt->bindParam(":end_date", $end_date, PDO::PARAM_STR);
$stmt->bindParam(":id", $id, PDO::PARAM_STR);
$result = $stmt->execute();
if ( $result ) {
echo "gg";
} else {
echo "nope";
}
/*header('Location:index.php');*/
}catch(PDOException $exception) {
echo "Error: " . $exception->getMessage();
}
}
}
}catch( Exception $e ){
exit( $e->getMessage() );
}
?>
,因为没有用户提供的变量,也没有SQL注入的可能性
prepared statement如果有一个$sql = "SELECT * FROM utlansliste";
$stmt = $conn->prepare($sql);
$stmt->execute();
$result = $stmt->fetchAll();
子句,则可能有所不同...也许
更新
为了帮助调试PDO查询,我使用以下函数where〜给出了用法示例。
debugpdo