我已经创建了一个表单来更新我网站上的横幅信息。除了键入“textarea”的输入(称为“desc”)之外,所有内容似乎都会更新。代码看起来正确,这让我感到疯狂。
提前致谢。
<html>
<body>
<form action="aupdate.php" method="POST" enctype="multipart/form-data">
Your or your company's name:<br>
<input type="text" name="com" size="60"><br>
URL:<br>
<input type="text" name="url" size="80"><br>
Please enter the username that you will use to update your advertisement info:<br>
<input type="text" name="user" size="80"><br>
Please enter the password that you will use to update your advertisement info:<br>
<input type="text" name="pass" size="80"><br>
<br>
<br>
<br>
File:<br>
<input type="file" name="image">
advertisement description:<br>
<textarea name="desc" id="desc" cols="35" rows="5" ></textarea>
<input type="submit" value="update your ad!">
</form>
<?php
//connect to database
require("connect.php");
//get user made username
$user = $_POST['user'];
//get user made password
$pass = $_POST['pass'];
//encrypt user made password
$encpass = hash('sha256', $pass);
//file properties
$file = $_FILES['image']['tmp_name'];
//initialize company name and description
$com = $_POST['com'];
$desc = $_POST['desc'];
$url = $_POST['url'];
//check to see if coupon code and other essential info entered
if (!$user || !$pass )
{
echo "Please enter updated info with username and password.";
}
else
{
//retrieve data from password table
$query = mysql_query ("SELECT * FROM apartment WHERE pass = '$encpass' ");
//get number of rows in table
$numrows = mysql_num_rows ($query);
//check if code is right or exists
if ($numrows !=0)
{
// code to login
while ($row = mysql_fetch_assoc ($query))
{
//retrieve code from database to match with the code that was put into field
$dbuser = $row['user'];
$dbpass = $row['pass'];
}
//check to see if they match
if ($user == $dbuser && $encpass == $dbpass )
{
//check to see if a file has even been submitted
if (!$file)
{
echo "please upload image";
}
else
{
//get image file attributes
$image = addslashes(file_get_contents ($_FILES['image']['tmp_name']));
$image_name = addslashes($_FILES['image']['name']);
$image_size = addslashes(getimagesize($_FILES['image']['tmp_name']));
//check if image file size is right
if ($image_size==FALSE)
echo "that's not an image.";
else
{
mysql_query ("UPDATE apartment SET desc = '$desc' WHERE user ='$user'");
mysql_query ("UPDATE apartment SET name = '$image_name' WHERE user ='$user'");
mysql_query ("UPDATE apartment SET com = '$com' WHERE user ='$user'");
mysql_query ("UPDATE apartment SET url = '$url' WHERE user ='$user'");
mysql_query ("UPDATE apartment SET image = '$image' WHERE user ='$user'");
echo "advertisement successfully updated!";
}
}
}
else
echo "Incorrect username or password.";
}
else
echo "Incorrect username or password.";
}
?>
</body>
</html>
答案 0 :(得分:4)
desc是mysql reserved word将其括在反引号中
转义用户输入 $desc=mysql_real_escape_string($desc);
mysql_query ("UPDATE apartment SET `desc` = '$desc' WHERE user ='$user'");
您还可以使用逗号改进更新查询,以便在更新查询
中分隔字段mysql_query ("UPDATE apartment SET `desc` = '$desc',url='$url' WHERE user ='$user'");