使用HTML表单编辑MySQL重新编码

时间:2011-07-15 09:39:17

标签: php mysql

我正在开发一个用于学习目的的小型PHP项目。我想从MySQL数据库中检索已保存的数据,并让用户使用HTML表单进行编辑。我能够检索数据并在文本框中显示。问题是表单提交时数据没有更新。这是我到目前为止的代码。文件是为了自我更新。如果有人能告诉我哪里出错了,我将非常感激。谢谢。

<?php

include ("header.php");
include ("../db.php");

$catname = $_POST['catname'];
$catdisc = $_POST['catdisc'];

$id = $_GET['id'];
        if (isset($id))
        {
$query = "SELECT * FROM categories WHERE catid='$id'";
$result= mysql_query($query) or die ('Mysql Error');

}

while($row = mysql_fetch_array($result)){
$cname = $row['catname'];
$cdisc = $row['catdisc'];
}

$result= "UPDATE categories SET catname='$catname', catdisc='$catdisc' WHERE catid='$id'"
or die ('Error Updating'); 

?>

<h1>Edit Categories</h1>

<form method="post" action="edit_cat.php?id=<?php echo $id;?>">
Category Name: <input type="text" name="catname" value="<?php echo $cname;?>"><br/>
Category Discription: <TEXTAREA NAME="catdisc"ROWS="3" COLS="25"><?php echo $cdisc;?></TEXTAREA><br/><br/>
<input type="submit" value="Update Category"/>
</form>

<?php
include ("footer.php");
?>

4 个答案:

答案 0 :(得分:1)

您没有执行UPDATE语句......:)

答案 1 :(得分:0)

您在字符串中定义SQL更新命令,但是,呃,您不将其提交到数据库。有一个

$ result = mysql_query($ query)或die('Mysql Error');

-like row missing。

请记住:(只是另一件事)代码是非常不安全的 - 就像它一样。

必须检查用户POST输入数据,找到的是您的SQL语句。除非您这样做,否则在线人员可以拥有完全数据库用户特权的任意访问权限。谷歌:“SQL注入”。

罗布

PS呃花了5分钟......

答案 2 :(得分:0)

对您的示例代码进行了一些更改,希望这有助于您

<?php
include ("header.php");
include ("../db.php");

//Getting Data
$id = (int)$_GET['id'];
if (isset($id)){
    $query = "SELECT `categories`.`catid` AS catid,
                     `categories`.`catname` AS catname,
                     `categories`.`catdisc` AS catdesc
              FROM categories 
              WHERE catid='".mysql_real_escape_string($id)."'
              LIMIT 1";
    $result= mysql_query($query) or die ('Mysql Error');
}
//Looping through the result, tho we know only 1 result will return
if(mysql_num_rows($result)>=1){
while($row = mysql_fetch_array($result)){
    $cat['id'] = $row['catid'];
    $cat['name'] = $row['catname'];
    $cat['description'] = $row['catdesc'];
}
}else{
    $notice = 'No results found matching id:'.htmlentities($id);
}

//Updating Content

//Checking if form has been submitted with some basic checks
if(
isset($_POST['catid']) && is_numeric($_POST['catid'])==TRUE 
&& isset($_POST['catname']) && $_POST['catname']!="" 
&& isset($_POST['catdesc']) && $_POST['catdesc']!=""){


$cat['id'] = (int)$_POST['catid'];
$cat['name'] = (string)$_POST['catname'];
$cat['description'] = (string)$_POST['catdesc'];

//Create the query
$query="UPDATE categories 
            SET catname='".mysql_real_escape_string($cat['name'])."', catdisc='".mysql_real_escape_string($cat['description'])."' 
            WHERE catid='".mysql_real_escape_string($cat['id'])."'";
//Execute the update
mysql_query($query) or die ('Error Updating');
}
?>

<h1>Edit Categories</h1>

<form method="post" action="">
<?php echo (isset($notice))?$notice:'';?>
<input type="hidden" name="catid" value="<?php echo htmlentities($id);?>">
Category Name: <input type="text" name="catname" value="<?php echo $cat['name'];?>"><br/>
Category Discription: <TEXTAREA NAME="catdisc" ROWS="3" COLS="25"><?php echo $cat['description'];?></TEXTAREA><br/><br/>
<input type="submit" value="Update Category"/>
</form>

编辑我忘了将ID添加到表单字段

答案 3 :(得分:0)

$result= mysql_query("UPDATE categories SET catname='$catname', catdisc='$catdisc' WHERE catid='$id'") or die ('Error Updating');