
PHP MYSQL hyperlinks and forms

Alex · Technical Community · 16 years ago

    Guys, I'm having no luck... I've tried and tried. The code is included below. I'm doing this in Dreamweaver, which is why the code looks the way it does. This is the edit page. I successfully pass the "bet_id" value from page 1 to this page. Based on the value passed from page 1, it populates the form fields with the correct "bet_id" and "category_id" values. The problem occurs when I update a value in the form. If I update the "category_id" value and click the "Update bet" button, the script does not update the bet record in the database. Any help is greatly appreciated.

    <?php require_once('../Connections/punters_c.php'); ?>
    <?php
    mysql_select_db($database_punters_c, $punters_c);
    
    $query_Recordset1       = "SELECT bet_id, punter_id,category_id FROM betslip where bet_id =".intval($_REQUEST['bet_id']);
    $Recordset1             = mysql_query($query_Recordset1, $punters_c) or die(mysql_error());
    $row_Recordset1         = mysql_fetch_assoc($Recordset1);
    $totalRows_Recordset1   = mysql_num_rows($Recordset1);
    
    
    ##the below function removes dodgy field values
    
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
    {
      $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;
    
      switch ($theType) {
        case "text":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;    
        case "long":
        case "int":
          $theValue = ($theValue != "") ? intval($theValue) : "NULL";
          break;
        case "double":
          $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
          break;
        case "date":
          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
          break;
        case "defined":
          $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
          break;
      }
      return $theValue;
    }
    $editFormAction = $_SERVER['PHP_SELF'];
    if (isset($_SERVER['QUERY_STRING'])) {
      $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
    }
    ?>
    <?
                    // edit.php
    if ((isset($_POST["apply"])) && ($_POST["apply"] == "update_betslip_detail")){
    
            $query = sprintf("  UPDATE betslip 
                                SET category_id = '%d' 
                                WHERE bet_id = %d", 
                                mysql_real_escape($_POST['category_id']),
                                mysql_real_escape($_POST['bet_id'])
                                                                    );
    
      mysql_select_db($database_punters_c, $punters_c);
      $Result1 = mysql_query($query, $punters_c) or die('Connection error to MYSQL occurred: '.(mysql_error()));
    
            header("Location: /update_betslip_test.php");
    
        }
        else 
        {
            echo "bet detail not updated";
        }
        ?>
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
    <title>Untitled Document</title>
    </head>
    
    <body>
        <form action="<?php echo $editFormAction; ?>" method="POST" enctype="multipart/form-data" name="update_betslip_detail">
    
        <input type="text"      name="bet id"       id = "bet_id"       value="<?php echo $row_Recordset1['bet_id']; ?>"/>
        <input type="text"      name="category_id"  id = "category_id"  value="<?php echo $row_Recordset1['category_id']; ?>"/>
    
    
        <input type="hidden"    name= "apply"       value="update_betslip_detail"/>
    
        <input type="submit"    value="Update bet"/>
        </form>
    
        <p><a href="update_betslip_test.php">Back to Update page </a></p>
    </body></html>
    <?php
    mysql_free_result($Recordset1);
    ?>
    
1 answer

VoteyDisciple · 16 years ago

    First, there is no mysql_real_escape() function. Since you are using sprintf(..., '%d'), calling mysql_real_escape_string() (the correct function for escaping strings) is not necessary.

    On a related note (but unrelated to the original problem): you should not be using addslashes() in the GetSQLValueString() function. That should also be mysql_real_escape_string(). Simply calling addslashes() will work for legitimate input (e.g. O'Brien becomes O\'Brien) but will not work for some kinds of malicious input.
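    The following is an added example, not code from the original post or from the answer above. It rewrites the edit page from the question using mysqli prepared statements, which makes the escaping question moot: the ids are bound as integers, so neither mysql_real_escape_string() nor the sprintf('%d') coercion is needed. It also renames the form field to bet_id (the original form used name="bet id", so $_POST['bet_id'] was never set and the UPDATE ran with WHERE bet_id = 0). The connection values are placeholders (assumed); the betslip table and its bet_id, punter_id and category_id columns are the ones used on the page.

```php
<?php
// Added example, not the original poster's code. Connection values below are
// assumed placeholders; table/column names are taken from the question.
declare(strict_types=1);

$db = new mysqli('localhost', 'punters', 'secret', 'punters_c'); // assumed
if ($db->connect_errno !== 0) {
    http_response_code(500);
    exit('database connection failed');
}
$db->set_charset('utf8mb4');

/**
 * Return a request value as a positive integer id, or null if it is missing
 * or malformed. intval() alone turns "abc" into 0 and then the UPDATE runs
 * against "WHERE bet_id = 0", silently changing nothing.
 */
function requireId(array $src, string $key): ?int
{
    $v = $src[$key] ?? null;
    if (!is_string($v) || !preg_match('/^[1-9][0-9]{0,9}$/', $v)) {
        return null;
    }
    return (int) $v;
}

/** Load the row shown in the form; the id is a bound parameter, nothing is escaped by hand. */
function loadBet(mysqli $db, int $betId): ?array
{
    $stmt = $db->prepare('SELECT bet_id, punter_id, category_id FROM betslip WHERE bet_id = ?');
    $stmt->bind_param('i', $betId);
    $stmt->execute();
    $stmt->bind_result($id, $punterId, $categoryId);
    $row = $stmt->fetch()
        ? ['bet_id' => $id, 'punter_id' => $punterId, 'category_id' => $categoryId]
        : null;
    $stmt->close();
    return $row;
}

/** Returns rows actually changed: 0 if no such bet, or the category already had that value. */
function updateCategory(mysqli $db, int $betId, int $categoryId): int
{
    $stmt = $db->prepare('UPDATE betslip SET category_id = ? WHERE bet_id = ?');
    $stmt->bind_param('ii', $categoryId, $betId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

if (($_POST['apply'] ?? '') === 'update_betslip_detail') {
    // Field is named bet_id here; the original form used name="bet id" (with a
    // space), so $_POST['bet_id'] was never populated.
    $betId      = requireId($_POST, 'bet_id');
    $categoryId = requireId($_POST, 'category_id');
    if ($betId === null || $categoryId === null) {
        http_response_code(400);
        exit('bet_id and category_id must be positive integers');
    }
    $changed = updateCategory($db, $betId, $categoryId);
    header('Location: /update_betslip_test.php?changed=' . $changed);
    exit;
}

$betId = requireId($_GET, 'bet_id');
$row   = $betId === null ? null : loadBet($db, $betId);
if ($row === null) {
    http_response_code(404);
    exit('no such bet');
}
// PHP_SELF is attacker-influenced (path info); escape it before echoing into markup.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
?>
<form action="<?= $self ?>" method="POST">
  <input type="text" name="bet_id" value="<?= (int) $row['bet_id'] ?>" />
  <input type="text" name="category_id" value="<?= (int) $row['category_id'] ?>" />
  <input type="hidden" name="apply" value="update_betslip_detail" />
  <input type="submit" value="Update bet" />
</form>
```

    Two points worth checking in the original beyond the escaping function: the form action echoes $_SERVER['PHP_SELF'] unescaped, which is a reflected-XSS vector, and the SELECT reads bet_id from $_REQUEST while the UPDATE reads it from $_POST, so the two halves of the page can act on different ids. The example above reads the id from the query string for display and from the POST body for the update, and validates both the same way.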
