2

这是我的usersedit.php代码,另一个是users-edit-action.php在更新后表示数据已成功更新但它不会改变mysql中的任何内容..请帮我解决问题,谢谢用户-编辑.php

<?php include("../includes/config.php"); ?>
<?php
if ($_SESSION["isadmin"])
{

$con=mysql_connect($dbserver,$dbusername,$dbpassword);
if (!$con) { die('Could not connect: ' . mysql_error()); }

mysql_select_db($dbname, $con);
$accountid=$_GET["id"];
$result = mysql_query("SELECT * FROM accounts WHERE (id='".$accountid."')");
while($row = mysql_fetch_array($result))
{
$id=$row['id'];
$firstname = $row['firstname'];
$lastname = $row['lastname'];
$email=$row['email'];
$type=$row['type'];
}
mysql_close($con);
?>
<!DOCTYPE HTML>
<html>
<head>
<title>Edit User</title>
<link rel="StyleSheet" href="../admin/css/style.css" type="text/css" media="screen">
</head>


<body>
<?php include("../admin/includes/header.php"); ?>
<?php include("../admin/includes/nav.php"); ?>
<?php include("../admin/includes/manage-users-aside.php"); ?>
<div id="maincontent">

<div id="breadcrumbs">
<a href="">Home</a> >
<a href="">Manage Users</a> >
<a href="">List Users</a> >
Edit User
</div>
<h2>Edit User</h2>

<form method="post" action="users-edit-action.php">
<input type="hidden" value="<?php echo $accountid; ?>" name="id" />
<label>Email/Username:</label><input type="text" name="email" value="<?php echo $email;     ?>" /><br /><br />
<label>Password:</label><input type="password" name="password" value="<?php echo     $password;?>" /><br /><br />
<label>First Name:</label><input type="text" name="firstname" value="<?php echo      $firstname; ?>" /><br /><br />
<label>Last Name:</label><input type="text" name="lastname" value="<?php echo $lastname; ?>" /><br /><br />
<label>Type:</label><br />
<input type="radio" name="type" value="S" <?php if ($type == 'S') echo     'checked="checked"'; ?> />Student<br />
<input type="radio" name="type" value="T" <?php if ($type == 'T') echo 'checked="checked"'; ?> /> Teacher<br />

<input type="submit" value="Edit" />
</form>
</div>
</body>
<?php include("../admin/includes/footer.php"); ?>
</html>
<?php

}    else
{
header("Location: ".$fullpath."login/unauthorized.php");
}
?>

这是 users-edit-action.php

<?php include("../includes/config.php");?>
<?php

$id=$_POST["id"];
$firstname=$_POST["firstname"];
$lastname=$_POST["lastname"];
$email=$_POST["email"];
$type=$_POST["type"];


$con=mysql_connect($dbserver,$dbusername,$dbpassword);
if (!$con) { die('Could not connect: ' . mysql_error()); }


mysql_select_db($dbname, $con);
$query=("UPDATE accounts SET firstname='".$firstname."' , lastname='".$lastname."         ,password='".$password."' , email='".$email."' type='".$type."' WHERE (id='".$id."')");
$result = mysql_query($query);
echo "User has been updated Successfully!!";
mysql_close($con);
?>

请帮我弄清楚并解决问题

4

1 回答 1

4

转义作为 MySQL 保留关键字的列名

$query=("UPDATE accounts 
         SET firstname='" . $firstname . "'   ,
             lastname='" . $lastname . "      ,
              `password`='" . $password . "'  ,          
              email='" . $email . "'          ,            // <== forgot comma
              type='" . $type . "' WHERE (id='".$id."')
        ");

Password应该逃脱。
您忘记在emailand之间添加逗号type

您当前的查询容易发生SQL 注入。使用PDOMYSQLI

使用 PDO 扩展的示例:

<?php

    $query = "UPDATE accounts 
               SET firstname = ?,
                   lastname = ?,
                   `PassWord` = ?,          
                   email = ?,          
                   type = ? 
            WHERE id = ?
        ";

    $stmt = $dbh->prepare($query);
    $stmt->bindParam(1, $firstname);
    $stmt->bindParam(2, $lastname);
    $stmt->bindParam(3, $password);
    $stmt->bindParam(4, $email);
    $stmt->bindParam(5, $type);
    $stmt->bindParam(6, $id);

    $stmt->execute();
    echo ($stmt) ? "Successful" : "Error Occured";

?>

这将允许您使用单引号插入记录。

于 2012-08-28T03:19:44.050 回答