0

在我的代码中,我试图用表单中可修改文本字段的值更新我的数据库。但是,当查询运行时,它会擦除​​与用户尝试编辑的记录相关的所有字段(将它们变为“”)。谁能明白为什么?

<?php
$dbuser = 'test';
$dbpass = 'test';
$host = '127.0.0.1';
$db = 'test';
mysql_connect($host, $dbuser, $dbpass) or die(mysql_error());
mysql_select_db($db) or die(mysql_error());

$result = mysql_query("SELECT * from characters");
$id = $_REQUEST['combo'];
while($row = mysql_fetch_array($result))
{
    if($id == $row['_Key'])
    {
        echo "<form action=\"webpagetests.php\" method=\'post\'>";
        echo "<strong>Player ID:</strong>    " . $row['_Key'] . "</br>";
        echo "<strong>Steam Name:</strong>   " . $row['_SteamName'] . "</br>";
        echo "<strong>Steam ID:</strong>     " . $row['_SteamID'] . "</br></br>";

        echo "Name: </br><input name = \"name\" type=\"text\" size=\"25\" value=\"" . $row['_Name'] . "\"></br></br>";
        echo "Cash: </br><input name = \"cash\" type=\"text\" size=\"25\" value=\"" . $row['_Cash'] . "\"></br></br>";
        echo "Flags: </br><input name = \"flags\" type=\"text\" size=\"25\" value=\"" . $row['_Flags'] . "\"></br></br>";
        echo "Gender:</br> <input name = \"gender\" type=\"text\" size=\"25\" value=\"" . $row['_Gender'] . "\"></br></br>";
        echo "Model:</br> <input name = \"model\" type=\"text\" size=\"50\" value=\"" . $row['_Model'] . "\"></br></br>";
        echo "Faction: </br><input name = \"faction\" type=\"text\" size=\"25\" value=\"" . $row['_Faction'] . "\"></br></br></br>";
        echo "Recognised Names: </br><input name = \"names\" type=\"text\" size=\"50\" value=\"" . $row['_RecognisedNames'] . "\"</br>";
        echo "<input name=\"submit2\" type=\"submit\" value=\"Update\" />";
        echo "</form>";
    }
}
if (isset($_POST['submit2'])) 
{
    //$name = mysql_real_escape_string(htmlspecialchars($_POST['name']));
    $name = "Test";
    $cash = (int)$_POST['cash'];
    $flags = mysql_real_escape_string(htmlspecialchars($_POST['flags']));
    $gender = mysql_real_escape_string(htmlspecialchars($_POST['gender']));
    $model = mysql_real_escape_string(htmlspecialchars($_POST['model']));
    $faction = mysql_real_escape_string(htmlspecialchars($_POST['faction']));
    $names = mysql_real_escape_string(htmlspecialchars($_POST['names']));

    mysql_query("UPDATE  `test`.`characters` SET  `_Name` =  '$name',
    `_Cash` =  '$cash',
    `_Model` =  '$model',
    `_Flags` =  '$flags',
    `_Gender` =  '$gender',
    `_Faction` =  '$faction',
    `_RecognisedNames` =  '$names' 
    WHERE  `characters`.`_Key` ='$id'") or die(mysql_error());
    echo '<META HTTP-EQUIV="Refresh" Content="0; URL=webpagetest.php">'; 
}?>
4

1 回答 1

0

1) You have no where clause in your select statement, so the whole table is transferred from the DB to your PHP script. Add:

$id = mysql_real_escape_string($id);
$result = mysql_query("select * from characters where _Key = '$id'");

to improve performance and bandwidth usage. Better yet, use mysqli, where you can use prepared statements.

2) I don't see where $id is set, when the form returns, so this might be a problem too.

于 2012-10-24T21:06:02.490 回答