
I ran into a problem updating values in a database table named "answers": it simply does not update the table. Here is my code:

    if(isset($_POST['marked'])) {
        $marked = $_POST['marked'];
        $command = "UPDATE Answers SET " .
            "SessionID=" . $_POST['SessionID'] . ", " .
            "TestID=" . $_POST['TestID'] . ", " .
            "QuesID=" . $_POST['QuesID'] . ", " .
            "A1=0, " .
            "A2=0, " .
            "A3=0, " .
            "A4=0, " .
            "A5=0, " .
            "A6=0, " .
            "AnswerText=\"\", " .
            "SortOrder='" . intval($_POST['Order']) . "' " .
            "marked=1" .
            "WHERE SessionID=" . $_POST['SessionID'] .
            " AND QuesID=" . $_POST['QuesID'];
        $lolsql = mysql_query($command, $conn);
    }

Whenever someone clicks "marked" (the submit button), I want to update the "marked" field from 0 to 1. Could someone please help me? Thanks in advance :)


2 Answers


Your code is extremely vulnerable to injection attacks, because you are not sanitizing the input at all and are updating the database directly with it. Secondly, start using mysqli_() or PDO statements; mysql_() is no longer maintained by the community.

At the very least, use mysqli_real_escape_string() to sanitize your input.

Example:

if(isset($_POST['whatever'])) {
  $holder = mysqli_real_escape_string ($connection, $_POST['value']);
}

Your query is a mess. Why are you using concatenation? Can't you simply write your query like this?

$query = "UPDATE table_name SET col_name = '$value', col_name2 = '$value2' ... WHERE ...";
answered 2012-11-03T12:55:41.563

Full code:

<?php if(isset($_POST['marked'])) {

    $answer_text = "something here";

    // Escape every value before it goes into the query string
    $marked = mysql_real_escape_string($_POST['marked']);
    $session = mysql_real_escape_string($_POST['SessionID']);
    $test = mysql_real_escape_string($_POST['TestID']);
    $ques = mysql_real_escape_string($_POST['QuesID']);
    $answer = mysql_real_escape_string($answer_text);
    $order = intval(mysql_real_escape_string($_POST['Order']));

    mysql_query("
    UPDATE
        `Answers`

    SET
        `SessionID` = '$session',
        `TestID` = '$test',
        `QuesID` = '$ques',
        `A1` = 0,
        `A2` = 0,
        `A3` = 0,
        `A4` = 0,
        `A5` = 0,
        `A6` = 0,
        `AnswerText` = '$answer',
        `SortOrder` = '$order',
        `marked` = 1

    WHERE
        `SessionID` = '$session'
        AND
            `QuesID` = '$ques';
    ") or die("Error: " . mysql_error());

}?>

If you would rather have the query on a single line:

mysql_query("UPDATE `Answers` SET `SessionID` = '$session', `TestID` = '$test', `QuesID` = '$ques', `A1` = 0, `A2` = 0, `A3` = 0, `A4` = 0, `A5` = 0, `A6` = 0, `AnswerText` = '$answer', `SortOrder` = '$order', `marked` = 1 WHERE `SessionID` = '$session' AND `QuesID` = '$ques';") or die("Error: " . mysql_error());

If you still have problems, this script will print an error message beginning with "Error:". You may have misspelled one of the columns.

answered 2012-11-03T13:30:23.807
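As an added example (not code from the question or from either answer), here is the same UPDATE written with a PDO prepared statement, the approach the first answer recommends: every value is bound as a typed parameter instead of being concatenated into the SQL text, which removes the injection problem both answers point out, and there is no escaping step to forget. The DSN and credentials are placeholders, `markAnswer` is a hypothetical helper, and the `marked = 0` condition in the WHERE clause follows the question's own description of what should be updated.

```php
<?php
// Added example, not the thread's own code. $pdo, the DSN and the credentials
// below are assumed placeholders; table and column names are those used in the thread.
function markAnswer(PDO $pdo, array $post): int
{
    // Validate first: all four values must be integers, otherwise refuse the request.
    $session = filter_var($post['SessionID'] ?? null, FILTER_VALIDATE_INT);
    $test    = filter_var($post['TestID']    ?? null, FILTER_VALIDATE_INT);
    $ques    = filter_var($post['QuesID']    ?? null, FILTER_VALIDATE_INT);
    $order   = filter_var($post['Order']     ?? null, FILTER_VALIDATE_INT);
    if ($session === false || $test === false || $ques === false || $order === false) {
        throw new InvalidArgumentException('SessionID, TestID, QuesID and Order must be integers');
    }

    // Named placeholders: the SQL text never contains user input. SessionID and QuesID
    // are already fixed by the WHERE clause, so there is no need to SET them again.
    $sql = 'UPDATE `Answers`
            SET `TestID` = :test, `A1` = 0, `A2` = 0, `A3` = 0,
                `A4` = 0, `A5` = 0, `A6` = 0, `AnswerText` = \'\',
                `SortOrder` = :order, `marked` = 1
            WHERE `SessionID` = :session AND `QuesID` = :ques AND `marked` = 0';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':test',    $test,    PDO::PARAM_INT);
    $stmt->bindValue(':order',   $order,   PDO::PARAM_INT);
    $stmt->bindValue(':session', $session, PDO::PARAM_INT);
    $stmt->bindValue(':ques',    $ques,    PDO::PARAM_INT);
    $stmt->execute();

    // Number of rows actually changed; 0 means nothing matched the WHERE clause.
    return $stmt->rowCount();
}

if (isset($_POST['marked'])) {
    // Placeholder connection details; ERRMODE_EXCEPTION surfaces SQL errors such as a
    // misspelled column instead of failing silently, and native prepares keep data and SQL separate.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
    $updated = markAnswer($pdo, $_POST);
}
```

A return value of 0 from `markAnswer` is the first thing to check when "it doesn't update": it means no row with that SessionID and QuesID (and marked = 0) exists, rather than that the query failed.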