
I have been doing some small-site webmaster work and have run into a strange problem. I am able to pull content from the database, but I can't seem to get it to update and insert it into the database. If someone could look at this code and see why the content won't update, I would really appreciate it. Here is the page code. I must be missing something.

    <?php include("../inc/approve-admin.php"); ?>
    <?php include("../inc/connect.php"); ?>

    <?php
    $result = mysql_query("SELECT * FROM inventory ORDER BY id");
    ?>
    <?     while ($row = mysql_fetch_assoc($result)) {
                                        $id = $row['id'];
                                        $information = $row['information'];
                                        $link = $row['link'];
                                        $title = $row['title'];
                                       }

        ?>

    <!DOCTYPE HTML>
    <?php
    $description = "Fashion Franchise";
    $keywords = "Fashion Franchise";
    $body = "home";
    require ("../inc/header.php");
    ?>

    <script src="../js/jquery.validate.js" type="text/javascript"></script>
    <!-- for styling the form -->
    <script src="../js/cmxforms.js" type="text/javascript"></script>

    <script type="text/javascript">
    $(document).ready(function() {
        $("#addResource").validate();
    });
    </script>

    <script type="text/javascript" src="../js/tiny_mce/tiny_mce.js" ></script>
    <script type="text/javascript">
    tinyMCE.init({
            mode : "textareas"
    });
    </script>

        <body id="<?php echo htmlentities("$body") ?>">

        <div class="container_12">
        <!-- Nav -->
        <?php include("../inc/nav-admin.php"); ?>
        <!-- / Nav -->

        <div class="grid_12">&nbsp;</div>
        <div class="grid_12">&nbsp;</div>

        <!-- Adimn List -->
        <?php include("../inc/admin-list.php"); ?>
        <!-- / Adimn List -->

        <div class="grid_7" id="white" style="min-height:400px;">

        <p style="text-align:center;padding-top:20px;">
        <?

        if(isset($_POST['title'])) {
            $information = $_POST['information'];
            $link = $_POST['link'];
            $title = $_POST['title'];

            $query = mysql_query("UPDATE inventory SET
                title = '$title',
                information = '$information',
                link = '$link'
                WHERE id = $id LIMIT 1 ;");

            if($query) {
                $message = $title . " has been updated";
            }else{
                $message = "an error occurred while updating this entry";

            }
        }
    ?>
        </p>

        <? if(isset($_POST['title'])) { ?>
                <div id="content_holder">
                  <p style="text-align:center;padding-top:20px;">
                  <strong><? echo $message; ?></strong><br/>
                  <span class="error"><? if($error_message) { echo $error_message; } ?></span>
                  Select a category on the left to continue editing</p>
                <!-- end content_holder -->
                </div>
           <? }else{ ?>


         <form action="inventory.php?id=<?=$id?>" enctype="multipart/form-data"  name="addResource" id="addResource" method="post" class="cmxform">

        <table cellpadding="10px;" cellspacing="5" width="100%" align="left" valign="top">
        <tr><td colspan="2"><h1>Edit Inventory Resources</h1></td></tr>

        <tr>
        <td width="50%">
        <span class="formTitle">General Information</span><br/>
        <label>*Title</label><br/>
        <input id="title" name="title" class="required" value="<?=$title?>"/>
        </td>
        <td width="50%"><br/>
        <label>*Dropbox Link</label><br/>
        <input id="link" name="link" class="required" value="<?=$link?>"/>
        </td>
        </tr>

        <tr>
        <td colspan="2">
        <hr/>
        </td>
        </tr>

        <tr><td colspan="2">
        <textarea style="width: 510px; height: 400px; font-size: 12px;" id="information" name="information"><?=$information?></textarea>
        </td></tr>

            <tr>
        <td colspan="2">
        <hr/>
        </td>
        </tr>


        <tr align="right"><td colspan="2">
        <input type="submit" value="Update Inventory Resources" class="submit" />&nbsp;&nbsp;&nbsp;&nbsp;<a href="index.php" class="cancel">Cancel</a><br/><br/>
        </td></tr>
             </form>

            </table>


        </div>



    <?php include("../inc/footer.php"); ?>

        <!-- / Container_12 -->
        </div>

        </body>
    </html>
      <?php

        mysql_close();
        ?>

    <? } ?>

1 Answer


The problem is a quote mark in your text:

    's standard dummy text ever since the 1500s, when an unknown printer took a galle

Fastest solution is to escape everything before inserting into the table:

    $information_to_insert = mysql_real_escape_string($_POST['information']);
    $link_to_insert = mysql_real_escape_string($_POST['link']);
    $title_to_insert = mysql_real_escape_string($_POST['title']);
    $id = (int)$id;   // Cast this as an integer to also make it safe

    $query = mysql_query("UPDATE inventory SET
        title = '$title_to_insert',
        information = '$information_to_insert', 
        link = '$link_to_insert'
        WHERE id = $id LIMIT 1 ;");

Then, later where you display, you also need to make safe for display:

    $information_to_display = htmlentities($_POST['information']);
    $link_to_display = htmlentities($_POST['link']);
    $title_to_display = htmlentities($_POST['title']);

BUT - check out PDO Prepared statements as advised in comments. Start now before you're forced to change all your code over in a few years.

answered 2012-12-05T01:40:23.197
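As an added example (not code from the question or the answer), here is the same update done the way the answer recommends, with a PDO prepared statement, so the apostrophe in the text is data rather than part of the SQL. The DSN and credentials are placeholders, and the row id is assumed to arrive in the query string, which is where the question's form action `inventory.php?id=...` sends it.

```php
<?php
// Added example: parameterised UPDATE for the inventory table with PDO.
// DSN, user and password are placeholders; take them from your connect.php.
function connectInventoryDb(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASSWORD');
    // Throw on errors, and use real server-side prepares so values never touch the SQL text.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Returns the number of rows MySQL reports as changed (0 if the submitted values equal the stored ones).
function updateInventory(PDO $pdo, int $id, string $title, string $information, string $link): int
{
    $stmt = $pdo->prepare(
        'UPDATE inventory SET title = :title, information = :information, link = :link
         WHERE id = :id LIMIT 1'
    );
    $stmt->bindValue(':title', $title);
    $stmt->bindValue(':information', $information);   // "printer's" and similar text is fine here
    $stmt->bindValue(':link', $link);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Escape a value before echoing it into an HTML attribute or element body.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request handling as inventory.php would do it: id from the query string, fields from the POST body.
$id = (int)($_GET['id'] ?? 0);
$message = '';
if ($id > 0 && isset($_POST['title'], $_POST['information'], $_POST['link'])) {
    try {
        updateInventory(connectInventoryDb(), $id, $_POST['title'], $_POST['information'], $_POST['link']);
        $message = h($_POST['title']) . ' has been updated';
    } catch (PDOException $e) {
        error_log($e->getMessage());   // keep the driver detail in the log, not on the page
        $message = 'an error occurred while updating this entry';
    }
}
echo '<strong>' . $message . '</strong>';
```

Use `h()` on `$title`, `$link` and `$information` when you print them back into the form's `value` attributes and the textarea as well, not only in the status message.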