0

当用户可以购买产品时,我正在创建一个网站。我已经创建了该网站的管理员端,并尝试创建一个页面,管理员在登录后可以更新 myphpadmin 数据库中某个产品的库存水平。到目前为止,我已经设法将代码更新到我的数据库中但不更新到所选产品的阶段。相反,它创造了库存水平和价格的新记录。我使用以下命令携带了上一页中的产品 ID:

echo "<input type=hidden name=h_prodid value=".$stockid.">";

因此,当管理员单击更新链接时,他们会到达包含该特定产品当前详细信息的页面。然后他们输入一个或两个值来更新这个特定的产品,但当前一条新记录被插入到数据库中,而不是更新现有的。请看下面的代码。

<?php

session_start();

include("db.php");

//create a variable called $pagename which contains the actual name of the page
$pagename="Product Update Confirmation";

//call in the style sheet called ystylesheet.css to format the page as defined in the style sheet
echo "<link rel=stylesheet type=text/css href=mystylesheet.css>";

//display window title
echo "<title>".$pagename."</title>";
//include head layout 
include("adminheadlayout.html");

//display the name of the site and the date dynamically. See uk.php.net
echo date ('l d F Y H:i:s');
echo "<p></p>";

include ("detectlogin.php");

//display name of the page
echo "<h2>".$pagename."</h2>";

//Capture the details entered in the form using the $_POST superglobal variable
//Store these details into a set of new variables
$newprice=$_POST['p_priceupdate'];
$newquantity=$_POST['p_quantityupdate'];
$prodid=$_POST['h_prodid'];

//If any of the variables is empty
if (!$newprice and !$newquantity)
{
echo "<br>Please enter a value for price and/or quantity ";
echo "<br>Go back to <a href=editstock.php>Edit Stock details</a>";
}
else
{
if (!$newprice or !$newquantity)
{
    //insert a new record in the order table to generate a new order number. 
    //store the id of the user who is placing the order as well as the current date and time
    $productupdateSQL="insert into Products (prodPrice, proQuantity, prodId)
    values ('".$newprice."', '".$newquantity."', '".$prodid."')";
    $exeproductupdateSQL=mysql_query($productupdateSQL);
    echo "<p strong>Stock level updated successfully!";
}

//if a database error is returned, display an order error message
else
{
echo "<p>Sorry there has been an error with your product update";
echo "Go back to <a href=editstock.php>Edit Stock Details</a>";
}
}
//include head layout
include("footlayout.html");
?>

任何想法将不胜感激。我几乎在那里但是找不到与这种特定类型的问题有关的任何东西。

4

1 回答 1

1

您的脚本只包含一个 INSERT 查询,没有 UPDATE 查询,因此它永远不会更新现有记录

警告 您的代码非常不安全,使用过时的 mysql_ 函数并且根本不转义值。因此,该代码易受 SQL 注入攻击。SQL 注入可能导致私有数据暴露和数据丢失!在这里阅读: http ://www.unixwiz.net/techtips/sql-injection.html

于 2013-02-03T21:37:39.230 回答