-2

我正在使用 PHP 表单来更新数据库记录。我对大多数记录都没有问题,但是我需要将 html 放入其中。如果我只输入常规文本或单引号,它会更新,但如果我输入双引号或其他 HTML,它不会。

这是我的页面

<?php

//start session
session_start(); 

$hostname_DuskySportCenter = "localhost";
$database_DuskySportCenter = "test";
$username_DuskySportCenter = "test";
$password_DuskySportCenter = "test";

$con=mysqli_connect($hostname_DuskySportCenter,$username_DuskySportCenter,$password_DuskySportCenter,$database_DuskySportCenter);

// Check connection
if (mysqli_connect_errno($con))
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

//update a record
mysqli_query($con,"UPDATE CSINSTOCK SET name=\"{$_POST['name']}\", description=\"{$_POST['description']}\"  WHERE id=9999 ");

//get record set
$result = mysqli_query($con,"SELECT * FROM `CSINSTOCK` WHERE `id` = '9999' ");


echo  '<form action="monthly-specials-cs-update.php" method="post">';

//table heading row
echo '<table width="1000" border="1" cellspacing="0" cellpadding="1">';
  echo  '<tr>';
  echo   '<td>ID</td>';
  echo   '<td>NAME</td>';
  echo   '<td>description</td>';
  echo   '<td>sort</td>';
  echo   '<td>active</td>';
  echo   '<td>sold</td>';
  echo   '<td>message</td>';
  echo   '<td>price</td>';
  echo   '<td>financing</td>';
  echo   '<td>img1</td>';
  echo  '<td>img2</td>';
  echo   '<td>img3</td>';
  echo   '<td>img4</td>';
  echo   '<td>img5</td>';
  echo   '<td>img6</td>';
  echo   '<td>img7</td>';
  echo   '<td>img8</td>';
  echo   '<td>img9</td>';
  echo  '<td>img10</td>';
  echo  '</tr>';

//display data
while($row = mysqli_fetch_array($result))
  {


  echo  '<tr>';
  echo   '<td>'. $row['id'] . '</td>';
  echo   '<td><input type="text" name="name" value="' . $row['name'] . '" />&nbsp;</td>';
  echo   '<td><textarea name="description" value="' .  $row['description']. '">' . $row['description'] .'</textarea></td>';
  echo   '<td><input type="text" name="sort" value="' . $row['sort'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="active" value="' . $row['active'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="sold" value="' . $row['sold'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="message" value="' . $row['message'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="price" value="' . $row['price'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="financing" value="' . $row['financing'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="img1" value="' . $row['img1'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="img2" value="' . $row['img2'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="img3" value="' . $row['img3'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="img4" value="' . $row['img4'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="img5" value="' . $row['img5'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="img6" value="' . $row['img6'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="img7" value="' . $row['img7'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="img8" value="' . $row['img8'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="img9" value="' . $row['img9'] . '" />&nbsp;</td>';
  echo   '<td><input type="text" name="img10" value="' . $row['img10'] . '" />&nbsp;</td>';
  echo '</tr>';

  }

//closing tag for table  
echo '</table>';
echo '<br /><input type="submit" value="submit" /></form>';



mysqli_close($con);
?>
4

1 回答 1

1

抬头看mysqli_real_escape_string()。不使用它会产生错误,更重要的是,会产生巨大的安全问题。( http://php.net/manual/en/security.database.sql-injection.php )

于 2013-05-22T16:38:42.800 回答