-3

我的代码有问题,它只影响数据库中的第一行,为什么

if(isset($_POST['submit'])){

    $query = "UPDATE databasename SET id=";
    $query .="'" .$_POST[id]. "', 1 =";
    $query .="'" .$_POST[1]. "', 2 =";
    $query .="'" .$_POST[2]. "', 3 =";
    $query .="'" .$_POST[3]. "', 4 =";
    $query .="'" .$_POST[4]. "', 5=";
    $query .="'" .$_POST[5]. "', 6=";
    $query .="'" .$_POST[6]. "', 7=";
    $query .="'" .$_POST[7]. "', 8=";
    $query .="'" .$_POST[8]. "', 9=";
    $query .="'" .$_POST[9]. "'";

    echo "USER has been modified";
    echo $query;
    echo "<br/>";
    echo "<a href='http://www.example.com/instrument.php?id=$_POST[id]'>Click This Link </a>";
    $result = mysqli_query($link, $query) or die(mysql_error());
    header ("Location: edit.php");
}
4

1 回答 1

0

如果您是真正更新表而不是插入,那么您需要一个WHERE子句来限制对所需行的更新。您当前的语句没有此子句,因此它将更新表中的所有行。例子:

$query = "UPDATE tablename SET 1 =";
//$query .="'" .$_POST[id]. "', 1 =";
$query .="'" .$_POST[1]. "', 2 =";
$query .="'" .$_POST[2]. "', 3 =";
$query .="'" .$_POST[3]. "', 4 =";
$query .="'" .$_POST[4]. "', 5=";
$query .="'" .$_POST[5]. "', 6=";
$query .="'" .$_POST[6]. "', 7=";
$query .="'" .$_POST[7]. "', 8=";
$query .="'" .$_POST[8]. "', 9=";
$query .="'" .$_POST[9]. "'";
&query .="' WHERE id=" . $_POST[id];

是的,这很容易受到 SQL 注入的影响。

于 2013-06-18T17:20:55.797 回答