1

我创建了一个函数来显示表格的内容。这是功能:

function query_tabel ($sql){
    $query = $sql;
    $result = mysql_query($query);
    $kolomen_tellen = mysql_num_fields($result);
    if (!$result) {
        die("Error Query: " . mysql_error());
    }
    print "<table border=1>\n";

        print "<tr>";
            for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
            {
                $fieldname = mysql_field_name($result, $column_num);
                print "<TH>$fieldname</TH>";
            }
            print "</tr>";

    while ($row = mysql_fetch_row($result)) {
        print ("<TR>");
        for     ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
            print ("<TD>$row[$column_num]</TD>\n");
        print ("</TR>\n");
    }
    print "</table>";

它可以工作并且可以在任何文件中随时调用该函数。但我想要另一个创建带有输入字段的编辑表单的函数。

这是我的初稿:

function query_tabel_edit ($sql, $filename){
    $query = $sql;
    $result = mysql_query($query);
    $kolomen_tellen = mysql_num_fields($result);
    if (!$result) {
        die("Error Query: " . mysql_error());
    }
    print "<table class=edit>\n";

        print "<tr>";
            for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
            {
                $fieldname = mysql_field_name($result, $column_num);
                print "<TH class=edit>$fieldname</TH>";
            }
            print "</tr>";

    while ($row = mysql_fetch_row($result)) {
        print "<form action=$filename method=post>";
        print ("<TR>");
        for     ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
            print ("<TD class=edit> <input class=edit type=text name=$row[$column_num] value=$row[$column_num] </TD>\n"); 
            print ("<TD class=edit> <input class=edit type=submit name=update value=edit> <TD>\n");
        print ("</TR>\n");
    }
    print "</table>";
}

所以我添加了编辑链接,就像一个魅力,但我如何以及在哪里创建和放置修改记录的 SQL 行。?

知道如何创建此编辑 sql 语句,我是否需要将数据 sql 行放在我的函数或调用该函数的 PHP 文件中?

4

1 回答 1

0

你可以或多或少地这样做。很难做到这一点完全灵活,因为您需要知道如何构建您的更新语句。这意味着您必须知道要更新哪个表和哪些字段。您不能依赖 HTML 表单中的内容,因为有人可能会伪造假表单并发布非法字段名称,从而使您容易受到攻击。

我认为最好的方法是在用户会话中存储有关正在更新的表和字段的信息,但是由于我不知道您是否了解会话,所以我暂时将其放在了这里。

请注意,我已经使用了这些mysql函数,因为您正在使用它们并且我不想强迫您更改它,但是它们已被弃用,强烈建议您更改为 mysqli 或 PDO。

使用 mysqli 您还可以使用准备好的语句。但这也是我留给您在文档中阅读的内容。

我与您的代码相比,最重要的变化是我使用mysql_fetch_array了 ,它返回一个值数组,其中还包含字段名称作为键。这样,您可以使用这些名称进行编辑,并且您会在$_POST数据中找到这些名称。从那里开始,您应该能够多解一些谜题以使其正常工作。

<?php

// This is how to do it in a single script: Check if a value is posted and 
// act on it.
// If you have separate scripts, you don't actually need this, although it's 
// still a good idea to thoroughly check the input to your scripts to prevent
// attacks from malicious users.

if (array_key_exists('id', $_POST)
{
  // Post data found. Update record.

  // Assuming id is an integer, I int-cast it. If it's not, make sure to 
  // properly escape it or you'll be vulnerable to SQL injection attacks!
  $id = (int)$_POST['id'];

  // You will need to validate if the posted field names are valid. You can
  // do this by specifying a list of updatable fields and then check if the 
  // posted values are in that list. 
  // You could also run query to get the field names from the database, so
  // so you will have more flexibility.
  // You can also store the fields to be updated in the session of the user
  // That will save you a query, but you'll have to read about sessions as well.
  $updatableFields = array('firstname', 'lastname');

  foreach ($_POST as $fieldname => $value)
  {
    // Validate the field names! You don't want field names that don't 
    // exist, or your query will break. Also, it will make you vulnerable 
    // to SQL injection attacks.
    if (array_search($fieldname, $updatableFields) !== false)
    {
      $value = mysql_real_escape_string($value);
      $update[] = "$fieldname = '$value'";
    }
  }
  $sql = 'UPDATE YourTable SET ' . implode($update) . " WHERE id = $id";
  // Execute statement.
}
else
{
  // Query your database here
  // <<code omitted>> 

  // Show edit form
  while ($row = mysql_fetch_array($result))
  {
    foreach ($row as $fieldname => $value)
    {
      $value = htmlspecialchars($value);
      $type = 'text';
      // Store the id in an hidden input, so you know which row to update.
      if ($fieldname == 'id')
      {
        $type = 'hidden';
      }
  ?>
    <label for="<?=$fieldname?>"><?=$fieldname?></label>
    <input type="<?=$type?>" id="<?=$fieldname?>" name="<?=$fieldname?>" value="<?=$value?>">
  <?php
    }
  ?>
    <input type="submit" value="save">
  <?php
  }

}
于 2013-07-29T20:04:18.653 回答