2015-12-15 69 views
0

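PHP MYSQL - Update user profile with SESSION

I am trying to update the user profile using the session. The user profile page is supposed to update the profile of the logged-in user accordingly. Below is the sample code for user_profile.php: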

<?php 
session_start(); 
ob_start(); 

include("../function/dbconnect.php"); 
include("header.php"); 
?> 

<html> 
<body> 

<?php 
if(isset($_SESSION['VALID_USER'])){ 

if(isset($_POST['submit'])) 
{ 
    $username = $_POST['username']; 
    $password = $_POST['password']; 

    $s=mysql_query("UPDATE tbl_staffs SET username='$username', password='$password' WHERE username='".mysql_real_escape_string($_SESSION["VALID_USER"])."'"); 

    if ($s) 
     { echo "<script type='text/javascript'>alert('Successful - Record Updated!'); window.location.href = 'user_profile.php';</script>"; } 
    else 
     { echo "<script type='text/javascript'>alert('Unsuccessful - ERROR!'); window.location.href = 'user_profile.php';</script>"; } 
} 

$query1=mysql_query("SELECT * FROM tbl_staffs WHERE username='".mysql_real_escape_string($_SESSION["VALID_USER"])."' AND user_levels = '".mysql_real_escape_string('1')."'"); 
$query2=mysql_fetch_array($query1); 

?> 

<form action="user_profile.php" method="POST"> 
<div>Your Profile</div> 
<table border="0" align="center" cellpadding="2" cellspacing="0"> 
<tr> 
<td><div>Username:</div></td> 
<td><input type="text" name="username" value="<?php echo $query2['username']; ?>" /></td> 
</tr> 
<tr> 
<td><div align="left" id="tb-name">Password:</div></td> 
<td><input type="text" name="password" value="<?php echo $query2['password']; ?>" /></td> 
</tr> 
</table> 
<input type="submit" name="submit" value="Update" /> 
</form> 

<?php 
// close while loop 
}} 
?> 

<?php 
// close connection; 
mysql_close(); 
?> 
</br> 

</body> 
</html> 

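The page returns blank. There are a few other pieces of code that I have been working on for the user_profile.php page as well; however, I get the same result... I use the code below for the admin to update user profiles.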

include('function/dbconnect.php'); 
     if(isset($_GET['id'])) 
     { 
      $id=$_GET['id']; 
       if(isset($_POST['submit'])) 
       { 
        $username = $_POST['username']; 
        $email  = $_POST['email']; 
        $password = $_POST['password']; 
        $user_type = $_POST['user_type']; 
        $query3  = mysql_query("UPDATE tbl_staffs 
               SET username='$username', email='$email', password='$password', WHERE id='$id'"); 

        if ($query3) 
         { echo "<script type='text/javascript'>alert('Successful - Record Updated!'); window.location.href = 'user_list.php';</script>"; } 
        else 
         { echo "<script type='text/javascript'>alert('Unsuccessful - ERROR!'); window.location.href = 'user_list.php';</script>"; } 
       } 

    $query1=mysql_query("SELECT * FROM tbl_staffs WHERE id='$id'"); 
    $query2=mysql_fetch_array($query1); 



<form method="post"> 
<tr> 
    <td><b>Username:</b></td><td><input type="text" name="username" style="width:255px" value="<?php echo $query2['username']; ?>" /></td> 
    </tr> 
    <tr> 
    <td><b>Email:</b></td><td><input type="text" name="email" style="width:255px" value="<?php echo $query2['email']; ?>" /></td> 
    </tr> 
    <tr> 
    <td><b>Password:</b></td><td><input type="text" name="password" style="width:255px" value="<?php echo $query2['password']; ?>" /></td> 
    </tr> 
    <tr> 
    <td colspan="2" align="right"> 
    <br /> 
     <span title="Click to update the user details"><input type="submit" name="submit" value="Update" /></span> 
    </td> 
    </tr> 
    </table> 

    </form> 
    <?php 
    } 
    ?> 

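Apparently, it works fine. However, when I try to apply the code for users so that they can update their own profile, the code does not work. Where did I go wrong?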

+1

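There are multiple major mistakes here: 1. using the deprecated 'mysql_*' library; 2. open to SQL injection attacks; 3. many HTML problems. Please rewrite your code. – Raptor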

+0

So why are you only sanitizing the values in the 'WHERE' and not the values actually being inserted? – Sean

+0

Once your user changes their username, you don't reset $_SESSION['VALID_USER'] to this new value, so when you do the SELECT, it will try to find the old 'username' value, not the new one. – Sean

Answer

0

First check that your session exists, then replace ".mysql_real_escape_string($_SESSION["VALID_USER"])." in your query with a variable like this:

// Escape the session value once and reuse it in both queries
$VALID_USER=mysql_real_escape_string($_SESSION["VALID_USER"]);

if(isset($_POST['submit']))
{
    // Escape the submitted values too; they are placed into the SQL string as well
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    $s=mysql_query("UPDATE tbl_staffs SET username='$username', password='$password' WHERE username='$VALID_USER'");

    if ($s)
        { echo "<script type='text/javascript'>alert('Successful - Record Updated!'); window.location.href = 'user_profile.php';</script>"; }
    else
        { echo "<script type='text/javascript'>alert('Unsuccessful - ERROR!'); window.location.href = 'user_profile.php';</script>"; }
}

$query1=mysql_query("SELECT * FROM tbl_staffs WHERE username='$VALID_USER' AND user_levels = '".mysql_real_escape_string('1')."'");
$query2=mysql_fetch_array($query1);
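
An added example, not part of the original question or answer: a self-service profile update that addresses the points raised in the comments (the `mysql_*` API, removed in PHP 7; SQL injection; the stale `$_SESSION['VALID_USER']`) using PDO prepared statements, and that also hashes the password and escapes output. The helper name `update_own_profile()`, the in-memory SQLite database standing in for MySQL, and the sample rows are assumptions made for illustration.

```php
<?php
// Added example: hardened profile update using PDO instead of mysql_*.
// Assumptions: SQLite in-memory stands in for MySQL; update_own_profile()
// and the sample rows below are constructed for illustration.
function update_own_profile(PDO $db, array &$session, string $newUser, string $newPass): bool
{
    if (empty($session['VALID_USER']) || $newUser === '' || $newPass === '') {
        return false;                        // not logged in, or empty input
    }
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare(
        'UPDATE tbl_staffs SET username = :new, password = :hash WHERE username = :cur'
    );
    $stmt->execute([
        ':new'  => $newUser,
        ':hash' => password_hash($newPass, PASSWORD_DEFAULT), // never store plaintext
        ':cur'  => $session['VALID_USER'],
    ]);
    if ($stmt->rowCount() !== 1) {
        return false;                        // no row matched the session user
    }
    // Keep the session in step with the renamed account; otherwise the
    // follow-up SELECT still looks for the old username.
    $session['VALID_USER'] = $newUser;
    return true;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_staffs (username TEXT PRIMARY KEY, password TEXT, user_levels TEXT)');
$db->exec("INSERT INTO tbl_staffs VALUES ('alice', 'x', '1'), ('bob', 'y', '1')");

$session = ['VALID_USER' => 'alice'];        // stands in for $_SESSION
// Constructed input with an apostrophe: it breaks a concatenated query, but is stored as plain data here.
$ok = update_own_profile($db, $session, "O'Brien", 's3cret-Pass');

$row = $db->prepare('SELECT username, password FROM tbl_staffs WHERE username = ?');
$row->execute([$session['VALID_USER']]);
$me = $row->fetch(PDO::FETCH_ASSOC);

var_dump($ok);
var_dump(password_verify('s3cret-Pass', $me['password']));
// Escape on output so a stored username cannot break out of the value attribute.
echo '<input type="text" name="username" value="',
     htmlspecialchars($me['username'], ENT_QUOTES, 'UTF-8'), '" />', PHP_EOL;
$bob = $db->query("SELECT password FROM tbl_staffs WHERE username = 'bob'")->fetchColumn();
var_dump($bob === 'y');                      // checks that the other account's row was not modified
```

Because the password is stored as a hash, the profile form should present an empty password field rather than echoing the stored value back into the page.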