0
其他更新功能运行良好,但我试图更新任何数据,付款率的现有值变为0.其他值似乎更新得很好。只有缴费率变为0使用DECIMAL输入(php,mysql)更新输入
下面是小数点输入
<div class="form-group">
<label class="control-label col-sm-4" >Payment Rate:</label>
<div class="col-sm-4">
<input type="decimal" class="form-control" name="payment" value="<?php echo "RM"; ?> <?php if(isset($row['payment_puspakom'])){ echo $row['payment_puspakom']; } ?>" required placeholder="Enter Payment Rate (RM)">
</div>
</div>
这是我更新的SQL语句的HTML。
if(isset($_POST['submit'])){
$id = mysqli_real_escape_string($link, $_POST["puspaid"]);
$vehicle = mysqli_real_escape_string($link,$_POST["vehicle"]);
$date = date("Y-m-d",strtotime($_POST["date"]));
$specification = mysqli_real_escape_string($link,$_POST["specification"]);
$stats = mysqli_real_escape_string($link,$_POST["stats"]);
$next = date("Y-m-d",strtotime($_POST["next"]));
$payment = mysqli_real_escape_string($link,$_POST["payment"]);
$status = mysqli_real_escape_string($link,$_POST["status"]);
$update = mysqli_real_escape_string($link,$_SESSION["idinfostaf"]);
$updpuspa="UPDATE puspakom SET id_fkVehicle='$vehicle', id_fkPuspakomStatus='$stats', date_puspakom='$date', specification='$specification', payment_puspakom='$payment', dateNext_puspakom='$next', status_puspakom='$status', updateby_puspakom='$update' WHERE id_puspakom=".$id;
$respuspa=mysqli_query($link,$updpuspa);
if($respuspa){
$success = "Record Updated Successfully";
}
else{
$error = "Error Updating Record. Try Again...".mysqli_error($link);
}
}
我似乎找不到我犯的错误。
使用预准备语句。 – Enstage
准备好声明? – yuki
[Little Bobby](http://bobby-tables.com/)说[你的脚本存在SQL注入攻击风险](http://stackoverflow.com/questions/60174/how-can-i-prevent- SQL注入功能于PHP)。了解[MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php)的[准备语句](http://en.wikipedia.org/wiki/Prepared_statement)。即使[转义字符串](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string)是不安全的。 – junkfoodjunkie