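My Update statement in PHP is not updating the database

When I echo the output, it shows the required updated values. However, when the same values are passed to update the database, the update statement does nothing.

Part of the code is: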
```php
if (empty($_POST) === false)
{
    $fname= $_POST['fname'];
    $srno= $_POST['SRNO'];
    echo $fname.' and'. $srno;
    mysql_query('update names set fname="$fname" where SRNO="$srno"');
}
```
And the complete code is:
```php
<!DOCTYPE html>
<html>
<head>
<title>List of users</title>
</head>
<body>
<?php
mysql_connect("localhost","root","") or die (mysql_error());
mysql_select_db("list") or die (mysql_error());
if (empty($_POST) === false)
{
    $fname= $_POST['fname'];
    $srno= $_POST['SRNO'];
    echo $fname.' and'. $srno;
    mysql_query('update names set fname="$fname" where SRNO="$srno"');
}
if(isset($_GET['edit']))
{
    $getedit=mysql_query('SELECT SRNO, fname, lname, phone, email from names where SRNO='.mysql_real_escape_string((int)$_GET['edit']));
    while ($get_row=mysql_fetch_assoc($getedit))
    {
        echo '<form method="POST" action="">';
        echo 'Sr. No: '.$get_row['SRNO'].'<br />';
        echo 'Sr.No:<input type="text" value='.$get_row['SRNO'].' name="SRNO" readonly="readonly">';
        echo 'First Name: <input type="text" value='.$get_row['fname'].' name="fname"><br />';
        echo '<input type="submit" name="submit" value="save">';
        echo '</form>';
    }
}
$get=mysql_query('SELECT SRNO, fname, lname, email, phone, address, comments from names ORDER BY SRNO ASC');
if (mysql_num_rows($get)==0)
{
    echo 'There are no entries';
}
else
{
    echo '<table border=0>';
    echo'<tr><th>Sr. No</th><th>First Name</th><th>Last Name</th><th>Phone No</th><th>E-mail</th><th>Modify</th></tr>';
    while($get_row=mysql_fetch_assoc($get))
    {
        echo '<tr><td>'.$get_row['SRNO'].'</td><td>'.$get_row['fname'].'</td><td>'.$get_row['lname'].'</td><td>'.$get_row['phone'].'</td><td>'.$get_row['email'].'</td><td><a href="index.php?edit='.$get_row['SRNO'].'">Edit</a></td></tr>';
    }
    echo '</table>';
}
?>
</body>
</html>
```
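Your script is prone to SQL injection. For the first query, 'update names ....', you haven't used mysql_real_escape_string() but should have. For the second query, 'SELECT ... where SRNO=', you have used mysql_real_escape_string but shouldn't have - or you should make that parameter a string literal. Please read up on how to sanitize/encode values for these queries and/or on prepared statements. –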
VolkerK
2013-03-10 20:24:28
***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – 2018-02-28 17:28:55
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – 2018-02-28 17:29:00
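
An added example (not code from the question or the commenters): the question's UPDATE written as a PDO prepared statement, as the comments recommend. The posted query sits in a single-quoted PHP string, so `$fname` and `$srno` reach the server as literal text and no row matches; here the values are bound as parameters instead. The in-memory SQLite table and the `updateFirstName` helper are assumptions made so the script runs offline.

```php
<?php
// Added example. Constructed in-memory SQLite table standing in for the
// page's MySQL `names` table so the script runs offline (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE names (SRNO INTEGER PRIMARY KEY, fname TEXT)');
$pdo->exec("INSERT INTO names (SRNO, fname) VALUES (1, 'Alice'), (2, 'Bob')");

// Hypothetical helper (not from the page): validate, then update one row.
function updateFirstName(PDO $pdo, array $post): int
{
    // SRNO is a row key: accept only a positive integer.
    $srno = filter_var($post['SRNO'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $fname = trim((string) ($post['fname'] ?? ''));
    if ($srno === false || $fname === '') {
        throw new InvalidArgumentException('invalid SRNO or empty fname');
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare('UPDATE names SET fname = :fname WHERE SRNO = :srno');
    $stmt->bindValue(':fname', $fname, PDO::PARAM_STR);
    $stmt->bindValue(':srno', $srno, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows changed
}

// The question's query string: single quotes mean no variable interpolation,
// so the server receives the text "$fname" and "$srno", not their values.
$fname = 'Carol';
$srno = 1;
$asPosted = 'update names set fname="$fname" where SRNO="$srno"';
echo "Query as posted: $asPosted\n";

// Constructed inputs: a normal edit, then a name containing SQL syntax.
echo 'Rows changed: ', updateFirstName($pdo, ['SRNO' => '1', 'fname' => 'Carol']), "\n";
$hostile = 'x" WHERE 1=1 -- ';
echo 'Rows changed: ', updateFirstName($pdo, ['SRNO' => '2', 'fname' => $hostile]), "\n";

// A non-integer key is rejected before any query runs.
try {
    updateFirstName($pdo, ['SRNO' => '1 OR 1=1', 'fname' => 'Mallory']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

// Row 2 holds the hostile text as plain data; row 1 is untouched by it.
foreach ($pdo->query('SELECT SRNO, fname FROM names ORDER BY SRNO') as $row) {
    echo $row['SRNO'], ' => ', $row['fname'], "\n";
}
```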