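This is the form; it shows the data that I have to update, and I am getting the data correctly. When I press the Update button, I want the data to be updated using the up.php file. I want to update the record in my SQL table, but it updates all the data and does not get the correct ID.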
```php
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "alurdu_db";
// Row id taken from the query string
$id = $_GET['id'];

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// Set the connection charset to UTF-8
mysqli_set_charset($conn, "utf8");

$sql = "SELECT * FROM news WHERE news_id='$id'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
?>
<form action="up.php" method="post" enctype="multipart/form-data">
    <div class="form-group">
        <input type="text" class="form-control" name="news_title" value="<?=$row["title"]?>">
        <div class="col-md-2 text-center">News Title</div>
        <button type="submit" class="btn btn-default text-align" style="background-color:#3c8dbc;color:white" value="">Update</button>
    </div>
</form>
<?php
    }
} else {
    echo "Wrong Page";
}
$conn->close();
?>
```
This is the up.php file. I don't know why it does not get the ID; without the ID it updates all the data in the table.
```php
<?php
$news_title = $_POST["news_title"];
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "alurdu_db";
// Row id is read from the query string
$news_id = $_GET['id'];

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// Set the connection charset to UTF-8
mysqli_set_charset($conn, "utf8");

$sql = " UPDATE news SET title='$news_title' WHERE news_id='$news_id' ";
if ($conn->query($sql) === TRUE) {
    echo "Updated";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}
$conn->close();
?>
```
Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters, as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php).
Okay, I will change it, but please tell me how I get the correct ID.
Could it be because you put the id into the wrong variable? `$news_id = $_GET['id'];` -> `$sql = "UPDATE news SET title='$news_title' WHERE news_id='$id'";`. It should probably be `$sql = "UPDATE news SET title='$news_title' WHERE news_id='$news_id'";`. Of course, SQL injection has already been mentioned.
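
Added example, not part of the original thread or any participant's code: the form shown in the question posts to `up.php` without an id while `up.php` reads `$_GET['id']`, so this sketch carries the id in a hidden POST field and updates through a prepared statement with bound parameters, as the first comment recommends. It assumes PDO with an in-memory SQLite table standing in for `news`; the function names `render_form` and `update_title` and the hidden field name `id` are hypothetical.

```php
<?php
// Constructed sample data: an in-memory SQLite table standing in for the `news` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (news_id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO news (news_id, title) VALUES (1, 'First'), (2, 'Second')");

// Edit-form side: carry the row id in the POST body and HTML-escape the title.
function render_form(array $row): string
{
    $id    = (int) $row['news_id'];
    $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
    return '<form action="up.php" method="post">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="text" name="news_title" value="' . $title . '">'
         . '<button type="submit">Update</button></form>';
}

// up.php side: $post stands in for $_POST. Returns the number of rows changed.
function update_title(PDO $pdo, array $post): int
{
    // Reject a missing or non-numeric id before any SQL runs.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    $title = trim((string) ($post['news_title'] ?? ''));
    if ($id === false || $title === '') {
        return 0;
    }
    // Placeholders keep user input out of the SQL text.
    $stmt = $pdo->prepare('UPDATE news SET title = :title WHERE news_id = :id');
    $stmt->execute([':title' => $title, ':id' => $id]);
    return $stmt->rowCount();
}

echo render_form(['news_id' => 2, 'title' => 'Second']), PHP_EOL;
// Valid id with a quote in the title: bound as data, not parsed as SQL.
var_dump(update_title($pdo, ['id' => '2', 'news_title' => "Editor's pick"]));
// Id missing from the request: the UPDATE is never executed.
var_dump(update_title($pdo, ['news_title' => 'no id posted']));
// Non-numeric id: rejected by validation.
var_dump(update_title($pdo, ['id' => "2' OR '1'='1", 'news_title' => 'x']));
```

With MySQL only the DSN passed to `new PDO(...)` changes; the validation and the bound `UPDATE` stay the same.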