This is my code to update a table. My problem is that after submitting a fresh record I'm unable to update the first time (it shows blank), but the second time it works fine.
这是我更新表的代码。我的问题是,提交新记录后,我无法第一次更新(显示空白),但第二次工作正常。
One more thing: when I remove the include statement then it is working fine on submessage.php there is no any phpcode. [annakata: I have no idea what this means]
还有一件事:当我删除include语句时,它在submessage.php上运行正常,没有任何phpcode。 [annakata:我不知道这意味着什么]
$pid = $_GET['id'];
$title = $_POST['title'];
$summary = $_POST['summary'];
$content = $_POST['content'];
$catid = $_POST['cid'];
$author = $_POST['author'];
$keyword = $_POST['keyword'];
$result1= mysql_query("update listing set catid='$catid',title='$title',
summary='$summary',content='$content', author='$author', keyword='$keyword' where pid='$pid'",$db);
include("submessage.php");
3 个解决方案
#1
The things that are wrong with that piece of code are hard to enumerate. However, at the very least, you should establish a connection to the database before you can query it.
这段代码错误的东西很难枚举。但是,至少应该在查询之前建立与数据库的连接。
#2
Why not just redirect to submessage.php
rather than inlining it? Redirecting also prevents duplicate db operations when user refreshed the page. Just replace include
statement with:
为什么不直接重定向到submessage.php而不是内联呢?当用户刷新页面时,重定向还可以防止重复的数据库操作。只需将include语句替换为:
header('Location: submessage.php?id=' . $pid);
die();
Also, before you deploy your application: DO NOT EVER PUT USER INPUT DIRECTLY IN SQL QUERY. You should used bound parameters instead. Otherwise, you could just as well publicly advertise your database admin password. Read more on PDO and prepared statements at http://ie.php.net/pdo
此外,在部署应用程序之前:不要在SQL QUERY中直接输入用户输入。您应该使用绑定参数。否则,您也可以公开宣传您的数据库管理员密码。在http://ie.php.net/pdo上阅读有关PDO和准备好的声明的更多信息
Here's how I would do it:
这是我将如何做到这一点:
$pdo = new PDO(....); // some configuration parameters needed
$sql = "
UPDATE listing SET
catid=:catid, title=:title, summary=:summary,
content=:content, author=:author, keyword=:keyword
WHERE pid=:pid
";
$stmt = $pdo->prepare($sql);
$stmt->bindValue('catid', $_POST['catid']);
$stmt->bindValue('title', $_POST['title']);
$stmt->bindValue('summary', $_POST['summary']);
$stmt->bindValue('content', $_POST['content']);
$stmt->bindValue('author', $_POST['author']);
$stmt->bindValue('keyword', $_POST['keyword']);
$stmt->bindValue('pid', $pid = $_GET['id']);
$stmt->execute();
header('Location: submessage.php?id=' . $pid);
die();
Or in fact, I would use some ORM solution to make it look more like that:
或者事实上,我会使用一些ORM解决方案使它看起来更像:
$listing = Listing::getById($pid = $_GET['id']);
$listing->populate($_POST);
$listing->save();
header('Location: submessage.php?id=' . $pid);
die();
#3
Other than the usual warnings of SQL injection - very likely given your code and where you're obtaining the query parameters from (sans any kind of validation) - then it's quite possible your problem has nothing to do with the queries, particularly if it's working on subsequent attempts. Are you sure $_GET['id'] is set the first time you call the script?
除了SQL注入的通常警告 - 非常可能给出你的代码以及你从哪里获得查询参数(没有任何类型的验证) - 那么你的问题很可能与查询无关,特别是如果它正在工作在随后的尝试。你确定第一次调用脚本时是否设置了$ _GET ['id']?
Just to note, there is absolutely no reason to have to perform several update queries for each field you need to update - just combine them into a single query.
需要注意的是,绝对没有理由为您需要更新的每个字段执行多个更新查询 - 只需将它们组合到一个查询中即可。
#1
The things that are wrong with that piece of code are hard to enumerate. However, at the very least, you should establish a connection to the database before you can query it.
这段代码错误的东西很难枚举。但是,至少应该在查询之前建立与数据库的连接。
#2
Why not just redirect to submessage.php
rather than inlining it? Redirecting also prevents duplicate db operations when user refreshed the page. Just replace include
statement with:
为什么不直接重定向到submessage.php而不是内联呢?当用户刷新页面时,重定向还可以防止重复的数据库操作。只需将include语句替换为:
header('Location: submessage.php?id=' . $pid);
die();
Also, before you deploy your application: DO NOT EVER PUT USER INPUT DIRECTLY IN SQL QUERY. You should used bound parameters instead. Otherwise, you could just as well publicly advertise your database admin password. Read more on PDO and prepared statements at http://ie.php.net/pdo
此外,在部署应用程序之前:不要在SQL QUERY中直接输入用户输入。您应该使用绑定参数。否则,您也可以公开宣传您的数据库管理员密码。在http://ie.php.net/pdo上阅读有关PDO和准备好的声明的更多信息
Here's how I would do it:
这是我将如何做到这一点:
$pdo = new PDO(....); // some configuration parameters needed
$sql = "
UPDATE listing SET
catid=:catid, title=:title, summary=:summary,
content=:content, author=:author, keyword=:keyword
WHERE pid=:pid
";
$stmt = $pdo->prepare($sql);
$stmt->bindValue('catid', $_POST['catid']);
$stmt->bindValue('title', $_POST['title']);
$stmt->bindValue('summary', $_POST['summary']);
$stmt->bindValue('content', $_POST['content']);
$stmt->bindValue('author', $_POST['author']);
$stmt->bindValue('keyword', $_POST['keyword']);
$stmt->bindValue('pid', $pid = $_GET['id']);
$stmt->execute();
header('Location: submessage.php?id=' . $pid);
die();
Or in fact, I would use some ORM solution to make it look more like that:
或者事实上,我会使用一些ORM解决方案使它看起来更像:
$listing = Listing::getById($pid = $_GET['id']);
$listing->populate($_POST);
$listing->save();
header('Location: submessage.php?id=' . $pid);
die();
#3
Other than the usual warnings of SQL injection - very likely given your code and where you're obtaining the query parameters from (sans any kind of validation) - then it's quite possible your problem has nothing to do with the queries, particularly if it's working on subsequent attempts. Are you sure $_GET['id'] is set the first time you call the script?
除了SQL注入的通常警告 - 非常可能给出你的代码以及你从哪里获得查询参数(没有任何类型的验证) - 那么你的问题很可能与查询无关,特别是如果它正在工作在随后的尝试。你确定第一次调用脚本时是否设置了$ _GET ['id']?
Just to note, there is absolutely no reason to have to perform several update queries for each field you need to update - just combine them into a single query.
需要注意的是,绝对没有理由为您需要更新的每个字段执行多个更新查询 - 只需将它们组合到一个查询中即可。