2014-02-19 48 views
0

PHP form is not editing MySQL table data

I have a PHP form that displays the column data of one MySQL table row inside inputs. That is, each column is placed into a separate input value. I do this because I want the user to be able to edit the column data of a specific row. The user should be able to edit one of the input values, click the submit button, and the column data of that row in the MySQL table will be changed. Currently, when I click submit, I get the error `Could not edit job position:`. This happens even if I keep the input values the same.

Here is a picture of the complete PHP page. More information: as can be seen in the photo, there is an Edit and a Delete link for each table row. The table rows represent the MySQL table rows. When the Edit link is clicked, my PHP form appears at the bottom, with inputs for the Title, Description, Model, Make, Year and Price columns. These inputs contain the values of each column of that table row.

Here is the code for my complete PHP page:

```php
<!DOCTYPE html>
<head>
<title>GBM Trailer Service Ltd. ::: Used Units Management</title>
</head>
<body>
<?php
$dbLink = new mysqli('dacom', 'ksbm', 'Kiaer', 'kabm');
if(mysqli_connect_errno()) {
    die("MySQL connection failed: ". mysqli_connect_error());
}

//Up and Down Arrow Links: PHP Code

$conn = new mysqli('dsm', 'kam', 'Kfr', 'kcm');

// if an arrow link was clicked...
if ($_GET['dir'] && $_GET['id']) {
    // make GET vars easier to handle
    $dir = $_GET['dir'];
    // cast as int and couple with switch for sql injection prevention for $id
    $id = (int) $_GET['id'];
    // decide what row we're swapping based on $dir
    switch ($dir) {
     // if we're going up, swap is 1 less than id
     case 'up':
     // make sure that there's a row above to swap
     $swap = ($id > 1)? $id-- : 1;
     break;
     // if we're going down, swap is 1 more than id
     case 'down':
     // find out what the highest row is
     $sql = "SELECT count(*) FROM used_trailers";
     $result = mysqli_query($conn, $sql) or die();
     $r = mysqli_fetch_row($result);
     $max = $r[0];
     // make sure that there's a row below to swap with
     $swap = ($id < $max)? $id++ : $max;
     break;
     // default value (sql injection prevention for $dir)
     default:
     $swap = $id;
    } // end switch $dir
    // swap the rows. Basic idea is to make $id=$swap and $swap=$id
    $sql = "UPDATE used_trailers SET orderid = CASE orderid WHEN $id THEN $swap WHEN $swap THEN $id END WHERE orderid IN ($id, $swap)";
    $result = mysqli_query($conn, $sql) or die;
} // end if GET

// set a result order with a default (sql infection prevention for $sortby)
$sortby = ($_GET['sortby'] == 'title')? $_GET['sortby'] : 'orderid';

// Delete link: PHP Code

// delete from table
if ($_GET['del'] == 'true') {
    // cast id as int for security
    $id = (int) $_GET['id'];
    // delete row from table
    $sql = "DELETE FROM used_trailers WHERE orderid = '$id'";
    $result = mysqli_query($conn, $sql) or die();
    // select the info, ordering by usort
    $sql = "SELECT orderid, title FROM used_trailers ORDER BY orderid";
    $result = mysqli_query($conn,$sql) or die();
    // initialize a counter for rewriting usort
    $job_pos_sortt = 1;
    // while there is info to be fetched...
    while ($r = mysqli_fetch_assoc($result)) {
     $job_poss = $r['orderid'];
     // update the usort number to the one in the next number
     $sql = "UPDATE used_trailers SET orderid = '$job_pos_sortt' WHERE title = '$job_poss'";
     $update = mysqli_query($conn, $sql) or die();
     // inc to next avail number
     $job_pos_sortt++;
    } // end while
} // end if del

// Connect to the database
$dbLink = new mysqli('da.com', 'am', 'aer', 'kabm');
if(mysqli_connect_errno()) {
    die("MySQL connection failed: ". mysqli_connect_error());
}

// Query for a list of all existing files
$sql = 'SELECT * FROM used_trailers ORDER BY orderid';
$result = $dbLink->query($sql);

// Check if it was successfull
if($result) {
    // Make sure there are some files in there
    if($result->num_rows == 0) {
     echo '<p>There are no files in the database</p>';
    }
    else {
     // Print the top of a table
     echo '<table width="100%" border="1">
       <tr valign="middle" align="center">';
      echo "<td>Order</td>";
      echo "<td>Title</td>";
      echo '<td valign="middle"><b>Description</b></td>
        <td valign="middle"><b>Model</b></td>
        <td valign="middle"><b>Make</b></td>
        <td valign="middle"><b>Year</b></td>
        <td valign="middle"><b>Price</b></td>
        <td valign="middle"><b>Photo 1</b></td>
        <td valign="middle"><b>Photo 2</b></td>
        <td valign="middle"><b>Photo 3</b></td>
        <td valign="middle"><b>Photo 4</b></td>
        <td valign="middle"><b>Photo 5</b></td>
        <td valign="middle"><b>PDF</b></td>
        <td valign="middle"><b>Edit/Delete</b></td>
       </tr>';

     // Print each file
     while($row = $result->fetch_assoc()) {
      echo "
       <tr valign='middle' align='center'>
        <td align = 'center' valign = 'center'><a style='color:black;' href='{$_SERVER['PHP_SELF']}?dir=up&id={$row['orderid']}'>/\</a>
        <a style='color:black;' href='{$_SERVER['PHP_SELF']}?dir=down&id={$row['orderid']}'>\/</a></td>
        <td valign='middle'>{$row['title']}</td>
        <td valign='middle'>{$row['description']}</td>
        <td valign='middle'>{$row['model']}</td>
        <td valign='middle'>{$row['make']}</td>
        <td valign='middle'>{$row['year']}</td>
        <td valign='middle'>{$row['price']}</td>
        <td valign='center'><img width=100 height=100 src=images/{$row['photo']}></td>
        <td valign='center'><img width=100 height=100 src=images/{$row['photo1']}></td>
        <td valign='center'><img width=100 height=100 src=images/{$row['photo2']}></td>
        <td valign='center'><img width=100 height=100 src=images/{$row['photo3']}></td>
        <td valign='center'><img width=100 height=100 src=images/{$row['photo4']}></td>
        <td valign='center'><a target='_blank' href='downloadfile.php?id={$row['id']}'>{$row['name']}</a></td>
        <td align = 'center' valign = 'center'><b><a href='pdfget.php?orderid={$row['orderid']}' style='color:black;'>Edit</a> <a href='{$_SERVER['PHP_SELF']}?del=true&id={$row['orderid']}' style='color:black;' onclick='return show_confirm();'>Delete</a></b></td>
       </tr>";
     }

     // Close table
     echo '</table>';
    }

    // Free the result
    $result->free();
}
else
{
    echo 'Error! SQL query failed:';
    echo "<pre>{$dbLink->error}</pre>";
}

// Close the mysql connection
$dbLink->close();
?>

<?php
if (isset($_GET["orderid"])) {
    $sn = (int)($_GET["orderid"]);
if(isset($_POST['update']))
{
$job_pos_sort = $_POST['orderid'];
$job_pos = $_POST['title'];
$job_pose = $_POST['description'];
$job_pose1 = $_POST['make'];
$job_pose2 = $_POST['model'];
$job_pose3 = $_POST['year'];
$job_pose4 = $_POST['price'];

$dbhost = 'daom';
$dbuser = 'keabm';
$dbpass = 'Kaer';
$dbname = 'keagbm';
$conn = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
if(! $conn)
{
    die('Could not connect: ' . mysqli_error());
}

$sql = "UPDATE used_trailers SET title='$job_pos', description='$job_pose', make='$job_pose1', model='$job_pose2', year='$job_pose3', price='$job_pose4' WHERE orderid=$job_pos_sort";

$retval = mysqli_query($conn, $sql);
if(! $retval)
{
    die(mysqli_error($conn) . "update failed");
}
echo "Edited job position successfully. <br />\n";
echo "Click <a style='color:black;' href='managecareers.php'>here</a> to refresh the page";

}
else
{
$job_posname = "SELECT title FROM used_trailers WHERE orderid = $sn";
$query=mysqli_query($conn, $job_posname);
$array=mysqli_fetch_assoc($query);
$job_posname=stripslashes($array['title']);

$job_posname1 = "SELECT description FROM used_trailers WHERE orderid = $sn";
$query=mysqli_query($conn, $job_posname1);
$array=mysqli_fetch_assoc($query);
$job_posname1=stripslashes($array['description']);

$job_posname2 = "SELECT make FROM used_trailers WHERE orderid = $sn";
$query=mysqli_query($conn, $job_posname2);
$array=mysqli_fetch_assoc($query);
$job_posname2=stripslashes($array['make']);

$job_posname3 = "SELECT model FROM used_trailers WHERE orderid = $sn";
$query=mysqli_query($conn, $job_posname3);
$array=mysqli_fetch_assoc($query);
$job_posname3=stripslashes($array['model']);

$job_posname4 = "SELECT year FROM used_trailers WHERE orderid = $sn";
$query=mysqli_query($conn, $job_posname4);
$array=mysqli_fetch_assoc($query);
$job_posname4=stripslashes($array['year']);

$job_posname5 = "SELECT price FROM used_trailers WHERE orderid = $sn";
$query=mysqli_query($conn, $job_posname5);
$array=mysqli_fetch_assoc($query);
$job_posname5=stripslashes($array['price']);
?>

<div align="center">
<p style="position:relative; left:-11px;">Edit Job Position</p>
<form method="post" action="">
<table width="400" border="0" cellspacing="1" cellpadding="2">
<tr>
<td><input name="job_pos_sort" type="hidden" id="job_pos_sort" value="<?php echo $sn;?>"></td>
</tr>
<tr>
<td width="100" style="color:white;">Job Position:</td>
<td><input name="job_pos" type="text" id="job_pos" value="<?php echo $job_posname;?>"><span id="measure"></span></td>
<td><input name="description" type="text" id="description" value="<?php echo $job_posname1;?>"></td>
<td><input name="make" type="text" id="make" value="<?php echo $job_posname2;?>"></td>
<td><input name="model" type="text" id="model" value="<?php echo $job_posname3;?>"></td>
<td><input name="year" type="text" id="year" value="<?php echo $job_posname4;?>"></td>
<td><input name="price" type="text" id="price" value="<?php echo $job_posname5;?>"></td>
</tr>
<tr>
<td width="100"> </td>
<td> </td>
</tr>
<tr>
<td width="100"> </td>
<td>
<input name="update" type="submit" id="update" value="Edit">
</td>
</tr>
</table>
</form>
</div>
<?php
}
}
else {
}
?>
</body>
</html>
```

All help is greatly appreciated. Thank you for any help.

+0

I don't know whether it is actually causing this problem, but you forgot to put single quotes in the SQL query. So it should be `title='$job_pos'`. You also forgot this in the later queries, but for some reason it was done in the first one. – Mainz007

Answer

0

You need to put quotes around the data in the query:

```php
$sql = "UPDATE used_trailers SET title='$job_pos', description='$job_pose', make='$job_pose1', model='$job_pose2', year='$job_pose3', price='$job_pose4' WHERE orderid=$job_pos_sort";
```

Also, you should escape any database parameters coming from your input, or they will break your query: mysqli_real_escape_string() for MySQL or pg_escape_string() for Postgres:

```php
// procedural mysqli_real_escape_string() takes the open connection as its first argument
$job_pos_sort = mysqli_real_escape_string($conn, $_POST['orderid']);
$job_pos = mysqli_real_escape_string($conn, $_POST['title']);
$job_pose = mysqli_real_escape_string($conn, $_POST['description']);
$job_pose1 = mysqli_real_escape_string($conn, $_POST['make']);
$job_pose2 = mysqli_real_escape_string($conn, $_POST['model']);
$job_pose3 = mysqli_real_escape_string($conn, $_POST['year']);
$job_pose4 = mysqli_real_escape_string($conn, $_POST['price']);
```
+0

I still get the same error. I have updated the code in my question to what I currently have. I don't want to use `mysqli_real_escape_string()` because I plan to convert this code from mysqli to MSSQL once I get it working properly. – Kelsey

+0

Nice SQL injection vulnerability you've got there – Phil

+0

It looks like `$conn` may not be a valid database connection - the way it is created, it is not tested the way `$dbLink` is. Did you mean to use two different databases and connections? –
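Pulling the answer and the three comments together, here is the update branch rewritten as an added example (not the asker's or the answerers' code): the connection is checked, the handler reads the field names the form in the question actually posts (`job_pos_sort`, `job_pos`, not `orderid`/`title`), and the values go in as bound parameters of a prepared statement, which sidesteps both the quoting problem and the injection Phil points out and ports to MSSQL unchanged in principle. The host, user, password and database are placeholders.

```php
<?php
// Added example, not from the question or answer. Connection values are placeholders.
$conn = mysqli_connect('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
if (!$conn) {
    // mysqli_connect_error() takes no argument; mysqli_error() needs a live connection
    die('Could not connect: ' . mysqli_connect_error());
}

if (isset($_POST['update'])) {
    // Read exactly the names the form in the question posts. The original read
    // $_POST['orderid'] and $_POST['title'], which the form never sends, so the
    // WHERE clause was empty and the UPDATE failed even with unchanged values.
    $orderid = filter_input(INPUT_POST, 'job_pos_sort', FILTER_VALIDATE_INT);
    if ($orderid === false || $orderid === null) {
        die('Invalid order id');
    }
    $fields = [];
    foreach (['job_pos', 'description', 'make', 'model', 'year', 'price'] as $name) {
        $fields[$name] = isset($_POST[$name]) ? trim($_POST[$name]) : '';
    }

    // Values travel as bound parameters, never inside the SQL text, so no quoting
    // or escaping is needed and user input cannot change the statement.
    $sql = 'UPDATE used_trailers
            SET title = ?, description = ?, make = ?, model = ?, year = ?, price = ?
            WHERE orderid = ?';
    $stmt = mysqli_prepare($conn, $sql);
    if (!$stmt) {
        die('Prepare failed: ' . mysqli_error($conn));
    }
    mysqli_stmt_bind_param(
        $stmt, 'ssssssi',
        $fields['job_pos'], $fields['description'], $fields['make'],
        $fields['model'], $fields['year'], $fields['price'], $orderid
    );
    if (!mysqli_stmt_execute($stmt)) {
        die('Update failed: ' . mysqli_stmt_error($stmt));
    }
    // MySQL reports 0 affected rows both when no row matched and when the
    // submitted values were identical to the stored ones, so treat 0 as "nothing changed".
    $rows = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    echo ($rows > 0) ? 'Edited job position successfully.' : 'Nothing changed.';
}
```

When the edit form is rendered, the stored values should go through htmlspecialchars() before being echoed into the input value attributes, since the listing table and form in the question print column data into HTML unescaped.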