2016-04-12 35 views
1

Users can edit their location through an edit form on my website. Update the row if it exists, or if it doesn't, based on user_id.

Some users may not have entered a location yet, so I need the query to create a row and insert the user's user_id and username along with the location data they submitted.

I've been struggling after trying REPLACE INTO and multiple INSERT queries; obviously I'm not getting it right.

My code:

require("includes/common.php");

if(empty($_SESSION['user']))
{
    header("Location: index.php");
    die("Redirecting to index.php");
}

$uid = $_SESSION['user']['id'];

$location_city    = $_POST['location_city'];
$location_county  = $_POST['location_county'];
$location_country = $_POST['location_country'];

// query: user_id is bound as a parameter as well, not interpolated into the SQL string
$sql = "UPDATE locations
        SET location_county=?, location_city=?, location_country=?
        WHERE user_id=?";
$q = $db->prepare($sql);
$q->execute(array($location_county, $location_city, $location_country, $uid));
header("Location: edit-account.php");
die("Redirecting to edit-account.php");

Note that I have the username and user_id, which I'm trying to pass to the database table via pre-filled hidden fields, along with the other POST variables in the code above, to insert the data.

The code above works as it should for a simple update, where I had manually created a user record in the locations table for testing purposes, by replacing the value in location_city.

Update: there are two options to proceed rather than closing this - 1) create the entry in the registration form, so that no row needs to be inserted when editing the location if one doesn't exist. 2) Create a new row if one doesn't exist.

My registration code

<?php 

    // First we execute our common code to connect to the database and start the session 
    require("includes/common.php"); 

    // This if statement checks to determine whether the registration form has been submitted 
    // If it has, then the registration code is run, otherwise the form is displayed 
    if(!empty($_POST)) 
    { 
     // Ensure that the user has entered a non-empty username 
     if(empty($_POST['username'])) 
     { 
      // Note that die() is generally a terrible way of handling user errors 
      // like this. It is much better to display the error with the form 
      // and allow the user to correct their mistake. However, that is an 
      // exercise for you to implement yourself. 
      die("Please enter a username."); 
     } 

     // Ensure that the user has entered a non-empty password 
     if(empty($_POST['password'])) 
     { 
      die("Please enter a password."); 
     } 

     // Make sure the user entered a valid E-Mail address 
     // filter_var is a useful PHP function for validating form input, see: 
     // http://us.php.net/manual/en/function.filter-var.php 
     // http://us.php.net/manual/en/filter.filters.php 
     if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) 
     { 
      die("Invalid E-Mail Address"); 
     } 

     // We will use this SQL query to see whether the username entered by the 
     // user is already in use. A SELECT query is used to retrieve data from the database. 
     // :username is a special token, we will substitute a real value in its place when 
     // we execute the query. 
     $query = " 
      SELECT 
       1 
      FROM users 
      WHERE 
       username = :username 
     "; 

     // This contains the definitions for any special tokens that we place in 
     // our SQL query. In this case, we are defining a value for the token 
     // :username. It is possible to insert $_POST['username'] directly into 
     // your $query string; however doing so is very insecure and opens your 
     // code up to SQL injection exploits. Using tokens prevents this. 
     // For more information on SQL injections, see Wikipedia: 
     // http://en.wikipedia.org/wiki/SQL_Injection 
     $query_params = array( 
      ':username' => $_POST['username'] 
     ); 

     try 
     { 
      // These two statements run the query against your database table. 
      $stmt = $db->prepare($query); 
      $result = $stmt->execute($query_params); 
     } 
     catch(PDOException $ex) 
     { 
      // Note: On a production website, you should not output $ex->getMessage(). 
      // It may provide an attacker with helpful information about your code. 
      die("Failed to run query: " . $ex->getMessage()); 
     } 

     // The fetch() method returns an array representing the "next" row from 
     // the selected results, or false if there are no more rows to fetch. 
     $row = $stmt->fetch(); 

     // If a row was returned, then we know a matching username was found in 
     // the database already and we should not allow the user to continue. 
     if($row) 
     { 
      die("This username is already in use"); 
     } 

     // Now we perform the same type of check for the email address, in order 
     // to ensure that it is unique. 
     $query = " 
      SELECT 
       1 
      FROM users 
      WHERE 
       email = :email 
     "; 

     $query_params = array( 
      ':email' => $_POST['email'] 
     ); 

     try 
     { 
      $stmt = $db->prepare($query); 
      $result = $stmt->execute($query_params); 
     } 

     catch(PDOException $ex) 
     { 
      die("Failed to run query: " . $ex->getMessage()); 
     } 

     $row = $stmt->fetch(); 

     if($row) 
     { 
      die("This email address is already registered"); 
     } 

     // An INSERT query is used to add new rows to a database table. 
     // Again, we are using special tokens (technically called parameters) to 
     // protect against SQL injection attacks. 
     $query = " 
      INSERT INTO users ( 
       username, 
       password, 
       salt, 
       email 
      ) VALUES ( 
       :username, 
       :password, 
       :salt, 
       :email 
      ) 
     "; 

     // A salt is randomly generated here to protect against brute force attacks 
     // and rainbow table attacks. The following statement generates a hex 
     // representation of an 8 byte salt. Representing this in hex provides 
     // no additional security, but makes it easier for humans to read. 
     // random_bytes() reads from the operating system's CSPRNG; mt_rand() is not a 
     // cryptographic generator and must not be used to produce salts. 
     // For more information: 
     // http://en.wikipedia.org/wiki/Salt_%28cryptography%29 
     // http://en.wikipedia.org/wiki/Brute-force_attack 
     // http://en.wikipedia.org/wiki/Rainbow_table 
     $salt = bin2hex(random_bytes(8)); 

     // This hashes the password with the salt so that it can be stored securely 
     // in your database. The output of this next statement is a 64 byte hex 
     // string representing the 32 byte sha256 hash of the password. The original 
     // password cannot be recovered from the hash. For more information: 
     // http://en.wikipedia.org/wiki/Cryptographic_hash_function 
     $password = hash('sha256', $_POST['password'] . $salt); 

     // Next we hash the hash value 65536 more times. The purpose of this is to 
     // protect against brute force attacks. Now an attacker must compute the hash 65537 
     // times for each guess they make against a password, whereas if the password 
     // were hashed only once the attacker would have been able to make 65537 different 
     // guesses in the same amount of time instead of only one. 
     for($round = 0; $round < 65536; $round++) 
     { 
      $password = hash('sha256', $password . $salt); 
     } 

     // Here we prepare our tokens for insertion into the SQL query. We do not 
     // store the original password; only the hashed version of it. We do store 
     // the salt (in its plaintext form; this is not a security risk). 
     $query_params = array( 
      ':username' => $_POST['username'], 
      ':password' => $password, 
      ':salt' => $salt, 
      ':email' => $_POST['email'] 
     ); 

     try 
     { 
      // Execute the query to create the user 
      $stmt = $db->prepare($query); 
      $result = $stmt->execute($query_params); 
     } 
     catch(PDOException $ex) 
     { 
      // Note: On a production website, you should not output $ex->getMessage(). 
      // It may provide an attacker with helpful information about your code. 
      die("Failed to run query: " . $ex->getMessage()); 
     } 

     // This redirects the user back to the login page after they register 
     header("Location: login.php"); 

     // Calling die or exit after performing a redirect using the header function 
     // is critical. The rest of your PHP script will continue to execute and 
     // will be sent to the user if you do not die or exit. 
     die("Redirecting to login.php"); 
    } 

?> 
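The registration script above hand-rolls its password storage (a salt plus 65537 rounds of SHA-256) and relies on a SELECT before the INSERT to keep usernames and emails unique. The following is an added example, not part of the question's tutorial code, showing how a reviewer would rewrite the same insert today: password_hash() replaces the salt column and the hashing loop, and a UNIQUE index on users.username and users.email becomes the authoritative uniqueness check, because two simultaneous registrations can both pass the SELECT and only the database can reject the second INSERT. It assumes `$db` is a PDO connection opened by includes/common.php with ERRMODE_EXCEPTION, that the users table has UNIQUE(username) and UNIQUE(email), and that the password column is wide enough (VARCHAR(255)) to hold a password_hash() string; the function names register_user and check_login are mine.

```php
<?php
// Added example (not the tutorial's own code). Assumes includes/common.php provides
// $db as a PDO connection with PDO::ERRMODE_EXCEPTION, and that users has
// UNIQUE(username) and UNIQUE(email). Column names are the ones from the tutorial
// minus the salt column, which password_hash() makes unnecessary.
require("includes/common.php");

// Returns null on success, or an error message for the user.
function register_user(PDO $db, $username, $password, $email)
{
    if ($username === '' || $password === '') {
        return "Please enter a username and password.";
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return "Invalid E-Mail Address";
    }

    // Friendly early check, one round trip. It is NOT the security boundary:
    // a concurrent request can insert the same username between this SELECT
    // and our INSERT, which is why the UNIQUE index below must exist.
    $stmt = $db->prepare("SELECT 1 FROM users WHERE username = :username OR email = :email");
    $stmt->execute(array(':username' => $username, ':email' => $email));
    if ($stmt->fetch()) {
        return "That username or email address is already registered.";
    }

    // password_hash() draws a random salt from a CSPRNG and encodes the algorithm,
    // cost and salt into the returned string, so nothing else needs to be stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    try {
        $stmt = $db->prepare("INSERT INTO users (username, password, email)
                              VALUES (:username, :password, :email)");
        $stmt->execute(array(
            ':username' => $username,
            ':password' => $hash,
            ':email'    => $email,
        ));
    } catch (PDOException $ex) {
        // SQLSTATE 23000 = integrity constraint violation: the UNIQUE index
        // caught a duplicate that slipped past the SELECT above.
        if ($ex->getCode() == '23000') {
            return "That username or email address is already registered.";
        }
        // Log the real message server-side; never echo it to the browser.
        error_log("registration insert failed: " . $ex->getMessage());
        return "Registration failed, please try again later.";
    }
    return null;
}

// Login-side counterpart: no manual salting and no loop, password_verify() reads
// the algorithm, cost and salt back out of the stored hash string.
function check_login(PDO $db, $username, $password)
{
    $stmt = $db->prepare("SELECT password FROM users WHERE username = :username");
    $stmt->execute(array(':username' => $username));
    $row = $stmt->fetch();
    return $row !== false && password_verify($password, $row['password']);
}

if (!empty($_POST)) {
    $error = register_user(
        $db,
        (string)($_POST['username'] ?? ''),
        (string)($_POST['password'] ?? ''),
        (string)($_POST['email'] ?? '')
    );
    if ($error !== null) {
        die($error);
    }
    header("Location: login.php");
    die("Redirecting to login.php");
}
```

If the tutorial's existing rows (sha256 + salt column) must keep working, check_login can fall back to the old scheme for rows whose password does not look like a password_hash() string and rehash them with password_hash() on the first successful login; the example above assumes a fresh users table.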
+0

Are there any errors? Turn on error reporting... – Naruto

+0

Isn't it possible to create a record in the locations table when the account is created, and leave it empty if the user hasn't entered anything for the location? When you need to update it, you just update instead of trying to insert. – SGR

+0

An empty row is useless until the user submits location data. Inserting a new row would be the preferred approach. – scottevans93

Answers

0

I've managed to solve my problem using REPLACE INTO; the final code is below for reference:

$user_id          = $_POST['user_id'];
$username         = $_POST['username'];
$location_city    = $_POST['location_city'];
$location_county  = $_POST['location_county'];
$location_country = $_POST['location_country'];

// query: every value is a bound parameter; nothing from $_POST is concatenated into the SQL.
// REPLACE INTO only acts as an upsert if locations has a PRIMARY KEY or UNIQUE index on
// user_id, and it deletes the existing row before inserting the new one.
// Note: user_id and username taken from hidden form fields are client-controlled; a user
// can edit them and overwrite another user's row. $_SESSION['user']['id'] is the safer source.
$sql = "REPLACE INTO locations (user_id, username, location_city, location_county, location_country)
        VALUES (?, ?, ?, ?, ?)";
$q = $db->prepare($sql);
$q->execute(array($user_id, $username, $location_city, $location_county, $location_country));
header("Location: edit-account.php");
die("Redirecting to edit-account.php");
0

If you want to insert a new row, it should look like this:

$sql = "INSERT INTO locations
        SET location_county=?, location_city=?, location_country=?, user_id=?";
$q = $db->prepare($sql);
$q->execute(array($location_county, $location_city, $location_country, $uid)); // $uid from the session, as in the question

Of course, this query should only run the first time the user submits location data. It would also be wise to check whether a row already exists for the user's username and id before inserting a new row.

+0

Even in PDO? I would just insert afterward, if the update can't match the user_id –

+0

Well, the logic you choose is up to you. There are many ways – scottevans93
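Both answers above reach the same goal, either by REPLACE INTO or by an INSERT guarded with an existence check, and the comments debate where to do the check. The following is an added example, not code from the question or from either answerer, showing the form a reviewer would ask for: the user's identity comes from the session rather than from hidden form fields (a hidden user_id can be edited in the browser and would let one user overwrite another user's row), every value is a bound parameter, and MySQL's INSERT ... ON DUPLICATE KEY UPDATE does the update-or-insert atomically in one statement, so there is no SELECT-then-INSERT race and, unlike REPLACE INTO, the existing row is updated in place rather than deleted and re-created. It assumes `$db` is a PDO connection to MySQL/MariaDB from includes/common.php, that locations has a PRIMARY KEY or UNIQUE index on user_id, and that the username was stored in `$_SESSION['user']['username']` at login; table and column names are the ones from the question.

```php
<?php
// Added example (not the question's or answers' code). Assumes includes/common.php
// provides $db as a PDO connection with PDO::ERRMODE_EXCEPTION, that locations has
// a UNIQUE or PRIMARY KEY on user_id, and that login stored id and username in the
// session. Column names are the ones from the question.
require("includes/common.php");

if (empty($_SESSION['user'])) {
    header("Location: index.php");
    die("Redirecting to index.php");
}

// Identity comes from the server-side session, never from a hidden form field.
$uid      = $_SESSION['user']['id'];
$username = $_SESSION['user']['username']; // assumed to be set at login

// Only the location fields come from the form; a missing field becomes an
// empty string instead of raising a PHP notice.
$location_city    = $_POST['location_city']    ?? '';
$location_county  = $_POST['location_county']  ?? '';
$location_country = $_POST['location_country'] ?? '';

// Upsert the user's location row. VALUES(col) refers to the value that would
// have been inserted, so the UPDATE branch reuses the bound parameters.
function save_location(PDO $db, $uid, $username, $city, $county, $country)
{
    $sql = "INSERT INTO locations (user_id, username, location_city, location_county, location_country)
            VALUES (:user_id, :username, :city, :county, :country)
            ON DUPLICATE KEY UPDATE
                username         = VALUES(username),
                location_city    = VALUES(location_city),
                location_county  = VALUES(location_county),
                location_country = VALUES(location_country)";

    // Every value is bound; nothing from $_POST is concatenated into $sql.
    $stmt = $db->prepare($sql);
    $stmt->execute(array(
        ':user_id'  => $uid,
        ':username' => $username,
        ':city'     => $city,
        ':county'   => $county,
        ':country'  => $country,
    ));
    // rowCount() is 1 for a fresh insert, 2 for an update of an existing row,
    // 0 when the existing row already held identical values.
    return $stmt->rowCount();
}

try {
    save_location($db, $uid, $username, $location_city, $location_county, $location_country);
} catch (PDOException $ex) {
    // Log the real message server-side; do not show it to the user.
    error_log("locations upsert failed for user $uid: " . $ex->getMessage());
    die("Could not save your location.");
}

header("Location: edit-account.php");
die("Redirecting to edit-account.php");
```

This removes the need for either a separate existence check or a row created at registration: the UNIQUE index on user_id is what makes the statement an update for users who already have a row and an insert for those who do not. On other databases the equivalent is `INSERT ... ON CONFLICT (user_id) DO UPDATE` (PostgreSQL/SQLite) or `MERGE`.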
