使用PHP在MySQL數據庫

Question

更新記錄考慮：

<form action="sql5_2.php" method="POST"> 
    <h3>Update customer Record</h3> 
    <input type = "text" name ="PATNUM" placeholder ="Enter Patient number "><br> 
    <input type = "text" name ="PAT_FORENAME" placeholder ="Enter Patient Forename "><br> 
    <input type = "text" name ="PAT_SURNAME" placeholder ="Enter Patient Lastname"><br> 
    <input type = "text" name ="STREET_ADDRESS" placeholder ="Enter Address"><br> 
    <input type = "text" name ="TOWN" placeholder ="Enter Town"><br> 
    <input type = "text" name ="POST_CODE" placeholder ="Enter Postcode"><br> 
    <input type = "text" name ="AGE" placeholder ="Enter Patient Age"><br> 
    <br><input type = "submit" value ="Save"><br> 
</form> 

<?php 
    $conn = mysqli_connect ("localhost", "B00657633", "Jpr3EjPw") 
       or die ("could not connect: " . mysqli_error($conn)); 
    print "successful connection<br>"; 

    mysqli_select_db($conn, 'B00657633') or die ('db will not open'); 

    $patnum = $_POST[PATNUM]; 
    $firstname = $_POST[PAT_FORENAME]; 
    $lastname = $_POST[PAT_SURNAME]; 
    $address = $_POST[STREET_ADDRESS]; 
    $town = $_POST[TOWN]; 
    $postcode = $_POST[POST_CODE]; 
    $age = $_POST[AGE]; 

    $sql = "UPDATE patient3 SET PATNUM='$patnum', PAT_FORNAME='$firstname', STREET_ADDRESS='$address', TOWN='$town' , POST_CODE='$postcode' , AGE='$age' WHERE PATNUM= $patnum"; 

    if (mysqli_query($conn, $sql)) { 
     echo "Record updated successfully"; 
     echo '<br><a class="button" href="sql5_2.php?PATNUM=' . $patnum . '">View updated records</a><br>'; 
    } 

    mysqli_close($conn); 
?> 
</div> 

Answer 1

你的POST變量需要在單引號：

$patnum= $_POST[PATNUM];必須是$patnum= $_POST['PATNUM'];

這適用於所有。

而且where條件必須是在單引號：

$sql = "UPDATE patient3 SET PATNUM='$patnum', PAT_FORNAME='$firstname', STREET_ADDRESS='$address', TOWN='$town' , POST_CODE='$postcode' , AGE='$age' WHERE PATNUM= '$patnum'"; 

---

注意有關錯誤報告的水平。

如果在服務器上未設置錯誤報告級別以便默認捕獲它們，則不帶引號的POST陣列將是有效的。

它試圖將標識符解析爲一個常量，如果常量不存在，PHP假定標識符應該被引用。

否則，使用error_reporting(E_ALL);時，它會產生：

E_NOTICE：類型8 - 使用未定義的常量PATNUM的 - 假設 'PATNUM'

因此，它通常是最好的捕捉所有錯誤並引用POST數組。

參考：

• http://php.net/manual/en/function.error-reporting.php

Answer 2

$ _ POST是一個數組，所以使用鑰匙等作爲

$_POST['key'] = $value; 

你錯過了封閉鑰匙進入引號（'），如獲取值as

$patnum = $_POST['PATNUM']; 
$firstname = $_POST['PAT_FORENAME']; 
$lastname = $_POST['PAT_SURNAME']; 
$address = $_POST['STREET_ADDRESS']; 
$town = $_POST['TOWN']; 
$postcode = $_POST['POST_CODE']; 
$age = $_POST['AGE']; 

---

有關錯誤報告級別的注意事項。

如果在服務器上未設置錯誤報告級別以便默認捕獲它們，則不帶引號的POST陣列將是有效的。

它試圖將標識符解析爲一個常量，如果常量不存在，PHP假定標識符應該被引用。

否則，使用error_reporting(E_ALL);時，它會產生：

E_NOTICE：類型8 - 使用未定義的常量PATNUM的 - 假設 'PATNUM'

因此，它通常是最好的捕捉所有錯誤並引用POST數組。

參考：所有的

• http://php.net/manual/en/function.error-reporting.php

Answer 3

首先，認爲這是一個例如，讓你在正確的方向，而不是在生產中使用。

很重要的是要驗證用戶輸入，最低將是：

• 檢查如果一個變量被設置$_POST，試圖訪問它之前，使用isset()，empty() ...
• 驗證它包含的數據，你期望一個INT，範圍在2 - 99之間，一封電子郵件...
• 使用準備好的語句來防止SQL注入，如果不可能，至少使用mysqli_real_escape_string。

HTML表單：

<form action="sql5_2.php" method="POST"> 
    <h3>Update customer Record</h3>   
     <input type = "text" name ="PATNUM" placeholder ="Enter Patient number "><br> 
     <input type = "text" name ="PAT_FORENAME" placeholder ="Enter Patient Forename "><br> 
     <input type = "text" name ="PAT_SURNAME" placeholder ="Enter Patient Lastname"><br> 
     <input type = "text" name ="STREET_ADDRESS" placeholder ="Enter Address"><br> 
     <input type = "text" name ="TOWN" placeholder ="Enter Town"><br> 
     <input type = "text" name ="POST_CODE" placeholder ="Enter Postcode"><br> 
     <input type = "text" name ="AGE" placeholder ="Enter Patient Age"><br> 
     <br><input type = "submit" value ="Save"><br> 
</form> 

這裏的PHP sql5_2.php文件：

<?php 
// I assume this is an example, but in real life don't print errors to the client 
$conn = mysqli_connect ("localhost", "*********", "********") 
    or die ("could not connect: " . mysqli_error($conn)); 
print "successful connection<br>"; 

mysqli_select_db($conn, 'B00657633') or die ('db will not open'); 


if (!isset($_POST['PATNUM'])) 
{ 
    die("No 'Patient number' supplied"); 
} else 
{ 
    // Here validate the patient number 
    // I assume it's a natural number auto-generated by DB 
    if (1 !== @preg_match('/(^0$)|(^[1-9]{1}\d*)$/', $_POST['PATNUM'])) 
    { 
     die("Invalid 'Patient number': ".$_POST['PATNUM']); 
    } 

    $patnum = $_POST['PATNUM']; 
} 

$firstname = $lastname = $address = $town = $postcode = $age = NULL; 

// At least some basic SQL Injection prevention 
if (isset($_POST['PAT_FORENAME']) 
{ 
    $firstname= mysqli_real_escape_string($conn, $_POST['PAT_FORENAME']); 
} 

// Use the same style for the other variables 

// Example using direct query 
$sql = "UPDATE patient3 SET " 
    ." PAT_FORNAME='$firstname' " 
    ." WHERE PATNUM= $patnum"; 

if (mysqli_query($conn, $sql)) { 
    echo "Record updated successfully"; 
} else { 
    die("Record could not be updated"); 

mysqli_close($conn); 

是使用準備好的語句，請按照下面的例子：

if (!isset($_POST['PATNUM'])) 
{ 
    die("No 'Patient number' supplied"); 
} else 
{ 
    // Here validate the patient number 
    // I assume it's a natural number auto-generated by DB 
    if (1 !== @preg_match('/(^0$)|(^[1-9]{1}\d*)$/', $_POST['PATNUM'])) 
    { 
     die("Invalid 'Patient number': ".$_POST['PATNUM']); 
    } 

    $patnum = $_POST['PATNUM']; 
} 

if (!isset($_POST['PAT_FORENAME']) 
{ 
    die('No name supplied'); 
} 

$db = new mysqli('localhost', '*******', '********', 'B00657633'); 

if (mysqli_connect_errno()) { 
    printf("Connect failed: %s\n", mysqli_connect_error()); 
    die(); 
} 

$statment = $db->prepare("UPDATE patient3 SET PATNUM=? WHERE PATNUM=?"); 
if (false === $statement) 
    die(); 

if (false === $statement->bind_param('sd', $_POST['PAT_FORENAME'], $patnum)) 
    die(); 

if (false === $statement->execute()) 
    die();