1. 首頁
  2. 問答
  3. 如何更新多行並防止SQL注入?

如何更新多行並防止SQL注入?

2013-09-22 20 views
0 
<?php 
if (isset($_POST["submit"])) { 

    foreach($_POST["id"] AS $id) { 
     $may_tc_s1 = mysql_real_escape_string($_POST["may_tc_s1"][$id]); 
     $may_ac_s1 = mysql_real_escape_string($_POST["may_ac_s1"][$id]); 
     $jun_tc_s1 = mysql_real_escape_string($_POST["jun_tc_s1"][$id]); 
     $jun_ac_s1 = mysql_real_escape_string($_POST["jun_ac_s1"][$id]); 
     $jul_tc_s1 = mysql_real_escape_string($_POST["jul_tc_s1"][$id]); 
     $jul_ac_s1 = mysql_real_escape_string($_POST["jul_ac_s1"][$id]); 
     $aug_tc_s1 = mysql_real_escape_string($_POST["aug_tc_s1"][$id]); 
     $aug_ac_s1 = mysql_real_escape_string($_POST["aug_ac_s1"][$id]); 
     $sep_tc_s1 = mysql_real_escape_string($_POST["sep_tc_s1"][$id]); 
     $sep_ac_s1 = mysql_real_escape_string($_POST["sep_ac_s1"][$id]); 
     $oct_tc_s1 = mysql_real_escape_string($_POST["oct_tc_s1"][$id]); 
     $oct_ac_s1 = mysql_real_escape_string($_POST["oct_ac_s1"][$id]); 
     $nov_tc_s1 = mysql_real_escape_string($_POST["nov_tc_s1"][$id]); 
     $nov_ac_s1 = mysql_real_escape_string($_POST["nov_ac_s1"][$id]); 
     $s1_t1 = mysql_real_escape_string($_POST["s1_t1"][$id]); 
     $s1_t2 = mysql_real_escape_string($_POST["s1_t2"][$id]); 
     $s1_t3 = mysql_real_escape_string($_POST["s1_t3"][$id]); 

     $update = " UPDATE `attendence` SET 
     `may_tc_s1` = '$may_tc_s1', 
     `may_ac_s1` = '$may_ac_s1', 
     `jun_tc_s1` = '$jun_tc_s1', 
     `jun_ac_s1` = '$jun_ac_s1', 
     `jul_tc_s1` = '$jul_tc_s1', 
     `jul_ac_s1` = '$jul_ac_s1', 
     `aug_tc_s1` = '$aug_tc_s1', 
     `aug_ac_s1` = '$aug_ac_s1', 
     `sep_tc_s1` = '$sep_tc_s1', 
     `sep_ac_s1` = '$sep_ac_s1', 
     `oct_tc_s1` = '$oct_tc_s1', 
     `oct_ac_s1` = '$oct_ac_s1', 
     `nov_tc_s1` = '$nov_tc_s1', 
     `nov_ac_s1` = '$nov_ac_s1', 
     `s1_t1` = '$s1_t1', 
     `s1_t2` = '$s1_t2', 
     `s1_t3` = '$s1_t3' 
     WHERE `idatten` =$id LIMIT 1 ; "; 
     mysql_query($update) or die(mysql_error()); 
    } 
} 

$sql = "SELECT * FROM attendence WHERE branch = 'cs' AND attendence.semester=1 ORDER BY attendence.rollno"; 
$res = mysql_query($sql) or die(mysql_error()); 
if (mysql_num_rows($res) > 0) { 

    echo '<form method="post">'; 
    echo' <table border="1" align="center">'; 
    echo' <tr>'; 
    echo' <th><div align="center">ID</div></th>'; 
    echo' <th><div align="center">Student Name</div></th>'; 
    echo' <th><div align="center">Roll No</div></th>'; 
    echo' <th colspan="2"><div align="center">May</div></th>'; 
    echo' <th colspan="2"><div align="center">Jun</div></th>'; 
    echo' <th colspan="2"><div align="center">Jul</div></th>'; 
    echo' <th colspan="2"><div align="center">Aug</div></th>'; 
    echo' <th colspan="2"><div align="center">Sep</div></th>'; 
    echo' <th colspan="2"><div align="center">Oct</div></th>'; 
    echo' <th colspan="2"><div align="center">Nov</div></th>'; 
    echo' <th><div align="center">T1</div></th>'; 
    echo' <th><div align="center">T2</div></th>'; 
    echo' <th><div align="center">T3</div></th>'; 
    echo' </tr>'; 
    echo' <tr>'; 
    echo' <th><div align="center"></div></th>'; 
    echo' <th><div align="center"></div></th>'; 
    echo' <th><div align="center"></div></th>'; 
    echo' <th><div align="center">TC</div></th>'; 
    echo' <th><div align="center">AC</div></th>'; 
    echo' <th><div align="center">TC</div></th>'; 
    echo' <th><div align="center">AC</div></th>'; 
    echo' <th><div align="center">TC</div></th>'; 
    echo' <th><div align="center">AC</div></th>'; 
    echo' <th><div align="center">TC</div></th>'; 
    echo' <th><div align="center">AC</div></th>'; 
    echo' <th><div align="center">TC</div></th>'; 
    echo' <th><div align="center">AC</div></th>'; 
    echo' <th><div align="center">TC</div></th>'; 
    echo' <th><div align="center">AC</div></th>'; 
    echo' <th><div align="center">TC</div></th>'; 
    echo' <th><div align="center">AC</div></th>'; 
    echo' <th><div align="center"></div></th>'; 
    echo' <th><div align="center"></div></th>'; 
    echo' <th><div align="center"></div></th>'; 
    echo' </tr>'; 
    while ($row = mysql_fetch_assoc($res)) { 
    echo' <tr>'; 
    echo' <td>'.$row["idatten"] . '</td>'; 
    echo' <td>'.$row["username"] . '</td>'; 
    echo' <td>'.$row["rollno"] .'</td>'; 
    echo' <td><input size="2" type="text" name="may_tc_s1[' . $row["idatten"] . ']" value="' . $row["may_tc_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="may_ac_s1[' . $row["idatten"] . ']" value="' . $row["may_ac_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="jun_tc_s1[' . $row["idatten"] . ']" value="' . $row["jun_tc_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="jun_ac_s1[' . $row["idatten"] . ']" value="' . $row["jun_ac_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="jul_tc_s1[' . $row["idatten"] . ']" value="' . $row["jul_tc_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="jul_ac_s1[' . $row["idatten"] . ']" value="' . $row["jul_ac_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="aug_tc_s1[' . $row["idatten"] . ']" value="' . $row["aug_tc_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="aug_ac_s1[' . $row["idatten"] . ']" value="' . $row["aug_ac_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="sep_tc_s1[' . $row["idatten"] . ']" value="' . $row["sep_tc_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="sep_ac_s1[' . $row["idatten"] . ']" value="' . $row["sep_ac_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="oct_tc_s1[' . $row["idatten"] . ']" value="' . $row["oct_tc_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="oct_ac_s1[' . $row["idatten"] . ']" value="' . $row["oct_ac_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="nov_tc_s1[' . $row["idatten"] . ']" value="' . $row["nov_tc_s1"] . '"></td>'; 
    echo' <td><input size="2" type="text" name="nov_ac_s1[' . $row["idatten"] . ']" value="' . $row["nov_ac_s1"] . '"></td>';  
    echo' <td><input size="4" type="text" name="s1_t1[' . $row["idatten"] . ']" value="' . $row["s1_t1"] . '"></td>'; 
    echo' <td><input size="4" type="text" name="s1_t2[' . $row["idatten"] . ']" value="' . $row["s1_t2"] . '"></td>'; 
    echo' <td><input size="4" type="text" name="s1_t3[' . $row["idatten"] . ']" value="' . $row["s1_t3"] . '"></td>'; 
    echo' <input type="hidden" name="id[]" value="' . $row["idatten"] . '">'; 
    echo' </tr>'; 
    echo' <tr>'; 
    }} 
    echo' <td colspan="20"><div align="center"> <input type="submit" onblur="t1()" name="submit" value="Update Record"></div></td>'; 
    echo' </tr>'; 
    echo' </table>'; 
    echo '</form>'; 
?> 
<!-- End of cs1_s1 ---></div>

這是我上傳多個記錄的代碼。它的工作正常,但必須把所有的桌子都放在裏面,如果只有那麼麻煩的話。因爲我有多個頁面要做,並且這種類型的編碼是安全的,因爲如果它是如何使其安全的話,它很容易發生sql注入或其他任何事情。我需要在同一頁面上有七個表,但如果我放置所有七個表,它會彈出一個錯誤數據庫找不到。那麼我如何在同一頁面上調用7到8個。如何更新多行並防止SQL注入?

來源

2013-09-22 user2774977

+1

您的更新查詢很好。其次爲什麼你使用PHP製作整個表格?在html中製作表格,並在其中嵌入php。用這種方法你在PHP中的回聲將不需要。在你的HTML **​​<?php echo $ row [「idatten」]?> ** –

+0

但你能告訴我如何做plz,因爲我是新手 – user2774977

+0

看起來很安全,但非常容易出錯,低可維護性。表列是否修復?你能簡要描述一下這個系統是什麼嗎?所以我們可以幫助你如何提高它的效率。什麼是TC/AC? S1/S2是學期? –

回答

0

創建一個test.php頁面,在其中粘貼此代碼。

<form method="post"> 
<table border="1" align="center">'; 
<tr> 
<th><div align="center">ID</div></th> 
<th><div align="center">Student Name</div></th> 
<th><div align="center">Roll No</div></th> 
</tr> 

<?php 
while ($row = mysql_fetch_assoc($res)) { 
?> 
<tr> 
<td><?php echo $row["idatten"]; ?> </td> 
<td><?php echo $row["username"]; ?> </td> 
<td><?php echo $row["rollno"]; ?> </td> 
</tr> 
<?php 
} 
?> 
</table> 
</form>

來源

2013-09-22 03:45:33

相關問題

 相關問題