This is the code that displays the data (registos.php). I can't figure out what is wrong in my update code.

<?php
// registos.php: lists every row of `formando2` as an editable form row
$con = mysqli_connect('localhost', 'root', '');
if (!$con) {
    die('Could not connect: ' . mysqli_connect_error());
}
mysqli_select_db($con, 'databaseteste');
$result = mysqli_query($con, "SELECT * FROM `formando2`");
if (!$result) {
    printf("Error: %s\n", mysqli_error($con));
    exit();
}
echo "<table class='mainmenu' border='1' width='100%'>
<caption><h1>Registos</h1></caption>
<tr>
  <th>Primeiro Nome</th>
  <th>Ultimo Nome</th>
  <th>Numero C.C</th>
  <th>Numero contribuinte</th>
  <th>Email</th>
  <th>Morada</th>
  <th>Código postal</th>
</tr>";
while ($row = mysqli_fetch_assoc($result)) {
    // each row is rendered as its own edit form; the <form> is opened inside <tr> and never closed
    echo "<tr><form action='update.php' method='post'>";
    echo "<td><input type='text' name='pname' value='" . $row['PrimeiroNome'] . "'></td>";
    echo "<td><input type='text' name='sname' value='" . $row['UltimoNome'] . "'></td>";
    echo "<td><input type='text' name='bi' value='" . $row['NumeroBI'] . "'></td>";
    echo "<td><input type='text' name='contri' value='" . $row['NumeroContribuinte'] . "'></td>";
    echo "<td><input type='text' name='email' value='" . $row['Email'] . "'></td>";
    echo "<td><input type='text' name='morada' value='" . $row['Morada'] . "'></td>";
    echo "<td><input type='text' name='cpostal' value='" . $row['CodigoPostal'] . "'></td>";
    // hidden primary key so update.php knows which row to change
    echo "<td><input type='hidden' name='id' value='" . $row['idformando2'] . "'></td>";
    echo "<td><input type='submit'></td>";
    echo "</tr>";
}
echo "</table>";
?>
And this is the update code (update.php), which I think is where the problem is.

<?php
// update.php: writes the submitted form fields back to the row identified by id
$con = mysqli_connect('localhost', 'root', '');
if (!$con) {
    die('Could not connect: ' . mysqli_connect_error());
}
mysqli_select_db($con, 'databaseteste');
// the POST values are interpolated straight into the SQL string
$update = "update `formando2`
set PrimeiroNome='$_POST[pname]',
UltimoNome='$_POST[sname]',
NumeroBI='$_POST[bi]',
NumeroContribuinte='$_POST[contri]',
Email='$_POST[email]',
Morada='$_POST[morada]',
CodigoPostal='$_POST[cpostal]'
where idformando2='$_POST[id]'";
if (mysqli_query($con, $update)) {
    header("refresh:1; url=registos.php");
} else {
    printf("Error: %s\n", mysqli_error($con));
}
?>
When I submit, it redirects me to the update.php page and then back to registos.php again, but the data stays the same.

[Screenshot: Registo Screen]
[Screenshot: Post update]
Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). –
You make no effort to check whether all those `$_POST` values actually exist – RiggsFolly
@AbdullaNilam Yes it does, look at the hidden field at the end of the form – RiggsFolly
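The following is a hardened update.php written as an added example (not the asker's code) that applies the two points raised in the comments: every expected field is checked for presence, and the query is a prepared statement so form input can never alter the SQL. It assumes the same database, table and form field names as the question, and it assumes the form markup has been fixed so that each submission carries exactly one row's fields: a `<form>` opened inside `<tr>` and never closed is invalid HTML, browsers attach every row's inputs to the first form, and PHP then only receives the last row's values.

```php
<?php
// update.php, hardened: added example, not the asker's code. Assumes the same
// database 'databaseteste', table `formando2` and column/field names as the question.
$con = mysqli_connect('localhost', 'root', '', 'databaseteste');
if (!$con) {
    die('Could not connect: ' . mysqli_connect_error());
}

// Refuse the request unless every field the form is supposed to send is present.
$fields = ['pname', 'sname', 'bi', 'contri', 'email', 'morada', 'cpostal', 'id'];
foreach ($fields as $f) {
    if (!isset($_POST[$f])) {
        http_response_code(400);
        exit('Missing field: ' . htmlspecialchars($f));
    }
}
// The row id must be a plain integer; anything else is rejected before touching the DB.
if (!ctype_digit($_POST['id'])) {
    http_response_code(400);
    exit('Invalid id');
}

// Prepared statement: the values travel separately from the SQL text, so quotes
// or SQL fragments typed into the form fields cannot change the query's structure.
$sql = "UPDATE `formando2`
        SET PrimeiroNome = ?, UltimoNome = ?, NumeroBI = ?, NumeroContribuinte = ?,
            Email = ?, Morada = ?, CodigoPostal = ?
        WHERE idformando2 = ?";
$stmt = mysqli_prepare($con, $sql);
if (!$stmt) {
    exit('Prepare failed: ' . htmlspecialchars(mysqli_error($con)));
}
mysqli_stmt_bind_param($stmt, 'sssssssi',
    $_POST['pname'], $_POST['sname'], $_POST['bi'], $_POST['contri'],
    $_POST['email'], $_POST['morada'], $_POST['cpostal'], $_POST['id']);

if (mysqli_stmt_execute($stmt)) {
    header('refresh:1; url=registos.php');
    // affected_rows shows whether the WHERE clause matched a row and changed it,
    // which is the first thing to check when "the data stays the same".
    echo mysqli_stmt_affected_rows($stmt) === 0
        ? 'No row was changed (unknown id, or the values were identical).'
        : 'Row updated.';
} else {
    printf("Error: %s\n", htmlspecialchars(mysqli_stmt_error($stmt)));
}
mysqli_stmt_close($stmt);
mysqli_close($con);
?>
```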