<?php
$host = "localhost";
$user = "root";
$pass = "pass";
$db = "table";
$connect=mysql_connect($host, $user, $pass) or die(mysql_error());
mysql_select_db($db, $connect) or die(mysql_error());
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
$username = trim($_POST["username"]);
$res = mysql_query("SELECT id, username, email, ip FROM users WHERE username='". mysql_real_escape_string($username) . "'");
$arr = mysql_fetch_assoc($res);
$user_id = $arr['id'];
$user_name = $arr['username'];
$user_email = $arr['email'];
$user_ip = $arr['ip'];
$res = mysql_query("UPDATE users SET enabled=no WHERE id=$user_id") or mysql_error();
}
?>
<form method="post" action="">
<input type="text" size="40" name="username">
<tr><td colspan="2"><input type="submit" class="btn" value='send'></td></tr>
</form>
該腳本不執行:$res = mysql_query("UPDATE users SET enabled=no WHERE id=$user_id") or mysql_error();
PHP的MySQL更新
有什麼不對?
如果id列是我懷疑單引號$ user_ID的整數你不需要單引號括起來的user_id $ – 2011-04-19 12:21:59
... 你確定? – PHP 2011-04-19 12:22:27
的確如此,但這是最好的實踐 - 如果它在引號內並且你轉義了變量,它可以防止SQL注入 – fin1te 2011-04-19 12:22:34