1. 首頁
  2. 問答
  3. 創建表單編輯功能php

創建表單編輯功能php

2013-07-29 99 views
1

我創建了一個函數來顯示錶格的內容。這是功能:創建表單編輯功能php

function query_tabel ($sql){ 
    $query = $sql; 
    $result = mysql_query($query); 
    $kolomen_tellen = mysql_num_fields($result); 
    if (!$result) { 
     die("Error Query: " . mysql_error()); 
    } 
    print "<table border=1>\n"; 

     print "<tr>"; 
      for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++) 
      { 
       $fieldname = mysql_field_name($result, $column_num); 
       print "<TH>$fieldname</TH>"; 
      } 
      print "</tr>"; 

    while ($row = mysql_fetch_row($result)) { 
     print ("<TR>"); 
     for  ($column_num = 0; $column_num < $kolomen_tellen; $column_num++) 
      print ("<TD>$row[$column_num]</TD>\n"); 
     print ("</TR>\n"); 
    } 
    print "</table>";

它的工作,並可以在任何時間在任何文件中調用該函數。 但我想要另一個創建帶輸入字段的編輯表單的函數。

這是我的第一稿:

function query_tabel_edit ($sql, $filename){ 
    $query = $sql; 
    $result = mysql_query($query); 
    $kolomen_tellen = mysql_num_fields($result); 
    if (!$result) { 
     die("Error Query: " . mysql_error()); 
    } 
    print "<table class=edit>\n"; 

     print "<tr>"; 
      for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++) 
      { 
       $fieldname = mysql_field_name($result, $column_num); 
       print "<TH class=edit>$fieldname</TH>"; 
      } 
      print "</tr>"; 

    while ($row = mysql_fetch_row($result)) { 
     print "<form action=$filename method=post>"; 
     print ("<TR>"); 
     for  ($column_num = 0; $column_num < $kolomen_tellen; $column_num++) 
      print ("<TD class=edit> <input class=edit type=text name=$row[$column_num] value=$row[$column_num] </TD>\n"); 
      print ("<TD class=edit> <input class=edit type=submit name=update value=edit> <TD>\n"); 
     print ("</TR>\n"); 
    } 
    print "</table>"; 
}

所以我添加編輯鏈接,就像一個魅力,但如何和我在哪裏創建並把SQL行修改的記錄?

任何想法如何創建此編輯sql語句,我需要把數據sql行放在我的函數或調用該函數的PHP文件中的某處?

來源

2013-07-29 Ralph Schipper

+3

* PSA:*本'mysql_ *'功能已廢棄在PHP 5.5](http://php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated) 。不建議您編寫新的代碼,因爲這會阻止您將來升級。相反,請使用[MySQLi](http://php.net/manual/en/book.mysqli.php)或[PDO](http://php.net/manual/en/book.pdo.php)和[是一個更好的PHP開發人員](http://jason.pureconcepts.net/2012/08/better-php-developer/)。 –

回答

0

你可以或多或少地這樣做。這很難使其完全靈活,因爲您需要知道如何構建您的更新聲明。這意味着您必須知道要更新哪個表以及哪些字段。你不能依賴HTML表單中的內容,因爲有人可能會僞造一個僞造的表單併發布非法字段名稱,從而使你面臨攻擊。

我認爲做這件事的最好方法是存儲關於在用戶會話中更新的表和字段的信息,但由於我不知道你是否瞭解會話,所以我把它留在這裏現在。

請注意,我已經使用了mysql函數,因爲您正在使用它們,我不想強​​迫您更改該函數,但它們已被棄用,並且強烈建議您更改爲mysqli或PDO。

使用mysqli你也可以使用預處理語句。但這也是我留給你閱讀文檔中的東西。

我與你的代碼相比最重要的變化是我使用了mysql_fetch_array,它返回一個也包含字段名稱作爲鍵的值數組。這樣,您可以使用這些名稱進行編輯,並且可以在您的$_POST數據中找到這些名稱。從那裏開始,你應該能夠多一點拼圖來讓它工作。

<?php 

// This is how to do it in a single script: Check if a value is posted and 
// act on it. 
// If you have separate scripts, you don't actually need this, although it's 
// still a good idea to thoroughly check the input to your scripts to prevent 
// attacks from malicious users. 

if (array_key_exists('id', $_POST) 
{ 
    // Post data found. Update record. 

    // Assuming id is an integer, I int-cast it. If it's not, make sure to 
    // properly escape it or you'll be vulnerable to SQL injection attacks! 
    $id = (int)$_POST['id']; 

    // You will need to validate if the posted field names are valid. You can 
    // do this by specifying a list of updatable fields and then check if the 
    // posted values are in that list. 
    // You could also run query to get the field names from the database, so 
    // so you will have more flexibility. 
    // You can also store the fields to be updated in the session of the user 
    // That will save you a query, but you'll have to read about sessions as well. 
    $updatableFields = array('firstname', 'lastname'); 

    foreach ($_POST as $fieldname => $value) 
    { 
    // Validate the field names! You don't want field names that don't 
    // exist, or your query will break. Also, it will make you vulnerable 
    // to SQL injection attacks. 
    if (array_search($fieldname, $updatableFields) !== false) 
    { 
     $value = mysql_real_escape_string($value); 
     $update[] = "$fieldname = '$value'"; 
    } 
    } 
    $sql = 'UPDATE YourTable SET ' . implode($update) . " WHERE id = $id"; 
    // Execute statement. 
} 
else 
{ 
    // Query your database here 
    // <<code omitted>> 

    // Show edit form 
    while ($row = mysql_fetch_array($result)) 
    { 
    foreach ($row as $fieldname => $value) 
    { 
     $value = htmlspecialchars($value); 
     $type = 'text'; 
     // Store the id in an hidden input, so you know which row to update. 
     if ($fieldname == 'id') 
     { 
     $type = 'hidden'; 
     } 
    ?> 
    <label for="<?=$fieldname?>"><?=$fieldname?></label> 
    <input type="<?=$type?>" id="<?=$fieldname?>" name="<?=$fieldname?>" value="<?=$value?>"> 
    <?php 
    } 
    ?> 
    <input type="submit" value="save"> 
    <?php 
    } 

}

來源

2013-07-29 20:04:18 GolezTrol

相關問題

 相關問題