2016-12-05 54 views
0

我有一個簡單的html表單頁面,需要更新2列值,其中'Some_DB_Table'.id =用戶輸入的id號碼。不過,我有點困擾如何使用預處理語句來避免SQL注入。使用PHP中的表單值更新MySQL DB行

我的代碼:

HTML:

<form id="workorderMovement" name='workorderMovement_form' action="workordermovementGET.php" method="post"> 



<fieldset id="userid"> 

    <span>Welcome <?php echo $user ?> </span> 

</fieldset> 




<fieldset id="sgnum"> 

<fieldset id="fieldset" style="text-align: center;"> 
    <span>Please enter the SG Number</span> 
</fieldset> 

<input type="text" name="sgnumber" id="sgnumber"> &nbsp;&nbsp;&nbsp; <input type="button" name="searchButton" id="searchButton" value="SEARCH"> 

</fieldset> 


<br/> 
<br/> 



<fieldset id="stageSelectField"> 

    <fieldset id="fieldset" style="text-align: center;"> 
    <span>Please select the Stage Completed</span> 
    </fieldset> 

<select name="stageSelect" id="stageSelect"> 
    <option value="Please Select">Please Select</option> 
    <option value="Film Done">Film Done</option> 
    <option value="Staged Done">Staged Done</option> 
    <option value="Cleanroom Done">Cleanroom Done</option> 
    <option value="GB2 Done">GB2 Done</option> 
    <option value="Bagging Done">Bagging Done</option> 
    <option value="Inspection Done">Inspection Done</option> 
    <option value="LC Done">LC Inspection Done</option> 
    <option value="IGU Done">IGU Done</option> 
</select> 

</fieldset> 


<br/> 
<br/> 


<fieldset id="floorNotesField"> 

    <fieldset id="fieldset" style="text-align: center;"> 
    <span>Please enter any new work order notes</span> 
    </fieldset> 

    <textarea type="text" name="floorNotes" id="floorNotes" class="floorNotesText"></textarea> 

</fieldset> 


<br/> 
<br/> 
<br/> 

</form> <!-- End Work Order Movement Form --> 

<fieldset id="doneButtonField"> 

    <input type="button" name="doneButton" id="doneButton" value="DONE"> 

</fieldset> 

MY AJAX:

j("#doneButton").click(function(){ 


//send Workorder Movement Data values to php using ajax. 

var sgnumber = j('#sgnumber').val(); 
var stageselect = j('#stageSelect').val(); 
var floornotes = j('#floorNotes').val(); 
j.ajax ({ 
    method: 'POST', 
    url: "workordermovementUPDATE.php", 
    data: {sgNumber: sgnumber, stageSelect: stageselect, floorNotes: floornotes}, 
    dataType: 'json', 
    success: function(data){ 
     alert(data); 
    } 
    }); 

}); 

我的PHP:

<?php 


include('inc.php'); 


//Get Table Options. 
if (isset($_POST['sgNumber'])) { 
    $sgNumber = $_POST['sgNumber']; 

    if (isset($_POST['stageSelect'])) { 
     $stageSelect=$_POST['stageSelect']; 
    } 
    if (isset($_POST['floorNotes'])) { 
     $floorNotes=$_POST['floorNotes']; 
    } 

    //connect to the database 
    $conn = new mysqli($servername, $username, $password, $dbname); 

    // Check connection 
    if(mysqli_connect_errno()) { 
     printf('Could not connect: ' . mysqli_connect_error()); 
     exit(); 
    } 

    $conn->select_db($dbname); 

    if(! $conn->select_db($dbname)) { 
     echo 'Could not select database. '.'<BR>'; 
    } 

    $sql= "UPDATE invoices SET productionstage = ".$stageSelect.", floornotes = ".$floorNotes." WHERE id = ?"; 
    $stmt = $conn->prepare($sql); 
    $stmt->bind_param('i', $sgNumber); 
    $stmt->execute(); 
    $stmt->store_result();  

    if(mysqli_query($conn, $stmt)){ 
     echo "".$sgnumber." Updated Successfully!"; 
    } else { 
     echo "ERROR: Could not update ".$sgnumber."".mysqli_error($conn).""; 
    } 


//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// 


//Free the result variable. 
$result->free(); 


//Close the Database connection. 
$conn->close(); 

}//End If statement 

?> 

這是正確的/有什麼建議?

謝謝!

+1

由於您正在準備事情並進行「bind_param」調用,我不確定您是如何完全錯過了爲所有**放置佔位符的船,而不僅僅是一些任意值。在那裏做什麼'$ stageSelect'?用'?'替換所有內容並綁定這些值。 – tadman

+0

@tadman所以像這樣:$ sql =「更新發票SET productionstage =?,floornotes =?WHERE id =?'然後執行$ stmt-> bind_param('我',$ sgNumber,$ stageSelect,$ floorNotes);?我不知道如何執行bind_param部分以避免SQL注入更新表時只是從中選擇數據。 – rdimouro

回答

2

如果您仔細閱讀the documentation on bind_param,您會發現需要指定每個參數的類型。通常這不是什麼大問題:

$stmt = $conn->prepare(
    "UPDATE invoices SET productionstage=?,floornotes=? WHERE id = ?" 
); 
$stmt->bind_param('ssi', $stageSelect, $floorNotes, $sgNumber); 

儘量避免爲語句創建中間變量。這通常會導致您無意中運行錯誤查詢的情況。

+0

所以我測試了這樣的更新和我的productionstage列正確更新,但floornotes沒有。floornotes列類型是文本,所以我已經設置我的param_bind類型爲's'像這樣:'ssi'和我的實際文本只是說'測試「,但是當我重做搜索時,該字段返回空,我可以在數據庫中看到該行的列也是空的,我也沒有收到任何錯誤......列productionstage的數據類型是'varchar '。我可以在param_bind和列類型的文本中遇到問題嗎? – rdimouro

+1

非常感謝!我解決了這個問題。原來我的代碼編輯器和我的服務器有通信困難,阻止了我的一些編輯通過服務器進行修復,一切正常。 – rdimouro