douchuang8359 2013-10-24 18:39
浏览 56
已采纳

用户更新MySQL数据库条目的PHP表单

I'm trying to allow users to add new records and update existing fields in a MySQL database using a PHP form.

I've built the form and users can add new records, but when I modify the $add function to use UPDATE instead of INSERT INTO, it uses the values that have been entered into the form to update all of the records instead of just the one that has been edited.

The full code is here: http://pastebin.com/s0TBUYgK

The UPDATE query that I've tried to replace the INSERT INTO query on line 20 with is:

$add = "UPDATE albums SET name = '$name', artist = '$artist', year = '$year'";
  • 写回答

2条回答 默认 最新

  • dsvyc66464 2013-10-24 18:43
    关注

    You don't have a where clause to restrict the update to just the one record being editted, e.g...

    UPDATE albums SET .... WHERE id=$id;
                       ^^^^^^^^^^^^

    Remember that sql tends to be the sort of thing where "the less you specify, the more you get".

    Given that sort of elementary error, I'm going to guess that you've also done NO sanitization and escaping on the data in $name, $artist, and $year, meaning your code is vulnerable to SQL injection attacks.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 HFSS 中的 H 场图与 MATLAB 中绘制的 B1 场 部分对应不上
  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?