php - 表单不会更新数据库

Question

目前，我已完成剧本的最后一关。

我知道 SQL 注入(inject)的风险，但这是一个私有(private)网站，只有 1 人可以访问表单等。

我现在的问题是，当我尝试更新数据库中的字段时，最后一页显示成功。但数据库实际上并没有更新。在你们的大力帮助下，这是我的 2 个脚本:

<?php
     session_start();
    include_once("isadmin.php");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Update Client Message</title>
<link href="loginmodule.css" rel="stylesheet" type="text/css" />
</head>
<body>
<?php
    if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) >0 ) {
        echo '<ul class="err">';
        foreach($_SESSION['ERRMSG_ARR'] as $msg) {
            echo '<li>',$msg,'</li>'; 
        }
        echo '</ul>';
        unset($_SESSION['ERRMSG_ARR']);
     }
?>
<form id="updateform" name="updateform" method="post" action="updateexec.php">
  <table width="500" border="0" align="center" cellpadding="2" cellspacing="0">
    <tr>
      <th width="200">Select User</th>
      <td>
 <?php
require_once('config.php');

    //Connect to mysql server
    $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysql_select_db(DB_DATABASE);
if(!$db) {
    die("Unable to select database");

    }


$useruploadids = mysql_query("SELECT member_id, firstname, lastname FROM members");
while ($row = mysql_fetch_assoc($useruploadids)) {
    $userid = $row['member_id']; 
    $firstname = $row['firstname'];
    $lastname = $row['lastname'];
?>
<input type="checkbox" name="userid_<?php echo $userid ?>" value="y" /><?php echo     $firstname ?><?php echo $lastname ?><br />
<?php } ?>
</td>
    </tr>
     <tr>
      <th>Message For Client </th>
      <td>
      <textarea input name="otherdeets" type="textarea" class="textfield" id="otherdeets" style="width: 356px; height: 176px">
          </textarea>
      </td>
    </tr>


    <tr>
      <td>&nbsp;</td>
          <td><input type="submit" name="Submit" value="Update" /></td>
    </tr>
  </table>
</form>
</body>
</html>

正如您所见，这是表单，现在是执行脚本:

 <?php 

 echo( "<pre>" );
 print_r( $_POST );
 echo( "</pre>" );

include ("config.php"); 
$tbl_name="members";
    //Connect to mysql server
    $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }

    //Select database
    $db = mysql_select_db(DB_DATABASE);
    if(!$db) {
        die("Unable to select database");

        }

 //This gets all the other information from the form 
 $update = $_POST['otherdeets']; 
 $id = $_POST['userid'.$row['member_id']];

 // Cycle through each member and check that it needs to be added to the db
$useruploadids = mysql_query( "SELECT member_id FROM members" );
while ($row = mysql_fetch_assoc($useruploadids))
{
    // Check that the member was sent from the last form
    if( isset( $_POST['userid_'.$row['member_id']] ) && $_POST['userid_'.$row['member_id']] == "y" )
    {


// update data in mysql database
$sql="UPDATE $tbl_name SET otherdeets='$update' WHERE member_id='$id'";
$result=mysql_query($sql);  
}
}


 if($result){
echo "Successful";
echo "<BR>";
echo "<a href='admin-welcome.php'>Admin Home</a>";
}

else {
echo "ERROR";
}
 ?> 

所以我已经经历过很多次了，但我一生都无法弄清楚出了什么问题。

字段 other deets 是 VARCHAR 如果有帮助的话？

Answer 1

您需要在表单的隐藏字段中传递$row['member_id']值

<input type="hidden" name="member_id" value="<?php echo $row['member_id']; ?>" />

所以提交页面后就可以获得member_id的值

//This gets all the other information from the form 
 $update = $_POST['otherdeets']; 
 $id = $_POST['member_id'];

希望这能帮助您解决问题。