I am creating a website where users can buy products. I have created the admin side of the site and am trying to create a page where, once logged in, the admin can update the stock level of a particular product in the phpMyAdmin database. So far I have managed to get the code to the stage where it updates my database, but not the selected product. Instead, it creates a new record containing the stock level and the price. I obtained the product ID from the previous page using the following command:
echo "<input type=hidden name=h_prodid value=".$stockid.">";
So when the admin clicks the update link, they arrive at a page containing the current details of that particular product. They then enter one or two values to update this particular product, but at the moment a new record is inserted into the database instead of the existing record being updated. See the code below.
<?php
session_start();
include("db.php");
//create a variable called $pagename which contains the actual name of the page
$pagename="Product Update Confirmation";
//call in the style sheet called mystylesheet.css to format the page as defined in the style sheet
echo "<link rel=stylesheet type=text/css href=mystylesheet.css>";
//display window title
echo "<title>".$pagename."</title>";
//include head layout
include("adminheadlayout.html");
//display the name of the site and the date dynamically. See uk.php.net
echo date ('l d F Y H:i:s');
echo "<p></p>";
include ("detectlogin.php");
//display name of the page
echo "<h2>".$pagename."</h2>";
//Capture the details entered in the form using the $_POST superglobal variable
//Store these details into a set of new variables
$newprice=$_POST['p_priceupdate'];
$newquantity=$_POST['p_quantityupdate'];
$prodid=$_POST['h_prodid'];
//If both variables are empty
if (!$newprice and !$newquantity)
{
echo "<br>Please enter a value for price and/or quantity ";
echo "<br>Go back to <a href=editstock.php>Edit Stock details</a>";
}
else
{
if (!$newprice or !$newquantity)
{
//this INSERTs a new row into the Products table (posted price, quantity and product id)
//rather than UPDATEing the existing row whose prodId matches
$productupdateSQL="insert into Products (prodPrice, proQuantity, prodId)
values ('".$newprice."', '".$newquantity."', '".$prodid."')";
$exeproductupdateSQL=mysql_query($productupdateSQL);
echo "<p><strong>Stock level updated successfully!</strong>";
}
//otherwise (both price and quantity were supplied) show an error message;
//note that no database error is actually checked here
else
{
echo "<p>Sorry there has been an error with your product update";
echo "Go back to <a href=editstock.php>Edit Stock Details</a>";
}
}
//include foot layout
include("footlayout.html");
?>
Any ideas would be greatly appreciated. I can hardly find anything related to this particular kind of problem.
1 Answer
Your script only contains an INSERT query and no UPDATE query, so it never updates an existing record.
Warning: your code is very insecure. It uses the obsolete mysql_ functions and does not escape values at all, so the code is vulnerable to SQL injection. SQL injection can lead to loss of private data and loss of data! Read about it here: http://www.unixwiz.net/techtips/sql-injection.html
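The following is an added example, not the asker's or the answerer's code, showing what the answer is asking for: the INSERT branch replaced by an UPDATE that targets the row whose prodId matches, issued as a PDO prepared statement so that none of the posted values (including the "hidden" product id, which any client can edit) ever becomes part of the SQL text. The table and column names (Products, prodId, prodPrice, proQuantity) and the POST field names come from the question; the DSN, credentials, the updateProduct and optionalNumber helpers, and PHP 8 syntax are assumptions made for this example. The session_start() and detectlogin.php checks from the question would still run before it.

```php
<?php
// Added example (not the question's code). Assumes PHP 8, PDO with the MySQL
// driver, and a Products table with columns prodId, prodPrice, proQuantity.
declare(strict_types=1);

/**
 * Update the price and/or quantity of one product.
 * Returns the number of rows changed: 0 means no row with that prodId
 * exists (or the values were already identical).
 */
function updateProduct(PDO $db, int $prodId, ?float $newPrice, ?int $newQuantity): int
{
    // Build the SET clause only from the fields the admin filled in, so a
    // blank field leaves the stored value untouched instead of zeroing it.
    $sets   = [];
    $params = [];
    if ($newPrice !== null) {
        $sets[] = 'prodPrice = :price';
        $params[':price'] = $newPrice;
    }
    if ($newQuantity !== null) {
        $sets[] = 'proQuantity = :qty';
        $params[':qty'] = $newQuantity;
    }
    if ($sets === []) {
        throw new InvalidArgumentException('Please enter a value for price and/or quantity.');
    }
    $params[':id'] = $prodId;

    // Only the fixed column names above go into the SQL text. Every value is
    // bound as a parameter, so input such as "1 OR 1=1" or
    // "'; DROP TABLE Products;--" is compared or stored as data, never run as SQL.
    $sql  = 'UPDATE Products SET ' . implode(', ', $sets) . ' WHERE prodId = :id';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

/** A blank form field means "leave unchanged"; anything else must validate. */
function optionalNumber(string $key, int $filter, array $options = []): int|float|null
{
    $raw = trim((string)($_POST[$key] ?? ''));
    if ($raw === '') {
        return null;
    }
    $value = filter_var($raw, $filter, ['options' => $options]);
    if ($value === false) {
        throw new InvalidArgumentException("Invalid value for $key.");
    }
    return $value;
}

// Connection details are placeholders for this example.
$db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shopuser', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // genuine server-side prepared statements
]);

try {
    // The hidden field is still client-controlled input: validate it like any other.
    $prodId = optionalNumber('h_prodid', FILTER_VALIDATE_INT, ['min_range' => 1]);
    if ($prodId === null) {
        throw new InvalidArgumentException('Missing product id.');
    }
    $changed = updateProduct(
        $db,
        (int)$prodId,
        optionalNumber('p_priceupdate', FILTER_VALIDATE_FLOAT, ['min_range' => 0]),
        optionalNumber('p_quantityupdate', FILTER_VALIDATE_INT, ['min_range' => 0]),
    );
    echo $changed === 1
        ? '<p><strong>Stock level updated successfully!</strong></p>'
        : '<p>No product with that id was found (or nothing changed).</p>';
} catch (InvalidArgumentException $e) {
    echo '<p>' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . '</p>';
    echo '<p>Go back to <a href="editstock.php">Edit Stock details</a></p>';
}
```

Two details worth carrying back into the page that emits the hidden field: quote and escape the attribute (`value="' . htmlspecialchars((string)$stockid, ENT_QUOTES, 'UTF-8') . '"`), since the unquoted `value=".$stockid.">` in the question breaks on any value containing a space or quote, and do not trust that field as an authorisation decision; the server should only allow updates to products the logged-in admin is entitled to change, which the login check in detectlogin.php already gates for this admin-only page.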