php 更新其中 id=$id
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/8313213/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Update where id=$id
提问by Geme
I have this query to submit data into the database:
我有这个查询将数据提交到数据库中:
$sql = "UPDATE table SET user='$user', name='$name' where id ='$id'";
the id will be obtained via url EX localhost/index.php?id=123
id 将通过 url EX 获得 localhost/index.php?id=123
$id=$_GET['id']
The query will not work correctly; the data will not update. If I write :
查询将无法正常工作;数据不会更新。如果我写:
$sql = "UPDATE table SET user='$user', name='$name' where id ='123'";
It works fine.
它工作正常。
If I echo the ID it will show the correct result, 123.
如果我回显 ID,它将显示正确的结果,123.
Where is the problem?
问题出在哪儿?
回答by Your Common Sense
run ALL your queries the way you can get the error message along with erroneous query.
so, at least this way
以获取错误消息和错误查询的方式运行所有查询。
所以,至少这样
$sql = "UPDATE table SET user='$user', name='$name' where id ='$id'";
$res = mysql_query($sql) or trigger_error(mysql_error()." in ".$sql);
and it will tell you where is the problem.
它会告诉你问题出在哪里。
It is WAY more convenient, precise and faster than asking questions here.
它比在这里提问更方便、准确和快捷。
回答by Marc B
I'm guessing your problem is mal-formed SQL due to unescaped data interpolation - an SQL injection hole.
我猜您的问题是由于未转义的数据插值导致的格式错误的 SQL - SQL 注入漏洞。
What does your actual generated query look like? Not the code that creates the sql (which you've got above), but the actual SQL afterthe variables are inserted?
您实际生成的查询是什么样的?不是创建 sql 的代码(上面有),而是插入变量后的实际 SQL ?
I'm guessing it'll look something like this:
我猜它看起来像这样:
UPDATE table SET user='fred', name='O'Brien' where id='123';
^--unescaped quote
causing a syntax error.
导致语法错误。
If you're running the query like this:
如果您像这样运行查询:
$result = mysql_query($sql);
then change it to be
然后将其更改为
$result = mysql_query($sql) or die(mysql_error());
so you'll immediately get feedback if the query fails for any reason.
因此,如果查询因任何原因失败,您将立即获得反馈。
And then read up about SQL injectionholes
然后阅读有关SQL 注入漏洞的信息
回答by nageeb
Without getting into the issue of how bad it is to pull data right from the GET array, I'd start by suggesting you properly escape your variables. I assume ID is an integer, so there's no need for singlequotes around it.
在不涉及直接从 GET 数组中提取数据有多糟糕的问题的情况下,我首先建议您正确地转义变量。我假设 ID 是一个整数,所以不需要在它周围加上单引号。
$sql = "UPDATE table SET user='".$user."', name='".$name."' where id=".$id;
See if that works.
看看这是否有效。
回答by vikas
TableName should be there ....you have not used table name in your query..Echo the $sql and then try executing in phpmyadmin.
TableName 应该在那里......你没有在你的查询中使用表名......回显 $sql 然后尝试在 phpmyadmin 中执行。
回答by Oldskool
First of all, you're wide open to SQL Injection attacks if you do it like this. Anyone can just alter the part after id= to anything they like and modify your database with that.
首先,如果你这样做,你就会对 SQL 注入攻击持开放态度。任何人都可以将 id= 之后的部分更改为他们喜欢的任何内容,并以此修改您的数据库。
Secondly, I see you pass an id to the script, but where does it determine the $userand $namevalues? Seems like your code posted is incomplete.
其次,我看到您将 id 传递给脚本,但它在哪里确定$user和$name值?似乎您发布的代码不完整。
