How do I update a SQL database with form data using PHP?

Tags: php, html, sql

How do I get the HTML form POST data to go after the = sign?

```php
$tsql = "UPDATE dbo.[order]
SET status=''
WHERE order_ID='' ";
```
All POST data is stored in $_POST. Put $_POST['dataname'] in there:

```php
SET status='".$_POST['dataname']."'
```

would be the appropriate replacement.


POST data can be retrieved using the $_POST superglobal, like so:
```php
.... " SET status = '{$_POST['form_field_name']}'";
```
However, I recommend using prepared statements wherever possible. Putting form data directly into the SQL statement is bad practice and can lead to security problems.

You should use prepared statements, like so:
```php
// $dbConnection is assumed to be an existing mysqli connection (new mysqli(...))

// Store the form data in variables
$status = $_POST['status_field'];
$order_ID = $_POST['order_ID_field'];

// If you're not going to use prepared statements AT LEAST do this
// Not a necessary step if using prepared statements
$sanitized_status = mysqli_real_escape_string($dbConnection, $status);
$sanitized_order_ID = mysqli_real_escape_string($dbConnection, $order_ID);

// Prepare the SQL
// When the script is run, the database will compile this statement first
$stmt = $dbConnection->prepare('UPDATE table_name SET status = ? WHERE order_ID = ?');

// Parameters are bound to the COMPILED statement, not the string
// 's' = string for status, 'i' = integer for order_ID
$stmt->bind_param('si', $sanitized_status, $sanitized_order_ID);
$stmt->execute();
```
The key is that the form data is bound to the compiled statement, not to the SQL string itself. Read more about prepared statements in the excellent resource below.

Reference:
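A complete handler for the form submission, as an added example that is not from the original question or answers. It uses PDO rather than the answer's mysqli, assumes form fields named `status` and `order_ID`, the question's table `dbo.[order]` (SQL Server syntax; under MySQL the identifier would be quoted with backticks instead), and an existing PDO connection `$db`; the whitelist of status values is a constructed assumption. It goes one step beyond the answer: the input is validated before it is bound, because binding only stops a value from changing the structure of the statement, it does not stop an arbitrary string from being written into the table.

```php
<?php
// Added example, not code from the original post. Assumed names: form fields
// `status` and `order_ID`, table dbo.[order] from the question, a PDO
// connection $db created by the caller, and the status whitelist below.
declare(strict_types=1);

// Whitelist of legal order states (constructed assumption). Checking it
// before the query keeps junk out of the table; the prepared statement below
// keeps the query's structure fixed no matter what the value contains.
const ALLOWED_STATUSES = ['new', 'paid', 'shipped', 'cancelled'];

/**
 * Validate the raw $_POST array. Returns ['status' => string, 'order_ID' => int]
 * or null when a field is missing or malformed.
 */
function readOrderUpdateForm(array $post): ?array
{
    $status  = $post['status'] ?? null;
    $orderId = $post['order_ID'] ?? null;

    if (!is_string($status) || !in_array($status, ALLOWED_STATUSES, true)) {
        return null;
    }
    // order_ID must be a positive integer; anything else ("12abc", "1 OR 1=1",
    // an empty string) is rejected here rather than passed to the database.
    $id = filter_var($orderId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    return ['status' => $status, 'order_ID' => $id];
}

/**
 * UPDATE dbo.[order] with a prepared statement. The SQL text contains only
 * placeholders; the values are sent separately and typed, so a quote inside
 * $status is just a character in the data, not part of the statement.
 * Returns the number of rows updated (0 when no such order_ID exists).
 */
function updateOrderStatus(PDO $db, string $status, int $orderId): int
{
    $stmt = $db->prepare('UPDATE dbo.[order] SET status = ? WHERE order_ID = ?');
    $stmt->bindValue(1, $status, PDO::PARAM_STR);
    $stmt->bindValue(2, $orderId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// For contrast, the concatenated form from the comments builds the statement
// from the raw field, so the field's contents become SQL text:
//   "UPDATE dbo.[order] SET status='" . $_POST['status'] . "' WHERE ..."
// The prepared version above is the replacement for that line.

// --- Request handling -------------------------------------------------------
// $db is assumed to be an existing PDO connection with
// PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, e.g.
//   new PDO('sqlsrv:Server=HOST;Database=DB', $user, $pass)   // SQL Server
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $form = readOrderUpdateForm($_POST);
    if ($form === null) {
        http_response_code(400);
        exit('Invalid status or order ID');
    }
    $rows = updateOrderStatus($db, $form['status'], $form['order_ID']);
    echo $rows === 1 ? 'Order updated' : 'No matching order';
}
```

The validation step and the prepared statement do different jobs: `readOrderUpdateForm` decides whether the request is acceptable at all, and `updateOrderStatus` guarantees that whatever reaches the database cannot alter the statement. Neither step replaces the other.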
Learn basic PHP, maybe?

Careful out there...... Maybe that's a good word, I'm working on it. Sorry for the stupid question :)

@Alex_TCD No question is a stupid question!

Like this: $tsql = "UPDATE dbo.[order] SET status='".$_POST['status']."' WHERE order_ID='".$_POST['order_ID']."'";

If those are the fields in the HTML, then yes.

This worked. It's just an intranet project with only a few employees, so I didn't feel the need to sanitize it.