Php: Using ajax to update the database from a form loaded into a div
I have USER.PHP, which loads USERDETAIL.PHP inside it. In USERDETAIL.PHP there is an update form (the text field values are fetched from MySQL). When I press the update button, nothing happens.
user.php
<html>
<a href="#" onClick="permintaanAJAX('profil.php')">My Profile</a>
</html>
userdetail.php
<?php
include "session-s.php";
$username = $_SESSION['username'];
$koneksi_database = mysql_connect("localhost","root","");
if (!$koneksi_database)
{
die('Failed ' . mysql_error());
}
mysql_select_db("fff", $koneksi_database);
$query_dari_db= mysql_query("SELECT * FROM user where code_user='$username'");
if (isset($_POST['submit']))
{
$usql = "Update user set email='".$_POST['txtemail']."' where code_user='".$_POST['txtcode']."'";
$updatedata = mysql_query($usql,$koneksi_database);
print("<br><br><br> <font face = verdana size=2>You have updated your profile");
echo message.alert("aa");
}
while($baris = mysql_fetch_array($query_dari_db))
{
?>
<form action="" method="post">
<table border="0">
<tr>
<td><img src=uploads/".$baris['attach']." width=100 height=100/>
<td>
<table border="0">
<tr>
<td>Kode User</td>
<td><input type="text" name="txtkode" value="<?php echo $baris['code_user'];?>" /></td>
</tr>
<tr><td>Nama</td>
<td><input type="text" name="txtnama" value="<?php echo $baris['name'];?>" /></td>
</tr>
<tr><td>Alamat</td>
<td><input type="text" name="txtalamat" value="<?php echo $baris['adds'];?>" /></td>
</tr>
<tr><td>No Telepon</td>
<td><input type="text" name="txttelp" value="<?php echo $baris['phone'];?>" /></td>
</tr>
<tr><td>Email</td>
<td><input type="text" name="txtemail" value="<?php echo $baris['email'];?>" /></td>
</tr>
<tr><td>Status</td>
<td><input type="text" name="txtstatus" value="<?php echo $baris['status'];?>" disabled /></td>
</tr>
<tr><td>Attachment<td><input name="uploadedfile1" type="file" size=50 maxlength=50>
<tr><th colspan=2 align=right><td><input type="submit" name="submit" value="Submit"></th>
</tr>
</table>
</table>
</form>
<?php
}
mysql_close($koneksi_database);
?>
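You have SQL injection and XSS.
@LawrenceCherone Is this code vulnerable to SQL injection and XSS?
I could write a script that posts alert('Some nice JS!') into $_POST['txtemail'], and you then output the value $baris['email'] directly. That is XSS.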
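The SQL injection and XSS points raised in the comments above, as an added example that is not part of the original question or its comments: the update binds its values as parameters and keys the row on the session user rather than a posted field, and the stored e-mail is escaped before it goes into the `value` attribute. Assumptions: PDO with an in-memory SQLite database stands in for the question's MySQL connection, the function names are hypothetical, and the sample rows and input are constructed.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the question's MySQL table, so this runs offline.
function demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE user (code_user TEXT PRIMARY KEY, email TEXT)');
    $pdo->exec("INSERT INTO user VALUES ('u001', 'old@example.com'), ('u002', 'other@example.com')");
    return $pdo;
}

// Update the e-mail of the logged-in user only. The row key comes from the
// session, never from the form, and both values are bound as parameters.
function update_email(PDO $pdo, string $sessionUser, string $email): int {
    $stmt = $pdo->prepare('UPDATE user SET email = :email WHERE code_user = :code');
    $stmt->execute([':email' => $email, ':code' => $sessionUser]);
    return $stmt->rowCount();
}

// Escape a value for use inside a quoted HTML attribute.
function attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the e-mail input the way the form does, but with the value escaped.
function render_email_field(PDO $pdo, string $sessionUser): string {
    $stmt = $pdo->prepare('SELECT email FROM user WHERE code_user = :code');
    $stmt->execute([':code' => $sessionUser]);
    $email = (string) $stmt->fetchColumn();
    return '<input type="text" name="txtemail" value="' . attr($email) . '" />';
}

$pdo = demo_db();
// Constructed input containing the characters that break the original code:
// a single quote (SQL string), a double quote and angle brackets (HTML).
$posted = "o'hara@example.com\"><b>alert('Some nice JS!')</b>";

$changed = update_email($pdo, 'u001', $posted);
echo "rows changed: $changed\n";
echo render_email_field($pdo, 'u001'), "\n";
// The other user's row is untouched.
echo $pdo->query("SELECT email FROM user WHERE code_user = 'u002'")->fetchColumn(), "\n";
```

The value is stored exactly as typed and escaped only at output time, so the same escaping applies to every other field the form echoes back.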