How to update multiple data using PHP
I'm new here and I have a question I can't find an exact solution to myself... Here it is... I need to build a system that updates all staff information. Through this system, one employee from the HR department will enter all the staff information. I have been writing this code to update the staff information, but it doesn't seem to do what I actually want... I only want to update row by row, but it updates all the rows in the database.
<?php
session_start();
include ("includes/database.php");
include ("includes/security.php");
include ("includes/config.php");
$nama=$_SESSION["nama"];
$pwd=$_SESSION["status"];
$nama=$_POST["st_nama"];
$siri1=$_POST["st_siri"];
$siri2=$_POST["st_siri2"];
$siri3=$_POST["st_siri3"];
$jawatan=$_POST["st_jawatan"];
$gred=$_POST["st_gred"];
$gredh=$_POST["st_gredh"];
$gelaran=$_POST["st_gelaran"];
$elaun=$_POST["st_elaun"];
$id=$_GET["id"];
$dataPengguna2= mysql_query("SELECT * FROM tbl_rekod where id='$id'");
mysql_query("UPDATE tbl_rekod set st_nama='$nama', st_siri='$siri1', st_siri2='$siri2', st_siri3='$siri3', st_jawatan='$jawatan', st_gred='$gred', st_gredh='$gredh', st_gelaran='$gelaran', st_elaun='$elaun' WHERE id='$id'") or die (mysql_error());
$status = "REKOD BERJAYA DIKEMASKINI!<br/><a href = 'stafflogin.php'><strong>KEMBALI KE LAMAN UTAMA</strong></a>";
?>
This will help fix the SQL injection problem, and may also fix the "updates all rows instead of one" problem. This approach uses the PDO library in PHP. You can find more information about using PDO on the PHP site. It replaces the mysql_ set of functions, which are no longer included in current PHP versions.
// Below replaces the mysql_connect() so it requires db credentials filled in
try {
$host = 'hostname';
$db = 'databasename';
$user = 'username';
$pass = 'password';
$con = new PDO("mysql:host=$host;dbname=$db",$user,$pass, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_WARNING));
}
// This replaces the die("error message") portion of a mysql_connect() set-up
catch (Exception $e) {
$_errors['connect']['message'] = $e->getMessage();
$_errors['connect']['error_code'] = $e->getCode();
}
$nama = $_SESSION["nama"];
$pwd = $_SESSION["status"];
$nama = $_POST["st_nama"];
$siri1 = $_POST["st_siri"];
$siri2 = $_POST["st_siri2"];
$siri3 = $_POST["st_siri3"];
$jawatan = $_POST["st_jawatan"];
$gred = $_POST["st_gred"];
$gredh = $_POST["st_gredh"];
$gelaran = $_POST["st_gelaran"];
$elaun = $_POST["st_elaun"];
$id = $_GET["id"];
// You should do just a preliminary check that the id is a numeric value
// No sense in continuing if someone tries to foil the natural
// order of your code
if(is_numeric($id)) {
// The next 3 lines would be equivalent to the mysql_query("statement here")
// as well as a more robust version of mysql_real_escape_string(). It does more,
// but for sake of explanation it does that and more.
$dataPengguna2 = $con->prepare("SELECT * FROM tbl_rekod where id=:id");
// Binding parameters basically sanitizes the value being inserted into your query
$dataPengguna2->bindParam(':id',$id);
$dataPengguna2->execute();
// There is no indication of what you are doing with the select above
// Set up the update statement
$query = $con->prepare("UPDATE tbl_rekod set st_nama=:st_nama, st_siri=:st_siri, st_siri2=:st_siri2, st_siri3=:st_siri3, st_jawatan=:st_jawatan, st_gred=:st_gred, st_gredh=:st_gredh, st_gelaran=:st_gelaran, st_elaun=:st_elaun WHERE id=:id");
// Bind all the values to sanitize against injection
// You could do a function that loops through an array of values,
// but this is one way to do it manually
$query->bindParam(':st_nama',$nama);
$query->bindParam(':st_siri',$siri1);
$query->bindParam(':st_siri2',$siri2);
$query->bindParam(':st_siri3',$siri3);
$query->bindParam(':st_jawatan',$jawatan);
$query->bindParam(':st_gred',$gred);
$query->bindParam(':st_gredh',$gredh);
$query->bindParam(':st_gelaran',$gelaran);
$query->bindParam(':st_elaun',$elaun);
$query->bindParam(':id',$id);
$query->execute();
// Print out error info. There may be something of value here
// that may help you figure out why it's trying to update all your rows
// instead of just the one.
print_r($query->errorInfo());
$status = "REKOD BERJAYA DIKEMASKINI!<br/><a href = 'stafflogin.php'><strong>KEMBALI KE LAMAN UTAMA</strong></a>";
} ?>
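The answer's hint about "a function that loops through an array of values" taken one step further, as an added example that is not part of the question or the answer: one update function that whitelists column names (they cannot be bound as parameters), binds every value, validates the id as an integer, and refuses to commit unless exactly one row changed, which is the failure the question describes. It runs stand-alone against an in-memory SQLite table; the table and column names follow the question, the sample rows are constructed.

```php
<?php
// Added example, not the question's or the answer's code. In-memory SQLite so it runs offline.
$con = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$con->exec("CREATE TABLE tbl_rekod (id INTEGER PRIMARY KEY, st_nama TEXT, st_gred TEXT)");
$con->exec("INSERT INTO tbl_rekod VALUES (1, 'Ali', '41'), (2, 'Siti', '44')"); // constructed rows

// Columns HR is allowed to change. Identifiers cannot be bound with bindParam(),
// so the column names are checked against this list before they reach the SQL.
const ALLOWED_COLUMNS = ['st_nama', 'st_siri', 'st_siri2', 'st_siri3', 'st_jawatan',
                         'st_gred', 'st_gredh', 'st_gelaran', 'st_elaun'];

function updateRekod(PDO $con, $rawId, array $fields): bool
{
    // FILTER_VALIDATE_INT rejects "", "2.5" and "1e3", which is_numeric() may accept.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return false;
    }
    $set = [];
    $params = [':id' => $id];
    foreach ($fields as $col => $val) {
        if (!in_array($col, ALLOWED_COLUMNS, true)) {
            return false;                // unexpected column name: refuse the whole update
        }
        $set[] = "$col = :$col";         // column name comes from the whitelist, value is bound
        $params[":$col"] = $val;
    }
    if ($set === []) {
        return false;
    }
    $con->beginTransaction();
    $stmt = $con->prepare("UPDATE tbl_rekod SET " . implode(', ', $set) . " WHERE id = :id");
    $stmt->execute($params);             // every value travels as a bound parameter
    // The question's symptom was every row changing: enforce "exactly one row" and undo otherwise.
    if ($stmt->rowCount() !== 1) {
        $con->rollBack();
        return false;
    }
    $con->commit();
    return true;
}

var_dump(updateRekod($con, '2', ['st_nama' => "O'Brien", 'st_gred' => '48'])); // bool(true)
var_dump(updateRekod($con, '', ['st_nama' => 'x']));                           // bool(false): missing id
var_dump(updateRekod($con, '2', ['id' => 1]));                                  // bool(false): column not allowed
var_dump($con->query("SELECT st_nama FROM tbl_rekod WHERE id = 1")->fetchColumn()); // string(3) "Ali", untouched
```

An empty `$_GET["id"]` (for example a form whose action URL lost its `?id=` part) is rejected up front instead of reaching the `WHERE` clause, and the `rowCount()` check turns "wrong number of rows" into a rolled-back, visible failure rather than silently damaged data.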
I hope you aren't using this in production. SQL vulnerabilities all over. What exactly does include("includes/security.php") do? Because I don't see it.

It's to make sure the right people can get into the system... from the login page.

That means you're leaving yourself open to someone wiping your database or worse. The vulnerability @Darren is talking about is called SQL injection. Example: someone puts SQL code into a form, and you let your database run their code because you don't check the contents of $_POST. Google "SQL injection" to learn more - it can lead to very bad things.