Fatal编程技术网
  • php/
  • 如何在php mysql中记录页面的所有更新

如何在php mysql中记录页面的所有更新

php mysql model-view-controller

如何在php mysql中记录页面的所有更新,php,mysql,model-view-controller,Php,Mysql,Model View Controller,在我的项目中,我有一个产品添加页面,它有一个编辑选项 添加的产品详细信息将转到mysql数据库中的产品表 我想记录所有的编辑,包括它编辑的时间和用户 我是通过创建一个表product的副本来完成的,该表名为product\u updated 每当编辑产品时,该产品的产品表值将存储在product\u updated表中,并随时间和用户更新 然后用新值更新产品表 我是在php mvc框架中完成的。我的模型具有以下功能 这是可行的,但当产品名称包含“符号时会显示一些错误 正确的方法是什么 funct

在我的项目中,我有一个产品添加页面,它有一个编辑选项

添加的产品详细信息将转到mysql数据库中的产品表

我想记录所有的编辑,包括它编辑的时间和用户

我是通过创建一个表product的副本来完成的,该表名为
product\u updated

每当编辑产品时,该产品的产品表值将存储在
product\u updated
表中,并随时间和用户更新

然后用新值更新产品表

我是在php mvc框架中完成的。我的模型具有以下功能

这是可行的,但当产品名称包含
符号时会显示一些错误

正确的方法是什么

function product_edit_save($id = 0,$user_id) {


  $query=  $this->db->query("SELECT * FROM product WHERE product_id = $id");
  $result = $this->db->fetch_object($query);

    foreach ($result as $row) {

      $this->db->query("INSERT INTO product_updated SET product_id=$row->product_id,product_code = '$row->product_code', product_name =' $row->product_name', product_category = $row->product_category, 
     product_subcategory = $row->product_subcategory, product_supplier = ' $row->product_supplier', product_generic = $row->product_generic, 
         product_manufacturer  =$row->product_manufacturer,product_image = '$row->product_image', product_combination = $row->product_combination, product_package =$row->product_package,
             product_desc = '$row->product_desc', product_type = '$row->product_type', product_division = '$row->product_division',
                 product_chemical_name='$row->product_chemical_name',product_updatetime=now(),product_update_user=$user_id,product_banned=$row->product_banned", true);

    }

    $validate_form = true;
    $validate_error = array();
    $return['status'] = false;
    $return['message'] = '';

    if ($_POST) {

        $code = isset($_POST['code']) ? $_POST['code'] : '';
        $name = isset($_POST['name']) ? $_POST['name'] : '';
        $category = isset($_POST['category']) ? $_POST['category'] : '';
        $sub_category = isset($_POST['sub_category']) ? $_POST['sub_category'] : '';
        $generic = isset($_POST['generic']) ? $_POST['generic'] : '';
        $manufacturer = isset($_POST['manufacturer']) ? $_POST['manufacturer'] : '';
        $combination = isset($_POST['combination']) ? $_POST['combination'] : '';
        $package = isset($_POST['package']) ? $_POST['package'] : '';
        $desc = isset($_POST['desc']) ? $_POST['desc'] : '';
        $type = isset($_POST['type']) ? $_POST['type'] : '';
        $division = isset($_POST['division']) ? $_POST['division'] : '';
        $chemicalname = isset($_POST['chemicalname']) ? $_POST['chemicalname'] : '';
        $ban = isset($_POST['ban']) ? $_POST['ban'] : 0;

        if (isset($_POST['supplier'])) {
            $supplier = $_POST['supplier'];
        } else {
            $supplier = array();
        }



        if ($code == "") {
            $validate_error[] = "Code";
            $validate_form = false;
        } else {
            $esc_id = $this->db->escape($id);
            $esc_code = $this->db->escape($code);

            if ($this->db->num_rows($this->db->query("SELECT product_code FROM product WHERE product_code = $esc_code AND product_id != $esc_id")) != 0) {
                $validate_error[] = "Code Duplication";
                $validate_form = false;
            }
        }

        if ($name == "") {
            $validate_error[] = "Name";
            $validate_form = false;
        }


        if ($category == "-1") {
            $validate_error[] = "Category";
            $validate_form = false;
        }


        if ($manufacturer == "-1") {
            $validate_error[] = "Manufacturer";
            $validate_form = false;
        }


        if ($validate_form) {

            $esc_filename = $this->db->escape('');
            $isimage = "";
            if (isset($_FILES['image']['name'])) {

                $this->library('upload');
                $image = $this->library['upload']->image($_FILES['image'], UPLOAD, '180');

                if ($image['status'] == 0) {
                    $validate_error[] = 'image ( ' . $image['message'] . ' )';
                    $validate_form = false;
                } else {
                    $esc_filename = $this->db->escape($image['filename']);
                    $isimage = ",product_image = $esc_filename";
                }
            } else {
                $isimage = "";
            }
        }



        if ($validate_form) {

            $esc_id = $this->db->escape($id);
            $sub_category = isset($_POST['sub_category']) ? $_POST['sub_category'] : '';
            $generic = isset($_POST['generic']) ? $_POST['generic'] : '';
            $manufacturer = isset($_POST['manufacturer']) ? $_POST['manufacturer'] : '';
            $combination = isset($_POST['combination']) ? $_POST['combination'] : '';
            $package = isset($_POST['package']) ? $_POST['package'] : '';
            $desc = isset($_POST['desc']) ? $_POST['desc'] : '';
            $type = isset($_POST['type']) ? $_POST['type'] : '';
            $division = isset($_POST['division']) ? $_POST['division'] : '';



            $esc_code = $this->db->escape($code);
            $esc_name = $this->db->escape(strtoupper($name));
            $esc_category = $this->db->escape($category);
            $esc_sub_category = $this->db->escape($sub_category);
            $esc_supplier = $this->db->escape(implode(",", $supplier));
            $esc_generic = $this->db->escape($generic);
            $esc_manufacturer = $this->db->escape($manufacturer);
            $esc_combination = $this->db->escape($combination);
            $esc_package = $this->db->escape($package);
            $esc_desc = $this->db->escape($desc);
            $esc_type = $this->db->escape(strtoupper($type));
            $esc_division = $this->db->escape(strtoupper($division));
            $esc_ban=$this->db->escape(strtoupper($ban));
            $esc_chemicalname = $this->db->escape($chemicalname);

            try {

                $this->db->transaction();

                $this->db->query("UPDATE product SET product_code = $esc_code, product_name = $esc_name, product_category = $esc_category,product_chemical_name=$esc_chemicalname, 
                product_subcategory = $esc_sub_category, product_supplier = $esc_supplier, product_generic = $esc_generic, 
                    product_manufacturer  = $esc_manufacturer, product_combination = $esc_combination, product_package = $esc_package, 
                        product_desc = $esc_desc $isimage,product_type = $esc_type, product_division = $esc_division,product_banned=$esc_ban WHERE product_id = $esc_id", true);

                $this->db->commit();

                $return['status'] = true;
                $return['message'] = "Successfully Updated";
                return $return;
            } catch (Exception $e) {

                $this->db->rollback();
                $return['message'] = "Failed to Update";
                return $return;
            }
        } else {

            $return['message'] = "Invalid Field " . implode(", ", $validate_error);
            return $return;
        }
    }
}
为了做到这一点,当涉及到防止SQL注入时,您应该遵循最佳实践

您可以使用准备好的语句(最佳选项),或者至少使用mysqli\u real\u escape\u字符串转义您在SQL查询中输入的数据:

这样的查询

SELECT * FROM table_name WHERE column_name = 'test'data';
会变成这样吗

SELECT * FROM table_name WHERE column_name = 'test\'data';
并且您将停止收到错误。

mysql\u real\u escape\u string()已被弃用

使用
stripslashes()
清除变量,并(可选)在读取变量时使用
addslashes()
将其添加回

例如:

$supplier = stripslashes($_POST['supplier']);
请注意,不要使用
isset()
,请使用
!empty()

而不是

if(isset($your_variable)) { ... }

mysql\u real\u escape\u string()
已被弃用。感谢您提醒我,我已将其更改为与mysqli等效的版本。 
if(isset($your_variable)) { ... }