[英]Update if row exists or insert if not based on user_id
A user can edit their location via an edit form on my site. 用户可以通过我网站上的编辑表单编辑他们的位置。
Some users may not have entered a location to begin with so I need the query to create a row and insert the user's user_id and username along with the location data they are submitting. 有些用户可能没有输入一个位置,因此我需要查询来创建一行并插入用户的user_id和用户名以及他们提交的位置数据。
I'm struggling with after trying REPLACE INTO and multiple INSERT queries, obviously I'm not getting it right. 在尝试REPLACE INTO和多个INSERT查询后,我正在努力,显然我没有做对。
My Code; 我的守则;
require("includes/common.php");
if(empty($_SESSION['user']))
{
header("Location: index.php");
die("Redirecting to index.php");
}
$uid=$_SESSION['user']['id'];
$location_city = $_POST['location_city'];
$loctaion_county = $_POST['location_county'];
$loctaion_country = $_POST['location_country'];
// query
$sql = "UPDATE locations
SET location_county=?, location_city=?, location_country=?
WHERE user_id=$uid";
$q = $db->prepare($sql);
$q->execute(array($location_county,$location_city,$location_country));
header("location: edit-account.php");
Please note that I have I tried passing the username and user_id via pre-populated hidden fields into the database table and had other POST variables in the code above to insert that data. 请注意,我尝试通过预先填充的隐藏字段将用户名和user_id传递到数据库表中,并在上面的代码中使用其他POST变量来插入该数据。
The code above is working as it should for simple updates where I have manually created a user record in the locations table, for test purposes, by replacing the value in location_city. 上面的代码正好用于简单更新,我在location表中手动创建了一个用户记录,用于测试目的,方法是替换location_city中的值。
UPDATE: Two options to proceed exist, not closed to any - 1) entries are created in tables at signup therefore negating the need to insert a row if it doesn't exist when editing a location. 更新:存在两个要继续的选项,不对任何关闭 - 1)在注册表中创建条目,因此如果在编辑位置时不存在则无需插入行。 2) a new row is created if it doesn't exist. 2)如果不存在,则创建新行。
My signup code 我的注册码
<?php
// First we execute our common code to connection to the database and start the session
require("includes/common.php");
// This if statement checks to determine whether the registration form has been submitted
// If it has, then the registration code is run, otherwise the form is displayed
if(!empty($_POST))
{
// Ensure that the user has entered a non-empty username
if(empty($_POST['username']))
{
// Note that die() is generally a terrible way of handling user errors
// like this. It is much better to display the error with the form
// and allow the user to correct their mistake. However, that is an
// exercise for you to implement yourself.
die("Please enter a username.");
}
// Ensure that the user has entered a non-empty password
if(empty($_POST['password']))
{
die("Please enter a password.");
}
// Make sure the user entered a valid E-Mail address
// filter_var is a useful PHP function for validating form input, see:
// http://us.php.net/manual/en/function.filter-var.php
// http://us.php.net/manual/en/filter.filters.php
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
{
die("Invalid E-Mail Address");
}
// We will use this SQL query to see whether the username entered by the
// user is already in use. A SELECT query is used to retrieve data from the database.
// :username is a special token, we will substitute a real value in its place when
// we execute the query.
$query = "
SELECT
1
FROM users
WHERE
username = :username
";
// This contains the definitions for any special tokens that we place in
// our SQL query. In this case, we are defining a value for the token
// :username. It is possible to insert $_POST['username'] directly into
// your $query string; however doing so is very insecure and opens your
// code up to SQL injection exploits. Using tokens prevents this.
// For more information on SQL injections, see Wikipedia:
// http://en.wikipedia.org/wiki/SQL_Injection
$query_params = array(
':username' => $_POST['username']
);
try
{
// These two statements run the query against your database table.
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}
// The fetch() method returns an array representing the "next" row from
// the selected results, or false if there are no more rows to fetch.
$row = $stmt->fetch();
// If a row was returned, then we know a matching username was found in
// the database already and we should not allow the user to continue.
if($row)
{
die("This username is already in use");
}
// Now we perform the same type of check for the email address, in order
// to ensure that it is unique.
$query = "
SELECT
1
FROM users
WHERE
email = :email
";
$query_params = array(
':email' => $_POST['email']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
die("This email address is already registered");
}
// An INSERT query is used to add new rows to a database table.
// Again, we are using special tokens (technically called parameters) to
// protect against SQL injection attacks.
$query = "
INSERT INTO users (
username,
password,
salt,
email
) VALUES (
:username,
:password,
:salt,
:email
)
";
// A salt is randomly generated here to protect again brute force attacks
// and rainbow table attacks. The following statement generates a hex
// representation of an 8 byte salt. Representing this in hex provides
// no additional security, but makes it easier for humans to read.
// For more information:
// http://en.wikipedia.org/wiki/Salt_%28cryptography%29
// http://en.wikipedia.org/wiki/Brute-force_attack
// http://en.wikipedia.org/wiki/Rainbow_table
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
// This hashes the password with the salt so that it can be stored securely
// in your database. The output of this next statement is a 64 byte hex
// string representing the 32 byte sha256 hash of the password. The original
// password cannot be recovered from the hash. For more information:
// http://en.wikipedia.org/wiki/Cryptographic_hash_function
$password = hash('sha256', $_POST['password'] . $salt);
// Next we hash the hash value 65536 more times. The purpose of this is to
// protect against brute force attacks. Now an attacker must compute the hash 65537
// times for each guess they make against a password, whereas if the password
// were hashed only once the attacker would have been able to make 65537 different
// guesses in the same amount of time instead of only one.
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
// Here we prepare our tokens for insertion into the SQL query. We do not
// store the original password; only the hashed version of it. We do store
// the salt (in its plaintext form; this is not a security risk).
$query_params = array(
':username' => $_POST['username'],
':password' => $password,
':salt' => $salt,
':email' => $_POST['email']
);
try
{
// Execute the query to create the user
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}
// This redirects the user back to the login page after they register
header("Location: login.php");
// Calling die or exit after performing a redirect using the header function
// is critical. The rest of your PHP script will continue to execute and
// will be sent to the user if you do not die or exit.
die("Redirecting to login.php");
}
?>
If you're trying to insert a new row it should be like so; 如果你想插入一个新行,它应该是这样的;
$sql = "INSERT INTO locations
SET location_county=?, location_city=?, location_country=?, user_id=?
Of course this query would only be executed if a user is submitting location data for the first time. 当然,只有当用户第一次提交位置数据时才会执行此查询。 It would also be advisable to check if a row exists with the user's id & username before inserting a new row. 在插入新行之前,还应检查是否存在具有用户ID和用户名的行。
I've managed to solve the issues I was having with REPLACE INTO
, final code below for reference; 我已经设法用REPLACE INTO
解决了我遇到的问题,下面的最终代码供参考;
$user_id = $_POST['user_id'];
$username = $_POST['username'];
$location_city = $_POST['location_city'];
$loctaion_county = $_POST['location_county'];
$loctaion_country = $_POST['location_country'];
// query
$sql = "REPLACE INTO locations(user_id,username,location_city,location_county,location_country) VALUES('$_POST[user_id]','$_POST[username]',$location_city,'$location_county','$location_country')";
$q = $db->prepare($sql);
$q->execute(array($_POST[user_id],$_POST[username],$location_city,$locaion_county,$location_country));
header("location: edit-account.php");
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.