php在搜索结果的同一页上更新价格
[英]php update the price on the same page of search results
问题描述
I am new to php and sql. 
我是php和sql的新手。 I want to ask a question about how to update the price in the same page of php search result. 我想问一个问题,如何在php搜索结果的同一页面中更新价格。 I need add an input and a submit button for updating the price of the books among the search results. 我需要添加一个input和一个submit按钮,以更新搜索结果中的图书价格。 Upon submission the new price of the book should be updated onto the database and re-displayed onto the same page. 提交后,该书的新价格应更新到数据库中,并重新显示在同一页面上。
Here is the existing code of search html page and result php page. 这是搜索html页面和结果php页面的现有代码。 The search result already can show on the page, but how do I update the price? 搜索结果已经可以在页面上显示,但是如何更新价格? After I click the button the page will show error You have not entered search details. 单击按钮后,页面将显示错误消息您尚未输入搜索详细信息。 Please go back and try again. 请返回重试。 Please help me. 请帮我。
Search Page: 搜索页面:
<html>
<head>
<title>Book-O-Rama Catalog Search</title>
</head>
<body>
<h1>Book-O-Rama Catalog Search</h1>
<form action="results.php" method="post">
Choose Search Type:<br />
<select name="searchtype">
<option value="author">Author
<option value="title">Title
<option value="isbn">ISBN
</select>
<br />
Enter Search Term:<br />
<input name="searchterm" type="text" size="40">
<br />
<input type="submit" name="submit" value="Search">
</form>
</body>
</html>
Update page: 更新页面:
<html> <head> <title>Book-O-Rama Search Results</title> </head> <body> <h1>Book-O-Rama Search Results</h1> <?php // create short variable names $searchtype=$_POST['searchtype']; $searchterm=trim($_POST['searchterm']); if (!$searchtype || !$searchterm) { echo 'You have not entered search details. Please go back and try again.'; exit; } if (!get_magic_quotes_gpc()){ $searchtype = addslashes($searchtype); $searchterm = addslashes($searchterm); } @ $db = new mysqli('localhost', 'pf31ee', 'pf31ee', 'pf31ee'); if (mysqli_connect_errno()) { echo 'Error: Could not connect to database. Please try again later.'; exit; } $query = "select * from books where ".$searchtype." like '%".$searchterm."%'"; $result = $db->query($query); $num_results = $result->num_rows; echo "<p>Number of books found: ".$num_results."</p>"; for ($i=0; $i <$num_results; $i++) { $row = $result->fetch_assoc(); echo "<p><strong>".($i+1).". Title: "; echo htmlspecialchars(stripslashes($row['title'])); echo "</strong><br />Author: "; echo stripslashes($row['author']); echo "<br />ISBN: "; echo stripslashes($row['isbn']); echo "<br />Price: "; echo stripslashes($row['price']); echo "</p>"; } $result->free(); $db->close(); ?> <form action="results.php" method="post"> <input type="submit" name="submit" value="Update price"> <input type="text" name="price" maxlength="7" size="7"> <input type="hidden" name="searchtype" value="<?php echo htmlspecialchars($_POST['searchtype']);?>" /> <input type="hidden" name="searchterm" value="<?php echo htmlspecialchars($_POST['searchterm']);?>" /> <?php $updateprice=$_POST['price']; @ $db = new mysqli('localhost', 'pf31ee', 'pf31ee', 'pf31ee'); mysql_select_db('books'); $query1 = "UPDATE books SET price = ".$updateprice." WHERE ".$searchtype." like '%".$searchterm."%'"; $result1 = $db->query($query1); $result->free(); $db->close(); ?> </form> </body> </html>
create table customers ( customerid int unsigned not null auto_increment primary key, name char(50) not null, address char(100) not null, city char(30) not null ); create table orders ( orderid int unsigned not null auto_increment primary key, customerid int unsigned not null, amount float(6,2), date date not null ); create table books ( isbn char(13) not null primary key, author char(50), title char(100), price float(4,2) ); create table order_items ( orderid int unsigned not null, isbn char(13) not null, quantity tinyint unsigned, primary key (orderid, isbn) ); create table book_reviews ( isbn char(13) not null primary key, review text );
use myuser; insert into customers values (3, "Julie Smith", "25 Oak Street", "Airport West"), (4, "Alan Wong", "1/47 Haines Avenue", "Box Hill"), (5, "Michelle Arthur", "357 North Road", "Yarraville"); insert into orders values (NULL, 3, 69.98, "2007-04-02"), (NULL, 1, 49.99, "2007-04-15"), (NULL, 2, 74.98, "2007-04-19"), (NULL, 3, 24.99, "2007-05-01"); insert into books values ("0-672-31697-8", "Michael Morgan", "Java 2 for Professional Developers", 34.99), ("0-672-31745-1", "Thomas Down", "Installing Debian GNU/Linux", 24.99), ("0-672-31509-2", "Pruitt, et al.", "Teach Yourself GIMP in 24 Hours", 24.99), ("0-672-31769-9", "Thomas Schenk", "Caldera OpenLinux System Administration Unleashed", 49.99); insert into order_items values (1, "0-672-31697-8", 2), (2, "0-672-31769-9", 1), (3, "0-672-31769-9", 1), (3, "0-672-31509-2", 1), (4, "0-672-31745-1", 3); insert into book_reviews values ("0-672-31697-8", "Morgan's book is clearly written and goes well beyond most of the basic Java books out there.");
1 个解决方案
解决方案1
0 已采纳 2016-10-08 15:20:44
You need to pass the search type and value in the update form as well. 您还需要在更新表单中传递搜索类型和值。 You can use hidden input fields for that. 您可以为此使用隐藏的输入字段。
<html>
<head>
<title>Book-O-Rama Search Results</title>
</head>
<body>
<h1>Book-O-Rama Search Results</h1>
<?php
// create short variable names
$searchtype=$_POST['searchtype'];
$searchterm=trim($_POST['searchterm']);
if (!$searchtype || !$searchterm) {
echo 'You have not entered search details. Please go back and try again.';
exit;
}
if (!get_magic_quotes_gpc()){
$searchtype = addslashes($searchtype);
$searchterm = addslashes($searchterm);
}
@ $db = new mysqli('localhost', 'pf31ee', 'pf31ee', 'pf31ee');
if (mysqli_connect_errno()) {
echo 'Error: Could not connect to database. Please try again later.';
exit;
}
$query = "select * from books where ".$searchtype." like '%".$searchterm."%'";
$result = $db->query($query);
$num_results = $result->num_rows;
echo "<p>Number of books found: ".$num_results."</p>";
for ($i=0; $i <$num_results; $i++) {
$row = $result->fetch_assoc();
echo "<p><strong>".($i+1).". Title: ";
echo htmlspecialchars(stripslashes($row['title']));
echo "</strong><br />Author: ";
echo stripslashes($row['author']);
echo "<br />ISBN: ";
echo stripslashes($row['isbn']);
echo "<br />Price: ";
echo stripslashes($row['price']);
echo "</p>";
}
$result->free();
$db->close();
?>
<form action="" method="post">
<input type="submit" name="submit" value="Update price"> <input type="text" name="price" maxlength="7" size="7">
<input type="hidden" name="searchtype" value="<?php echo htmlspecialchars($_POST['searchtype']);?>" />
<input type="hidden" name="searchterm" value="<?php echo htmlspecialchars($_POST['searchterm']);?>" />
</form>
</body>
</html>
This code also is open to SQL injections. 此代码也可用于SQL注入。 You should use parameterized queries , and a whitelist for columns being passed in. The addslashes function is insufficient, per the manual: 您应该使用参数化的查询 ,并对要传入的列使用白名单。根据手册, addslashes函数不足:
Please note that use of addslashes() for database parameter escaping can be cause of security issues on most databases.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.