使用 PHP 更新数据库,没有 HTML 表单中的空值
[英]Updating database using PHP without empty values from HTML form
问题描述
I want to update my SQL db without empty values from my form.
我想更新我的 SQL 数据库,而我的表单中没有空值。 That's what I've got:这就是我所拥有的:
if(isset($_POST['account_details_submit'])) {
$user_id = array_values($_SESSION['user_info'])[9];
$edited = date('d.m.Y h:i a');
if(isset($_POST['account_details_first_name']) and !empty($_POST['account_details_first_name'])) { $add .= " and `first_name` = '$_POST[account_details_first_name]'"; }
if(isset($_POST['account_details_last_name']) and !empty($_POST['account_details_last_name'])) { $add .= " and `last_name` = '$_POST[account_details_last_name]'"; }
if(isset($_POST['account_details_phone_number']) and !empty($_POST['account_details_phone_number'])) { $add .= " and `phone_number` = '$_POST[account_details_phone_number]'"; }
if(isset($_POST['account_details_address_1']) and !empty($_POST['account_details_address_1'])) { $add .= " and `address_1` = '$_POST[account_details_address_1]'"; }
if(isset($_POST['account_details_address_2']) and !empty($_POST['account_details_address_2'])) { $add .= " and `address_2` = '$_POST[account_details_address_2]'"; }
if(isset($_POST['account_details_city']) and !empty($_POST['account_details_city'])) { $add .= " and `city` = '$_POST[account_details_city]'"; }
if(isset($_POST['account_details_post_code']) and !empty($_POST['account_details_post_code'])) { $add .= " and `post_code` = '$_POST[account_details_post_code]'"; }
if(isset($_POST['account_details_country']) and !empty($_POST['account_details_country'])) { $add .= " and `country` = '$_POST[account_details_country]'"; }
$update = "UPDATE `users` SET `edited` = '$edited'".$add." WHERE `id` = '$user_id'";
if ($conn->query($update) === TRUE) {
echo "Record updated successfully";
} else {
echo "Error updating record: " . $conn->error;
}
}
The message is "Record updated successfully" but only one row that is updating is row called edited and it's always updated to 0消息是“记录更新成功”,但只有一个正在更新的行是被称为已编辑的行,它总是更新为 0
I'm open for other ways how to do it.我对其他方法持开放态度。
PS I have tried to do it using array value but the result isn't what I wanted PS我尝试使用数组值来做,但结果不是我想要的
2 个解决方案
解决方案1
2 已采纳 2019-12-13 17:55:09
What you could do, though this is not tested, would be to use an array of form field names and database column names to help build your sql dynamically in a much safer manner using a prepared statement尽管未经测试,但您可以做的是使用表单字段名称和数据库列名称的数组来帮助使用prepared statement以更安全的方式动态构建 sql
if( !empty( $_SESSION['user_info'] ) && $_SERVER['REQUEST_METHOD']=='POST' ) {
$fields=array(
'account_details_first_name' => 'first_name',
'account_details_last_name' => 'last_name',
'account_details_phone_number' => 'phone_number',
'account_details_address_1' => 'address_1',
'account_details_address_2' => 'address_2',
'account_details_city' => 'city',
'account_details_post_code' => 'post_code',
'account_details_country' => 'country'
);
/* default variables... */
$user_id = array_values( $_SESSION['user_info'] )[9];
$edited = date('d.m.Y h:i a');
/* placeholders used to generate sql statement */
$params=array();
$values=array();
$types=array();
/*
iterate through all submitted POST fields -
if they are not empty add them to the placeholders
*/
foreach( $_POST as $field => $value ){
if( !empty( $value ) ){
$params[]=sprintf( '`%s`=?', $fields[ $field ] );
$values[]=$value;
$types[]='s';
}
}
/*
add semi-static variables to placeholders too
*/
$values[]=$user_id;
$types[]='s';
/* create a sql statement and the use that to create the `prepared statement` */
$sql = sprintf( 'update `users` set %s where `id`=?', implode( ',', $params ) );
#echo $sql;
$stmt=$db->prepare( $sql );
/* bind the types and assign variables with a SPLAT */
$stmt->bind_param( implode('',$types), ...$values );
$result=$stmt->execute();
echo $result ? 'Record updated successfully' : 'Error updating record';
}
By echo ing out the SQL prior to any calls to $db I was able to generate the following SQL which looks fine for use in the prepared statement :通过在对$db的任何调用之前echo显 SQL,我能够生成以下 SQL,它看起来可以在prepared statement中使用:
update `users` set `first_name`=?,`last_name`=?,`phone_number`=?,`address_1`=?,`address_2`=?,`city`=?,`post_code`=?,`country`=? where `id`=?
Without the schema and data I can test no further but looks OK.没有架构和数据,我无法进一步测试,但看起来还不错。 Time now for a glass of wine...现在是时候喝杯酒了……
解决方案2
-5 2019-12-13 17:03:47
You need separate fields by ',' and not 'and', I recommend you use xss protected with the function htmlspecialchars, see How to prevent XSS with HTML/PHP?您需要使用 ',' 而不是 'and' 来分隔字段,我建议您使用受函数 htmlspecialchars 保护的 xss,请参阅如何使用 HTML/PHP 防止 XSS? . . Try this:尝试这个:
if(isset($_POST['account_details_submit'])) {
$valuesToUpdate = [];
$fields = [
'first_name' => 'account_details_first_name',
'last_name' => 'account_details_last_name',
'phone_number' => 'account_details_phone_number',
'address_1' => 'account_details_address_1',
'address_2' => 'account_details_address_2',
'city' => 'account_details_city',
'post_code' => 'account_details_post_code',
'country' => 'account_details_country'
];
foreach ($fields as $key => $field) {
$protectedFromXss = trim(htmlspecialchars($_POST[$field]));
if ($protectedFromXss) {
$valuesToUpdate[] = "$key = '$protectedFromXss'";
}
}
if (count($valuesToUpdate)) {
$values = ', ' . implode(', ', $valuesToUpdate);
}
$edited = date('d.m.Y h:i a');
$user_id = array_values($_SESSION['user_info'])[9];
$update = "UPDATE `users` SET `edited` = '{$edited}' {$values} WHERE `id` = '$user_id'";
if ($conn->query($update) === TRUE) {
echo "Record updated successfully";
} else {
echo "Error updating record: " . $conn->error;
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.