[英]MySQL update doesn't work
I want to update 2 of my database's fields according to user input.My code is something like this: 我想根据用户输入更新数据库的2个字段,我的代码是这样的:
<body>
<?php
$db_server["host"] = "localhost"; //database server
$db_server["username"] = "root"; // DB username
$db_server["password"] = "mypass"; // DB password
$db_server["database"] = "mudb";// database name
$dbc = mysql_connect($db_server["host"], $db_server["username"], $db_server["password"]);
mysql_select_db($db_server["database"], $dbc);
$user = $_COOKIE['mycookie'];
$q = "SELECT * FROM members WHERE username='$user'";
$r = mysql_query( $q,$dbc);
while ($row = mysql_fetch_array($r, MYSQLI_ASSOC)) {
echo 'username: '.$row['username'], '<br/>';
$password=$row['password'];
?>
<form method="post" id="changepasswordform" >
<input type="password" id="newpassword" name="newpassword"/>
<input type="submit" name="changepasswordbutton" >
</form>
<?php
echo 'email: '.$row['email'], '<br/>';
}
?>
<form method="post" id="changeemailform" >
<input type="text" id="newemail" name="newemail"/>
<input type="submit" value="αλλαγή" name="changeemailbutton" >
</form>
<?php
}
if (isset($_POST['changepasswordbutton'])){
$newpassword=$_POST['newpassword'];
$q2 = "UPDATE members SET password=$newpassword WHERE username='$user'";
$r2 = mysql_query($q2,$dbc);
}
if (isset($_POST['changeemailbutton'])){
$newemail=$_POST['newemail'];
$q3 = "UPDATE members SET email=$newemail WHERE username='$user'";
$r3 = @mysql_query( $q3,$dbc);
}
?>
</body>
However although my connection to my db is ok(SELECT displays results as expected) when i try to UPDATE , the values inside my db remain the same.I checked the values of $newpassword and $newemail and they do contain the user inputs each time.What am i missing here? 但是,尽管我尝试更新时与数据库的连接正常(SELECT将按预期显示结果),但数据库中的值保持不变。我检查了$ newpassword和$ newemail的值,它们每次都包含用户输入我在这里想念什么?
You're missing the ''
(quotes) that supposed to surround the password field. 您缺少了密码字段周围的
''
(引号)。 change: 更改:
UPDATE members SET password=$newpassword WHERE username='$user'
to: 至:
UPDATE members SET password='{mysql_real_escape_string($password)}'
WHERE username='{mysql_real_escape_string($user)}'
IMPORTANT: 重要:
And even though it's not related, please don't use mysql_*
functions - it's deprecated and vulnerable to sql-injection. 即使它不相关,也请不要使用
mysql_*
函数-它已被弃用,并且容易受到sql注入的影响。 Better use PDO or MySQLi. 最好使用PDO或MySQLi。
This will do the trick and is save for sql injection ( mysql_real_escape_string
): 这可以解决问题,并且可以保存以进行SQL注入(
mysql_real_escape_string
):
$q2 = "UPDATE members SET
password='". mysql_real_escape_string($password) ."'
WHERE username='". mysql_real_escape_string($user) ."';
But off course you shouldn't use mysql_*
anymore, I'm just giving an example for your specific case. 但是,当然,您不应该再使用
mysql_*
,我只是为您的特定情况提供示例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.