0
其他更新功能運行良好,但我試圖更新任何數據,付款率的現有值變爲0.其他值似乎更新得很好。只有繳費率變爲0使用DECIMAL輸入(php,mysql)更新輸入
下面是小數點輸入
<div class="form-group">
<label class="control-label col-sm-4" >Payment Rate:</label>
<div class="col-sm-4">
<input type="decimal" class="form-control" name="payment" value="<?php echo "RM"; ?> <?php if(isset($row['payment_puspakom'])){ echo $row['payment_puspakom']; } ?>" required placeholder="Enter Payment Rate (RM)">
</div>
</div>
這是我更新的SQL語句的HTML。
if(isset($_POST['submit'])){
$id = mysqli_real_escape_string($link, $_POST["puspaid"]);
$vehicle = mysqli_real_escape_string($link,$_POST["vehicle"]);
$date = date("Y-m-d",strtotime($_POST["date"]));
$specification = mysqli_real_escape_string($link,$_POST["specification"]);
$stats = mysqli_real_escape_string($link,$_POST["stats"]);
$next = date("Y-m-d",strtotime($_POST["next"]));
$payment = mysqli_real_escape_string($link,$_POST["payment"]);
$status = mysqli_real_escape_string($link,$_POST["status"]);
$update = mysqli_real_escape_string($link,$_SESSION["idinfostaf"]);
$updpuspa="UPDATE puspakom SET id_fkVehicle='$vehicle', id_fkPuspakomStatus='$stats', date_puspakom='$date', specification='$specification', payment_puspakom='$payment', dateNext_puspakom='$next', status_puspakom='$status', updateby_puspakom='$update' WHERE id_puspakom=".$id;
$respuspa=mysqli_query($link,$updpuspa);
if($respuspa){
$success = "Record Updated Successfully";
}
else{
$error = "Error Updating Record. Try Again...".mysqli_error($link);
}
}
我似乎找不到我犯的錯誤。
使用預準備語句。 – Enstage
準備好聲明? – yuki
[Little Bobby](http://bobby-tables.com/)說[你的腳本存在SQL注入攻擊風險](http://stackoverflow.com/questions/60174/how-can-i-prevent- SQL注入功能於PHP)。瞭解[MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php)的[準備語句](http://en.wikipedia.org/wiki/Prepared_statement)。即使[轉義字符串](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string)是不安全的。 – junkfoodjunkie