0
我有一個簡單的html表單頁面,需要更新2列值,其中'Some_DB_Table'.id =用戶輸入的id號碼。不過,我有點困擾如何使用預處理語句來避免SQL注入。使用PHP中的表單值更新MySQL DB行
我的代碼:
HTML:
<form id="workorderMovement" name='workorderMovement_form' action="workordermovementGET.php" method="post">
<fieldset id="userid">
<span>Welcome <?php echo $user ?> </span>
</fieldset>
<fieldset id="sgnum">
<fieldset id="fieldset" style="text-align: center;">
<span>Please enter the SG Number</span>
</fieldset>
<input type="text" name="sgnumber" id="sgnumber"> <input type="button" name="searchButton" id="searchButton" value="SEARCH">
</fieldset>
<br/>
<br/>
<fieldset id="stageSelectField">
<fieldset id="fieldset" style="text-align: center;">
<span>Please select the Stage Completed</span>
</fieldset>
<select name="stageSelect" id="stageSelect">
<option value="Please Select">Please Select</option>
<option value="Film Done">Film Done</option>
<option value="Staged Done">Staged Done</option>
<option value="Cleanroom Done">Cleanroom Done</option>
<option value="GB2 Done">GB2 Done</option>
<option value="Bagging Done">Bagging Done</option>
<option value="Inspection Done">Inspection Done</option>
<option value="LC Done">LC Inspection Done</option>
<option value="IGU Done">IGU Done</option>
</select>
</fieldset>
<br/>
<br/>
<fieldset id="floorNotesField">
<fieldset id="fieldset" style="text-align: center;">
<span>Please enter any new work order notes</span>
</fieldset>
<textarea type="text" name="floorNotes" id="floorNotes" class="floorNotesText"></textarea>
</fieldset>
<br/>
<br/>
<br/>
</form> <!-- End Work Order Movement Form -->
<fieldset id="doneButtonField">
<input type="button" name="doneButton" id="doneButton" value="DONE">
</fieldset>
MY AJAX:
j("#doneButton").click(function(){
//send Workorder Movement Data values to php using ajax.
var sgnumber = j('#sgnumber').val();
var stageselect = j('#stageSelect').val();
var floornotes = j('#floorNotes').val();
j.ajax ({
method: 'POST',
url: "workordermovementUPDATE.php",
data: {sgNumber: sgnumber, stageSelect: stageselect, floorNotes: floornotes},
dataType: 'json',
success: function(data){
alert(data);
}
});
});
我的PHP:
<?php
include('inc.php');
//Get Table Options.
if (isset($_POST['sgNumber'])) {
$sgNumber = $_POST['sgNumber'];
if (isset($_POST['stageSelect'])) {
$stageSelect=$_POST['stageSelect'];
}
if (isset($_POST['floorNotes'])) {
$floorNotes=$_POST['floorNotes'];
}
//connect to the database
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if(mysqli_connect_errno()) {
printf('Could not connect: ' . mysqli_connect_error());
exit();
}
$conn->select_db($dbname);
if(! $conn->select_db($dbname)) {
echo 'Could not select database. '.'<BR>';
}
$sql= "UPDATE invoices SET productionstage = ".$stageSelect.", floornotes = ".$floorNotes." WHERE id = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param('i', $sgNumber);
$stmt->execute();
$stmt->store_result();
if(mysqli_query($conn, $stmt)){
echo "".$sgnumber." Updated Successfully!";
} else {
echo "ERROR: Could not update ".$sgnumber."".mysqli_error($conn)."";
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//Free the result variable.
$result->free();
//Close the Database connection.
$conn->close();
}//End If statement
?>
這是正確的/有什麼建議?
謝謝!
由於您正在準備事情並進行「bind_param」調用,我不確定您是如何完全錯過了爲所有**放置佔位符的船,而不僅僅是一些任意值。在那裏做什麼'$ stageSelect'?用'?'替換所有內容並綁定這些值。 – tadman
@tadman所以像這樣:$ sql =「更新發票SET productionstage =?,floornotes =?WHERE id =?'然後執行$ stmt-> bind_param('我',$ sgNumber,$ stageSelect,$ floorNotes);?我不知道如何執行bind_param部分以避免SQL注入更新表時只是從中選擇數據。 – rdimouro