您的位置: 首页  >  技术问答  >  PHP比较2个整数和更新表与更大的一个

PHP比较2个整数和更新表与更大的一个

分类: 技术问答 2022-04-09 19:16:20
问题描述:

Firstly, sorry for my bad english. I hope you will understand what i need. I started a website with products bidding. I have a products page where users can see all the products and a button that send the user to a form where he cand input a new price for that product and it updates the existing price in the database with the new one. But i want this to happen only if the initial price is lower than the price that user inputs.

How can i do that ? I was thiking that i need another column newprice and compare it with price but i don't know how to do that...

This is the table "produse" :

id | titlu | stare | price | descriere
_____________________________________
 1 |  asd  |  asd  |  140 |    asd

This is the products page (produs_user.php)

<?php
include('connect.php');
?>

<?php
//create the query
$result = mysqli_query($con,"select * from produse");

//return the array and loop through each row
while ($row = mysqli_fetch_array($result))
{
?>

<div class="produse"> 
<div class="produse-header"> 
<h3><?php echo $row['titlu'];?></h3>
<h5><?php echo $row['stare'];?></h5>
</div>
<div class="produse-continut">
<textarea readonly><?php echo $row['descriere'];?></textarea>
</div>
<div class="produse-pret"> 
<p><?php echo $row['price'];?> lei</p>
</div>
<div class="produse-buton"> 
<form action="liciteaza.php">
  <input type="submit" value="Liciteaza">
</form>
</div></div>

<?php 
} 
mysqli_close($con);
?>

The above page sends users to liciteaza.php where i have a field where users inputs the new price This is the liciteaza.php

<?php
include('connect.php');
?>

<?php
//create the query
$result = mysqli_query($con,"select * from produse");

//return the array and loop through each row
while ($row = mysqli_fetch_array($result))
{
?>

<form method="post" action="update_pret.php">
<div class="produse"> 
<div class="produse-header"> 
<h3><?php echo $row['titlu'];?></h3>
<h5><?php echo $row['stare'];?></h5>
</div>
<div class="produse-continut">
<textarea readonly><?php echo $row['descriere'];?></textarea>
</div>
<div class="produse-pret">
<p><input name="price" class="modifica-pret" id="price" value="<?php echo $row['price']; ?>"></p>
<input name="id" type="hidden" id="id" value="<?php echo $row['id']; ?>">
</div>
<div class="produse-buton"> 
  <input type="submit" value="Liciteaza">
</form>
</div></div>

<?php 
} 
mysqli_close($con);
?>

That page send me to update_pret.php where i update the new price to mysql table

This is the update_pret.php 

<?php
include('connect.php');

// update data in mysql database 
$result=mysqli_query($con,"UPDATE produse SET price='$_POST[price]' WHERE id='$_POST[id]'");

// if successfully updated. 
if($result)
{
header("location:produse_user.php");
}
else 
{
echo "ERROR";
}
mysqli_close($con);
?>

All these scripts are working perfectly but like i said i need this to work only when the new price chosen by the user is bigger than the initial price.

Fist solution : Using IF

UPDATE `produse` 
SET `price` = IF(`price` > '$_POST[price]', `price`, '$_POST[price]') 
WHERE `id` = '$_POST[id]'

Second solution : Using CASE statement:

UPDATE `produse` 
SET `price` = (CASE WHEN `price` > '$_POST[price]' THEN `price` ELSE  '$_POST[price]' END)
WHERE `id` = '$_POST[id]'

One option would be to modify your where statement:

$result=mysqli_query($con,"UPDATE produse SET price='$_POST[price]' 
WHERE id='$_POST[id]' AND price < $_POST[price] ");

UPDATE produse SET price = '$_POST[price]' WHERE id='$_POST[id]' AND price < $_POST['price']

You should be able to check the sql response to see if the update actually affected any rows, so you can update the user accordingly.

Note that this is unsafe, you should assign $_POST['price'] to a var first, and check the contents (parse to a number), and use that var in the query. Inserting $_POST directly into a query allows attackers to modify the query.

maythesource.com's answer also contains this update:

$result=mysqli_query($con,"UPDATE produse SET price='$_POST[price]' WHERE id='$_POST[id]' and price > $_POST[price]");

should solve your problem, however, you absolutely do not protect yourself against SQL injection. You should make sure that the user input does not contain malicious code updating or deleting something else.

Read about SQL Injection attack type here. You can use prepared statements as described here.

EDIT: As requested by maythesource.com, I provide an SQL injection example which could do harm. Let's suppose you use the code I have provided in my initial answer. $_POST['price'] has the value of:

66';

then it will update all your products in the produse table to have the price of 66, therefore you will lose all your prices. Imagine if all the real-estates in the auction will have 66 lei as price. Your boss will want your head :)

相关推荐