简单的更新查询不起作用?
After writing a whole lot of much more complicated code that works beautifully, THIS is the code that is giving me issues.
Simple form
<form action="res/scripts/editsubscriber.php" method="post">
<label for="name">Name: </label>
<input name="name" type="text" value="<?php echo $name; ?>">
...etc, etc...
</form>
Submits to this script:
include('appvars.php');
if(isset($_POST['submit'])){
$id = $_POST['id'];
$name = $_POST['name'];
$email = $_POST['email'];
$month = $_POST['month'];
$day = $_POST['day'];
$year = $_POST['year'];
$date = $_POST['date'];
$time = substr($date, 0, (stripos($date, " ")+1));
$time = str_replace($time, '', $date);
$created = $year.'-'.$month.'-'.$day.' '.$time;
$query = "UPDATE newslettersubscribers SET name = '$name', email = '$email', created = '$created' WHERE id = $id)";
mysqli_query($dbc, $query);
}
It posts, I've echoed all of the variables, they change just fine, but it still won't update the database. Someone please tell me what i'm missing...
在编写了许多复杂得多的代码之后,这就是给我提出问题的代码。 p>
简单表格 p>
&lt; form action =“res / scripts / editsubscriber.php”method =“post”&gt;
&lt; ; label for =“name”&gt;名称:&lt; / label&gt;
&lt; input name =“name”type =“text”value =“&lt;?php echo $ name;?&gt;”&gt;
。 ..etc等...
&lt; / form&gt;
code> pre>
提交到此脚本: p>
包括( 'appvars.php');
if(isset($ _ POST ['submit'])){
$ id = $ _POST ['id'];
$ name = $ _POST ['name'];
$ email = $ _POST [ 'email'];
$ month = $ _POST ['month'];
$ day = $ _POST ['day'];
$ year = $ _POST ['year'];
$ date = $ _POST ['date'];
$ time = substr($ date,0,(stripos($ date,“”)+1));
$ time = str_replace($ time,'',$ date);
$ created = $ year .'-'。$ month。' - '。$ day。' '。$ time;
$ query =“UPDATE newslettersubscribers SET name ='$ name',email ='$ email',created ='$ created'WHERE id = $ id)”;
mysqli_query($ dbc,$ query );
}
code> pre>
它发布了,我回复了所有变量,它们改变得很好,但它仍然不会更新数据库。 有人请告诉我我错过了什么...... p>
div>
- remove extra
)on your update statement -
read article to avoid
SQL Injection
You got a strange trailing ) in your SQL query. Have you executed it in a SQL client ?
Do you have an ID form input?
<input name="id" type="text" value="<?php echo $id; ?>">
Also, you're not escaping sql/html.
This code will compromise your database's security severely. Since none of the parameters are sanitized before being included in the query, anyone with basic security knowledge can take over your application in seconds.
To address the security issues and your bug, you may want to look into http://php.net/manual/en/pdo.prepared-statements.php