Retrieve data from a MySQL database, display it in a form, and let the user update it with PHP

Time: 2022-07-02 07:42:40

I am VERY NEW to PHP. I have a page where I want a user to be able to enter a citation and that information is then passed to a php script that queries against the database, returns the information in a form, and then allows the user to update any of the fields returned in that form.

I have three problems:

1) When data returns, it only returns the first word in the field. Many of the fields contain multiple words.

2) When the user changes data in the field, the database isn't updated.

3) I don't seem to know how to get the form fields to display like I do for data entry.

Here is the code that queries and returns the data for the user to review and update if necessary:

<?php  


mysql_connect("***************", "*********", "****") or die(mysql_error()); 
mysql_select_db("***********") or die(mysql_error()); 

$searchterm= $_POST['searchterm'];

$query = "SELECT Citation, Category, Overview, Facts, Decision, Keywords, Link     FROM     cases WHERE citation = '$searchterm'";

$result  = mysql_query($query);

while ($row = mysql_fetch_assoc($result))
{
    echo "<form action=".$_SERVER['PHP_SELF']." method=post>" .
         "Case Citation: <input type=text name=Citation value={$row['Citation'] }><br>" .
     "Category: <input type=text name=Category value={$row['Category'] }><br>" . 
     "Overview: <input type=text name=Overview value={$row['Overview'] }><br>" . 
     "Case Facts: <input type=text name=Facts value={$row['Facts'] }><br>" . 
     "Decision: <input type=text name=decision value={$row['Decision'] }><br>" . 
     "Keywords: <input type=text name=Keywords value={$row['Keywords'] }><br>" . 
     "Weblink: <input type=text name=Link value={$row['Link'] }><br>" . 
     "<input type=submit name=submit value=Update>" .
     "</form>";
} 

//when they click submit
if (isset($_POST['submit'])) { 

$Citation=$_POST['Citation'];
$Category=$_POST['Category'];
$Overview=$_POST['Overview'];
$Facts=$_POST['Facts'];
$Decision=$_POST['Decision'];
$Keywords=$_POST['Keywords'];
$Link=$_POST['Link'];

$update = "UPDATE IGNORE cases SET citation='$citation', category='$category', overview='$overview', facts='$facts', decision='$decision', keywords='$keywords', link='$link' WHERE citation = '%$searchterm%'";
$add = mysql_query($update);

} 
  ?>

Here is the form I use to add data:

<form action="process.php" method="post"> 
Case Citation: <input type="text" name="citation" size=128><br> 
Category: <input type="text" name = "category" size=56><br> 
Overview: <textarea class="textarea" cols="96" row="8" name = "overview"> </textarea><br> 
Case Facts:  <textarea class="textarea" cols="96" row="8" name = "facts"></textarea><br>
Decision:  <input type="text" name = "decision" size=56><br>
Keywords: <textarea class="textarea" cols="96" row="8" name = "keywords"></textarea><br>
Web Link: <input type="text" name = "link" size=128><br>
<input type="submit" value="Submit"> 
</form> 

And this is the code that saves the information to the database:

<? 
  $citation=$_POST['citation']; 
  $category=$_POST['category']; 
  $overview=$_POST['overview']; 
  $facts=$_POST['facts']; 
  $decision=$_POST['decision']; 
  $keywords=$_POST['keywords']; 
  $link=$_POST['link']; 
  mysql_connect("*************", "************", "*********") or die(mysql_error()); 
  mysql_select_db("************") or die(mysql_error()); 
  mysql_query("INSERT INTO `cases` VALUES ('$citation', '$category', '$overview', '$facts', '$decision', '$keywords', '$link')"); 
  Print "Your information has been successfully added to the database.  Add case page will automatically reload."; 

?> 

2 solutions

#1


0  

Your first (and probably the rest...) problem is caused by how you are building your form:

echo "<form action=".$_SERVER['PHP_SELF']." method=post>" .
     "Case Citation: <input type=text name=Citation value={$row['Citation'] }><br>" .
 "Category: <input type=text name=Category value={$row['Category'] }><br>" . 
 "Overview: <input type=text name=Overview value={$row['Overview'] }><br>" . 
 "Case Facts: <input type=text name=Facts value={$row['Facts'] }><br>" . 
 "Decision: <input type=text name=decision value={$row['Decision'] }><br>" . 
 "Keywords: <input type=text name=Keywords value={$row['Keywords'] }><br>" . 
 "Weblink: <input type=text name=Link value={$row['Link'] }><br>" . 
 "<input type=submit name=submit value=Update>" .
 "</form>";

Note that the values of all attributes are unquoted, so in html one of your inputs could look like:

Decision: <input type=text name=decision value=this is some text from that field><br>

and that is not valid html.

You should quote all values and prepare / escape them for use in html:

 'Decision: <input type=text name=decision value="' . htmlspecialchars($row['Decision']) . '"><br>' . 
 etc.

Apart from that you have a sql injection problem that you should solve by switching to PDO (or mysqli) and prepared statements with bound variables.

Note that a sql injection problem not only puts you at risk but it also invalidates your sql easily if one of your values contains for example a ' character.
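A hardened version of the asker's search-and-update page, added here as an illustration (it is not code from the question or from this answer): every SQL statement is a PDO prepared statement with bound values, every attribute value goes through htmlspecialchars inside quotes, and the long free-text columns are rendered as textareas so multi-word values survive the round trip. It assumes PHP 7.4+, a `cases` table whose column names are exactly those in the question's SELECT, and placeholder connection details (DB_HOST, DB_NAME, DB_USER, DB_PASS) that you replace with your own.

```php
<?php
// Added example, not the asker's or answerer's code. Placeholder credentials: replace them.
$pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // values are sent separately from the SQL text
]);

// Escape a value for use inside a double-quoted HTML attribute or an element body.
function h($s) { return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); }

// Column names are fixed here (assumed from the question's SELECT); only values are bound.
$fields = ['Citation', 'Category', 'Overview', 'Facts', 'Decision', 'Keywords', 'Link'];

if (isset($_POST['submit'])) {
    // UPDATE ... SET Citation = :Citation, ... WHERE Citation = :orig
    // The row is located by the citation it had when the form was rendered (hidden field),
    // so the user may edit the Citation column itself without losing the row.
    $sql = 'UPDATE cases SET ' . implode(', ', array_map(fn($f) => "$f = :$f", $fields))
         . ' WHERE Citation = :orig';
    $stmt = $pdo->prepare($sql);
    foreach ($fields as $f) {
        $stmt->bindValue(":$f", $_POST[$f] ?? '');
    }
    $stmt->bindValue(':orig', $_POST['orig_citation'] ?? '');
    $stmt->execute();
    echo '<p>Updated ' . $stmt->rowCount() . ' row(s).</p>';
}

// Re-query by the search term, or by the (possibly edited) citation after an update.
$searchterm = $_POST['searchterm'] ?? ($_POST['Citation'] ?? '');
$stmt = $pdo->prepare('SELECT ' . implode(', ', $fields) . ' FROM cases WHERE Citation = :c');
$stmt->execute([':c' => $searchterm]);

while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    echo '<form action="' . h($_SERVER['PHP_SELF']) . '" method="post">';
    echo '<input type="hidden" name="orig_citation" value="' . h($row['Citation']) . '">';
    foreach ($fields as $f) {
        // Long free-text columns get a textarea, matching the data-entry form.
        if (in_array($f, ['Overview', 'Facts', 'Keywords'], true)) {
            echo "$f: <textarea name=\"$f\" cols=\"96\" rows=\"8\">" . h($row[$f]) . "</textarea><br>";
        } else {
            echo "$f: <input type=\"text\" name=\"$f\" size=\"128\" value=\"" . h($row[$f]) . "\"><br>";
        }
    }
    echo '<input type="submit" name="submit" value="Update"></form>';
}
```

A value containing a quote, an angle bracket or an apostrophe now reaches the page and the database unchanged, because it is never spliced into HTML or SQL text.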

#2


0  

In the while loop check value={$row['Citation'] }.

Is the first letter of your database field name capitalized?

Check database field name again.
