我有一个带有文本输入字段的表单& select下拉菜单,它将信息提交给profile-updated.php。它作为一个简单的UPDATE查询工作,但我试图使它成为参数化查询,它不起作用。它不会给我一个错误,它只是不实际更新任何东西。我为参数化的SELECT或INSERT查询做了一个教程,所以我试图使它适合我的UPDATE需求时使用“$ _POST ['age'];一部分。任何帮助极大的赞赏。文本输入的参数化查询
下面是参数化尝试查询代码:
$age = $_POST['age'];
$gender = $_POST['gender'];
$videourl = $_POST['videourl'];
$soundcloud = $_POST['soundcloud'];
$about = $_POST['about'];
$facebook = $_POST['facebook'];
$twitter = $_POST['twitter'];
$stmt = $con->stmt_init();
if ($stmt->prepare("UPDATE Users1 (age, gender, videourl, soundcloud,
about, facebook, twitter) VALUES (?, ?, ?, ?, ?, ?, ?) WHERE email = '" . $_POST['email'] . "' ")) {
$stmt->bind_param("sssssss", $age, $gender, $videourl, $soundcloud, $about, $facebook, $twitter);
$stmt->execute();
$stmt->close();
}
$con->close();
这里是一个优良的工作我的旧更新代码:
$sql = mysqli_query($con, "UPDATE Users1
SET age = '" . $_POST['age'] . "',
gender = '" . $_POST['gender'] . "',
videourl = '" . $_POST['videourl'] . "',
soundcloud = '" . $_POST['soundcloud'] . "',
about = '" . $_POST['about'] . "',
facebook = '" . $_POST['facebook'] . "',
twitter = '" . $_POST['twitter'] . "',
WHERE email = '" . $_POST['email'] . "'
");
为什么不绑定电子邮件参数?如果你不这样做,你仍然在用不可信数据构建一个SQL命令。 –