使用PHP在MySQL数据库

Question

更新记录考虑：

<form action="sql5_2.php" method="POST"> 
    <h3>Update customer Record</h3> 
    <input type = "text" name ="PATNUM" placeholder ="Enter Patient number "><br> 
    <input type = "text" name ="PAT_FORENAME" placeholder ="Enter Patient Forename "><br> 
    <input type = "text" name ="PAT_SURNAME" placeholder ="Enter Patient Lastname"><br> 
    <input type = "text" name ="STREET_ADDRESS" placeholder ="Enter Address"><br> 
    <input type = "text" name ="TOWN" placeholder ="Enter Town"><br> 
    <input type = "text" name ="POST_CODE" placeholder ="Enter Postcode"><br> 
    <input type = "text" name ="AGE" placeholder ="Enter Patient Age"><br> 
    <br><input type = "submit" value ="Save"><br> 
</form> 

<?php 
    $conn = mysqli_connect ("localhost", "B00657633", "Jpr3EjPw") 
       or die ("could not connect: " . mysqli_error($conn)); 
    print "successful connection<br>"; 

    mysqli_select_db($conn, 'B00657633') or die ('db will not open'); 

    $patnum = $_POST[PATNUM]; 
    $firstname = $_POST[PAT_FORENAME]; 
    $lastname = $_POST[PAT_SURNAME]; 
    $address = $_POST[STREET_ADDRESS]; 
    $town = $_POST[TOWN]; 
    $postcode = $_POST[POST_CODE]; 
    $age = $_POST[AGE]; 

    $sql = "UPDATE patient3 SET PATNUM='$patnum', PAT_FORNAME='$firstname', STREET_ADDRESS='$address', TOWN='$town' , POST_CODE='$postcode' , AGE='$age' WHERE PATNUM= $patnum"; 

    if (mysqli_query($conn, $sql)) { 
     echo "Record updated successfully"; 
     echo '<br><a class="button" href="sql5_2.php?PATNUM=' . $patnum . '">View updated records</a><br>'; 
    } 

    mysqli_close($conn); 
?> 
</div> 

Answer 1

你的POST变量需要在单引号：

$patnum= $_POST[PATNUM];必须是$patnum= $_POST['PATNUM'];

这适用于所有。

而且where条件必须是在单引号：

$sql = "UPDATE patient3 SET PATNUM='$patnum', PAT_FORNAME='$firstname', STREET_ADDRESS='$address', TOWN='$town' , POST_CODE='$postcode' , AGE='$age' WHERE PATNUM= '$patnum'"; 

---

注意有关错误报告的水平。

如果在服务器上未设置错误报告级别以便默认捕获它们，则不带引号的POST阵列将是有效的。

它试图将标识符解析为一个常量，如果常量不存在，PHP假定标识符应该被引用。

否则，使用error_reporting(E_ALL);时，它会产生：

E_NOTICE：类型8 - 使用未定义的常量PATNUM的 - 假设 'PATNUM'

因此，它通常是最好的捕捉所有错误并引用POST数组。

参考：

• http://php.net/manual/en/function.error-reporting.php

Answer 2

$ _ POST是一个数组，所以使用钥匙等作为

$_POST['key'] = $value; 

你错过了封闭钥匙进入引号（'），如获取值as

$patnum = $_POST['PATNUM']; 
$firstname = $_POST['PAT_FORENAME']; 
$lastname = $_POST['PAT_SURNAME']; 
$address = $_POST['STREET_ADDRESS']; 
$town = $_POST['TOWN']; 
$postcode = $_POST['POST_CODE']; 
$age = $_POST['AGE']; 

---

有关错误报告级别的注意事项。

如果在服务器上未设置错误报告级别以便默认捕获它们，则不带引号的POST阵列将是有效的。

它试图将标识符解析为一个常量，如果常量不存在，PHP假定标识符应该被引用。

否则，使用error_reporting(E_ALL);时，它会产生：

E_NOTICE：类型8 - 使用未定义的常量PATNUM的 - 假设 'PATNUM'

因此，它通常是最好的捕捉所有错误并引用POST数组。

参考：所有的

• http://php.net/manual/en/function.error-reporting.php

Answer 3

首先，认为这是一个例如，让你在正确的方向，而不是在生产中使用。

很重要的是要验证用户输入，最低将是：

• 检查如果一个变量被设置$_POST，试图访问它之前，使用isset()，empty() ...
• 验证它包含的数据，你期望一个INT，范围在2 - 99之间，一封电子邮件...
• 使用准备好的语句来防止SQL注入，如果不可能，至少使用mysqli_real_escape_string。

HTML表单：

<form action="sql5_2.php" method="POST"> 
    <h3>Update customer Record</h3>   
     <input type = "text" name ="PATNUM" placeholder ="Enter Patient number "><br> 
     <input type = "text" name ="PAT_FORENAME" placeholder ="Enter Patient Forename "><br> 
     <input type = "text" name ="PAT_SURNAME" placeholder ="Enter Patient Lastname"><br> 
     <input type = "text" name ="STREET_ADDRESS" placeholder ="Enter Address"><br> 
     <input type = "text" name ="TOWN" placeholder ="Enter Town"><br> 
     <input type = "text" name ="POST_CODE" placeholder ="Enter Postcode"><br> 
     <input type = "text" name ="AGE" placeholder ="Enter Patient Age"><br> 
     <br><input type = "submit" value ="Save"><br> 
</form> 

这里的PHP sql5_2.php文件：

<?php 
// I assume this is an example, but in real life don't print errors to the client 
$conn = mysqli_connect ("localhost", "*********", "********") 
    or die ("could not connect: " . mysqli_error($conn)); 
print "successful connection<br>"; 

mysqli_select_db($conn, 'B00657633') or die ('db will not open'); 


if (!isset($_POST['PATNUM'])) 
{ 
    die("No 'Patient number' supplied"); 
} else 
{ 
    // Here validate the patient number 
    // I assume it's a natural number auto-generated by DB 
    if (1 !== @preg_match('/(^0$)|(^[1-9]{1}\d*)$/', $_POST['PATNUM'])) 
    { 
     die("Invalid 'Patient number': ".$_POST['PATNUM']); 
    } 

    $patnum = $_POST['PATNUM']; 
} 

$firstname = $lastname = $address = $town = $postcode = $age = NULL; 

// At least some basic SQL Injection prevention 
if (isset($_POST['PAT_FORENAME']) 
{ 
    $firstname= mysqli_real_escape_string($conn, $_POST['PAT_FORENAME']); 
} 

// Use the same style for the other variables 

// Example using direct query 
$sql = "UPDATE patient3 SET " 
    ." PAT_FORNAME='$firstname' " 
    ." WHERE PATNUM= $patnum"; 

if (mysqli_query($conn, $sql)) { 
    echo "Record updated successfully"; 
} else { 
    die("Record could not be updated"); 

mysqli_close($conn); 

是使用准备好的语句，请按照下面的例子：

if (!isset($_POST['PATNUM'])) 
{ 
    die("No 'Patient number' supplied"); 
} else 
{ 
    // Here validate the patient number 
    // I assume it's a natural number auto-generated by DB 
    if (1 !== @preg_match('/(^0$)|(^[1-9]{1}\d*)$/', $_POST['PATNUM'])) 
    { 
     die("Invalid 'Patient number': ".$_POST['PATNUM']); 
    } 

    $patnum = $_POST['PATNUM']; 
} 

if (!isset($_POST['PAT_FORENAME']) 
{ 
    die('No name supplied'); 
} 

$db = new mysqli('localhost', '*******', '********', 'B00657633'); 

if (mysqli_connect_errno()) { 
    printf("Connect failed: %s\n", mysqli_connect_error()); 
    die(); 
} 

$statment = $db->prepare("UPDATE patient3 SET PATNUM=? WHERE PATNUM=?"); 
if (false === $statement) 
    die(); 

if (false === $statement->bind_param('sd', $_POST['PAT_FORENAME'], $patnum)) 
    die(); 

if (false === $statement->execute()) 
    die();