0

フォームからデータベースのデータを更新するときに問題が発生しました。[更新] ボタンを押してレコードに加えられた変更を送信すると、ドロップ リスト コントロールに対応する mysql フィールドのすべてのデータが消去されます。この問題の原因がわかりません。コードは次のとおりです。

<?php

    //include database connection
    include 'db_connect.php';

    // get value of object id that was sent from address bar
    $c_id = $_GET['c_id'];

    //check any user action
    $action = isset( $_POST['action'] ) ? $_POST['action'] : "";

    if($action == "update"){ //if the user hit the submit button

    //write our update query
    //$mysqli->real_escape_string() function helps us prevent attacks such as SQL injection

    $query = "UPDATE collections
    SET
    ctitle = '".$mysqli->real_escape_string($_POST['ctitle'])."',
    csubject = '".$mysqli->real_escape_string($_POST['csubject'])."',
    creference = '".$mysqli->real_escape_string($_POST['creference'])."',
    cyear  = '".$mysqli->real_escape_string($_POST['cyear'])."',
    cobjecttype = '".$mysqli->real_escape_string($_POST['cobjecttype'])."',
    cmaterial = '".$mysqli->real_escape_string($_POST['cmaterial'])."',
    ctechnic = '".$mysqli->real_escape_string($_POST['ctechnic'])."',
    cwidth = '".$mysqli->real_escape_string($_POST['cwidth'])."',
    cheight = '".$mysqli->real_escape_string($_POST['cheight'])."',
    cperiod = '".$mysqli->real_escape_string($_POST['cperiod'])."',
    cmarkings = '".$mysqli->real_escape_string($_POST['cmarkings'])."',
    cdescription = '".$mysqli->real_escape_string($_POST['cdescription'])."',
    csource = '".$mysqli->real_escape_string($_POST['csource'])."',
    cartist = '".$mysqli->real_escape_string($_POST['cartist'])."'
    where c_id='".$mysqli->real_escape_string($_REQUEST['c_id'])."'";

    //execute the query
    if( $mysqli->query($query) ) {

    //if updating the record was successful
    echo "The record was updated.";

    }else{

    //if unable to update new record
    echo "Database Error: Unable to update record.";

    }

    }

    //select the specific database record to update
    $query = "SELECT c_id, ctitle, csubject, creference, cyear, cobjecttype, cmaterial, ctechnic, cwidth, cheight, cperiod, cmarkings, cdescription, csource, cartist, cfilename
    FROM collections
    WHERE c_id='".$mysqli->real_escape_string($_REQUEST['c_id'])."'

    limit 0,1";

    //execute the query
    $result = $mysqli->query( $query );

    //get the result
    $row = $result->fetch_assoc();

    //assign the result to certain variable so our html form will be filled up with values
    $c_id = $row['c_id'];
    $ctitle = $row['ctitle'];
    $csubject = $row['csubject'];
    $creference = $row['creference'];
    $cyear = $row['cyear'];
    $cobjecttype = $row['cobjecttype'];
    $cmaterial = $row['cmaterial'];
    $ctechnic = $row['ctechnic'];
    $cwidth = $row['cwidth'];
    $cheight = $row['cheight'];
    $cperiod = $row['cperiod'];
    $cmarkings = $row['cmarkings'];
    $cdescription = $row['cdescription'];
    $csource = $row['csource'];
    $cartist = $row['cartist'];
    $cfilename = $row['cfilename'];

    ?>

    <!--we have our html form here where new object information will be entered-->
    <table align=left>
        <tr>
    <td> <?php echo '<img src="./images/'.$cfilename.'" width="300" height="400" />';  ?> </td>
        </tr>
    <table>

    <form action='#' method='post' border='0'> 
    <table>
    <tr>
    <td>TITLE</td>
    <td><input type='text' name='ctitle' value='<?php echo $ctitle;  ?>' /></td>
    </tr>
    <tr>
    <td>SUBJECT</td>
    <td><input type='text' name='csubject' value='<?php echo $csubject;  ?>' /></td>
    </tr>
    <tr>
    <td>REFERENCE No.</td>
    <td><input type='text' name='creference'  value='<?php echo $creference;  ?>' /></td>
    </tr>
    <tr>
    <td>YEAR</td>
    <td><input type='text' name='cyear'  value='<?php echo $cyear;  ?>' /></td>
    <tr><td>OBJECT TYPE</td>
    <td>
        <select name="cobjecttype" id="cobjecttype" tabindex="">
            <option value="">---Select object type---</option>
            <option value="ceramic">Ceramic</option>
            <option value="clock">Clock</option>
            <option value="gold">Gold and silverware</option>
            <option value="mask">Mask</option>
            <option value="painting">Painting</option>
            <option value="sculpture">Sculpture</option>
            <option value="tapestry">Tapestry</option>
        </select>
        </td></tr>
        <tr><td>MATERIAL USED</td>
    <td>
        <select name="cmaterial" id="cmaterial" tabindex="" >
            <option value="">---Select Material---</option>
            <option value="brass">Brass</option>
            <option value="oil">Oil</option>
            <option value="wood">Wood</option>
            <option value="carved">Canvas/Cotton/Fabric/Linen/Wool</option>
      </select>
        </td></tr>
    <tr><td>TECHNIC</td>
    <td>
        <select name="ctechnic" id="ctechnic" tabindex="7" >
            <option value="">---Select Technic---</option>
            <option value="cast">Cast</option>
            <option value="carved">Carved</option>
            <option value="etched">Etched</option>                      
      </select>  
        </td></tr>
    <tr>
    <td>WIDTH</td>
    <td width="100"><input name="cwidth" type="text" id="cwidth" value="<?php echo $cwidth; ?>" size="10"></td>
    </tr>
    <tr>
    <td>HEIGHT</td>
    <td width="100"><input name="cheight" type="text" id="cheight" value="<?php echo $cheight; ?>" size="10"></td>
    </tr>
    <tr>
    <td>PERIOD</td>
    <td width="100"><input name="cperiod" type="text" id="cperiod" value="<?php echo $cperiod; ?>" size="30"></td>
    </tr>
    <tr>
    <td>MARKINGS</td>
    <td width="100"><input name="cmarkings" type="text" id="cmarkings" value="<?php echo $cmarkings; ?>" size="30"></td>
    </tr>
    <tr>
    <td>DESCRIPTION</td>
    <td width="400"><textarea name="cdescription" rows="2" cols="50" id="cdescription" value="<?php echo $cdescription; ?>"></textarea></td></tr>
    <tr>
    <td>SOURCE</td>
    <td width="100"><input name="csource" type="text" id="csource" value="<?php echo $csource; ?>" size="30"></td>
    </tr>
    <tr>
    <td>ARTIST</td>
    <td width="100"><input name="cartist" type="text" id="cartist" value="<?php echo $cartist; ?>" size="30"></td>
    </tr>
    <td></td>
    <td>

    <!-- so that we could identify what record is to be updated -->
    <input type='hidden' name='c_id' value='<?php echo $c_id ?>' />

    <!-- we will set the action to update -->
    <input type='hidden' name='action' value='update' />
    <input type='submit' value='Save' />
    <a href='gallery.php'>Back to display page</a>
    </td>
    </tr>
    </table>
    </form>

誰かが問題が何であるかを特定するのを助けることができますか?

4

2 に答える 2

0

このような問題は、POST データを正しく検証しない場合に発生します。コードでは、 を使用してレコードを直接更新していますmysql_real_escape_string($variable)。ただし、これによりいくつかのセキュリティ問題が修正される可能性がありますが、データが存在するかどうかにかかわらず、すべてのデータが検証されるわけではありません。

クエリに更新する前に、変数が存在し、データを保持していることを検証します。

于 2013-02-27T10:22:10.407 に答える
-1

メソッドでフォームを投稿しますPOSTが、 c_id を取得します$_GET

$_POST['c_id']または$_REQUEST['c_id']...に変更します

于 2013-02-27T10:20:55.943 に答える