PHP Mysql update statement with embedded _POST

$result = mysql_query("UPDATE orders SET order_id='".$data['order_id']."',project_ref='".$data['project_ref']."',supp_short_code='".$data['supp_short_code']."',om_part_no='".$data['om_part_no']."',description='".$data['description']."',quantity='".$data['quantity_input']."',cost_of_items='".$data['cost_of_items']."',cost_total='".$data['cost_total_td']."' WHERE order_id = '".$data['order_id']."'") or die(mysql_error());

Oddly it's set all fields to "2" (the order_id value). I'm trying to create an "edit orders" page but it's not going to plan!?

EDIT:

How I send the data to the PHP:

$('#submit').live('click', function() {
    var postData = {};
    postData['data[order_id]'] = $('#order_id').text();
    $('#items tr').not(':first').each(function(index, value) {
        var keyPrefix = 'data[' + index + ']';
        postData[keyPrefix + '[supp_short_code]'] = $(this).closest('tr').find('.supp_short_code').text();
        postData[keyPrefix + '[project_ref]'] = $(this).closest('tr').find('.project_ref').text();
        postData[keyPrefix + '[om_part_no]'] = $(this).closest('tr').find('.om_part_no').text();
        postData[keyPrefix + '[description]'] = $(this).closest('tr').find('.description').text();
        postData[keyPrefix + '[quantity_input]'] = $(this).closest('tr').find('.quantity_input').val();
        postData[keyPrefix + '[cost_of_items]'] = $(this).closest('tr').find('.cost_of_items').text();
        postData[keyPrefix + '[cost_total_td]'] = $(this).closest('tr').find('.cost_total_td').text();
    });

    $.ajax({
        type: "POST",
        url: "updateorder.php",
        dataType: "json",
        data: postData,
        cache: false,
        success: function() {
            alert("Order Updated");
        }
    });
});

Complete PHP Code:

if (isset($_POST['data']) && is_array($_POST['data'])) {
    foreach ($_POST['data'] as $row => $data) {
        $result = mysql_query("UPDATE orders SET project_ref='".$data['project_ref']."',supp_short_code='".$data['supp_short_code']."',om_part_no='".$data['om_part_no']."',description='".$data['description']."',quantity='".$data['quantity_input']."',cost_of_items='".$data['cost_of_items']."',cost_total='".$data['cost_total_td']."' WHERE order_id = '".$data['order_id']."'") or die(mysql_error());
    }
}
var_dump($data);


  1. This is unsafe. You should escape any values sent to MySQL, using mysql_real_escape_string
  2. What does the data look like? Are you sure $data contains the right values?
  3. What does the generated query look like, before it's sent to MySQL?
  4. There's no need to update the order_id (thanks, Fosco)
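
An added example, not part of the original question or answer: the same update written with a PDO prepared statement instead of string concatenation (a swapped-in technique; the mysql_* functions used above were removed in PHP 7). It reads order_id from the top level of data, where the jQuery code puts it, and skips entries that are not rows. The in-memory SQLite database, the constructed $post payload and the update_order function name are assumptions so the block runs without a MySQL server.

```php
<?php
// Constructed payload in the shape the jQuery code above posts (sample values are made up).
$post = ['data' => [
    'order_id' => '2',
    0 => ['supp_short_code' => 'ACM', 'project_ref' => 'P-1', 'om_part_no' => "X'1",
          'description' => "O'Brien 5\" bolt", 'quantity_input' => '3',
          'cost_of_items' => '1.50', 'cost_total_td' => '4.50'],
]];

// Assumption: in-memory SQLite stands in for MySQL; against MySQL only the connection changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (order_id INTEGER, project_ref TEXT, supp_short_code TEXT,
    om_part_no TEXT, description TEXT, quantity TEXT, cost_of_items TEXT, cost_total TEXT)');
$db->exec('INSERT INTO orders (order_id) VALUES (2)');

// Hypothetical helper: applies every posted row to the order and returns the affected-row count.
function update_order(PDO $db, array $data): int
{
    // order_id is a scalar next to the rows, not a field inside each row.
    $orderId = filter_var($data['order_id'] ?? null, FILTER_VALIDATE_INT);
    if ($orderId === false) {
        throw new InvalidArgumentException('order_id must be an integer');
    }
    // Placeholders keep posted values out of the SQL text, so quotes in them are just data.
    $stmt = $db->prepare('UPDATE orders SET project_ref = :project_ref,
        supp_short_code = :supp_short_code, om_part_no = :om_part_no,
        description = :description, quantity = :quantity_input,
        cost_of_items = :cost_of_items, cost_total = :cost_total_td
        WHERE order_id = :order_id');
    $keys = ['project_ref', 'supp_short_code', 'om_part_no', 'description',
             'quantity_input', 'cost_of_items', 'cost_total_td'];
    $updated = 0;
    foreach ($data as $row) {
        if (!is_array($row)) {
            continue; // the scalar order_id entry, which the original loop treated as a row
        }
        $params = [':order_id' => $orderId];
        foreach ($keys as $k) {
            $params[":$k"] = isset($row[$k]) && is_scalar($row[$k]) ? (string) $row[$k] : null;
        }
        $stmt->execute($params);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

echo update_order($db, $post['data']), " row(s) updated\n";
print_r($db->query('SELECT * FROM orders')->fetch(PDO::FETCH_ASSOC));
```

Because the WHERE clause matches on order_id alone, every posted row writes to the same record; updating items individually would need a per-item key in the WHERE clause.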