1 Answer
Contributor with 1799 experience points, received more than 6 likes
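You are extracting from $_GET (which is always to be avoided) and then getting $CityName from $_POST. This is inconsistent, because a request cannot be both GET and POST. It definitely has to be a POST request, otherwise the insert would not work at all. As commented, you should use prepared statements to avoid SQL injection attacks: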
    <?php
    session_start();
    include_once 'DBconfig.php'; // expected to define the mysqli connection $con

    $CityName = $_REQUEST['CityName'];

    if (isset($_REQUEST['CityID']))
    {
        // CityID supplied: update the existing row; values are bound, not concatenated
        $CityID = $_REQUEST['CityID'];
        $sql = "UPDATE city SET CityName = ?, Modified = NOW() WHERE city.CityID = ?";
        $stmt = mysqli_prepare($con, $sql);
        mysqli_stmt_bind_param($stmt, "si", $CityName, $CityID); // s = string, i = integer
    }
    else
    {
        // No CityID: insert a new row and let the database assign the ID
        $sql = "INSERT INTO city (CityID, CityName, Created, Modified) VALUES (NULL, ?, NOW(), NOW())";
        $stmt = mysqli_prepare($con, $sql);
        mysqli_stmt_bind_param($stmt, "s", $CityName);
    }

    $result = mysqli_stmt_execute($stmt);

    if ($result)
    {
        header('Location: ListCity.php');
        exit; // stop the script once the redirect header is sent
    }
    else
    {
        header('Location: AddEditCity.php');
        exit;
    }
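To show what the prepared statement in the answer above changes, here is an added example (not part of the original answer) that runs the same city update once with concatenated values and once with bound parameters. It assumes PDO with an in-memory SQLite database in place of the mysqli connection from DBconfig.php; the function names and sample values are constructed for illustration.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the mysqli connection
// from DBconfig.php (assumption), so the script runs with no database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function resetCities(PDO $pdo): void
{
    $pdo->exec('DROP TABLE IF EXISTS city');
    $pdo->exec('CREATE TABLE city (CityID INTEGER PRIMARY KEY, CityName TEXT)');
    $pdo->exec("INSERT INTO city (CityName) VALUES ('Oslo'), ('Lima'), ('Pune')");
}

// Before: request values are pasted into the SQL text, so they are parsed as SQL.
function updateConcatenated(PDO $pdo, string $name, string $id): int
{
    return $pdo->exec("UPDATE city SET CityName = '$name' WHERE CityID = $id");
}

// After: CityID must be an integer, and both values travel as bound parameters.
function updatePrepared(PDO $pdo, string $name, string $id): ?int
{
    $cityId = filter_var($id, FILTER_VALIDATE_INT);
    if ($cityId === false) {
        return null; // reject instead of letting the driver cast the string
    }
    $stmt = $pdo->prepare('UPDATE city SET CityName = ? WHERE CityID = ?');
    $stmt->bindValue(1, $name, PDO::PARAM_STR);
    $stmt->bindValue(2, $cityId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function cityNames(PDO $pdo): string
{
    return implode(', ', $pdo->query('SELECT CityName FROM city ORDER BY CityID')
                             ->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed sample input: a CityID that is not a plain integer.
$badId = '2 OR 1=1';

resetCities($pdo);
$n = updateConcatenated($pdo, 'Renamed', $badId); // WHERE clause matches every row
echo "concatenated: $n row(s) changed -> ", cityNames($pdo), "\n";

resetCities($pdo);
var_dump(updatePrepared($pdo, 'Renamed', $badId)); // rejected before any SQL runs
$n = updatePrepared($pdo, "Saint John's", '2');    // apostrophe is stored as data
echo "prepared: $n row(s) changed -> ", cityNames($pdo), "\n";
```

The integer check matters alongside binding: with the "i" type in mysqli_stmt_bind_param a non-numeric CityID is cast to an integer rather than refused, so validating it first keeps the update from silently hitting the wrong row.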