我创建了一个函数来显示表格的内容。这是函数:
function query_tabel ($sql){
$query = $sql;
$result = mysql_query($query);
$kolomen_tellen = mysql_num_fields($result);
if (!$result) {
die("Error Query: " . mysql_error());
}
print "<table border=1>'n";
print "<tr>";
for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
{
$fieldname = mysql_field_name($result, $column_num);
print "<TH>$fieldname</TH>";
}
print "</tr>";
while ($row = mysql_fetch_row($result)) {
print ("<TR>");
for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
print ("<TD>$row[$column_num]</TD>'n");
print ("</TR>'n");
}
print "</table>";
它可以工作,并且可以随时在任何文件中调用该函数。但是我想要另一个函数来创建带有输入字段的编辑表单。
这是我的初稿:
function query_tabel_edit ($sql, $filename){
$query = $sql;
$result = mysql_query($query);
$kolomen_tellen = mysql_num_fields($result);
if (!$result) {
die("Error Query: " . mysql_error());
}
print "<table class=edit>'n";
print "<tr>";
for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
{
$fieldname = mysql_field_name($result, $column_num);
print "<TH class=edit>$fieldname</TH>";
}
print "</tr>";
while ($row = mysql_fetch_row($result)) {
print "<form action=$filename method=post>";
print ("<TR>");
for ($column_num = 0; $column_num < $kolomen_tellen; $column_num++)
print ("<TD class=edit> <input class=edit type=text name=$row[$column_num] value=$row[$column_num] </TD>'n");
print ("<TD class=edit> <input class=edit type=submit name=update value=edit> <TD>'n");
print ("</TR>'n");
}
print "</table>";
}
所以我添加了编辑链接,就像一个魅力,但我如何以及在何处创建和放置修改记录的 SQL 行。?
知道如何创建此编辑sql语句,我是否需要将数据sql行放在函数或调用该函数的PHP文件中的某个位置?
你可以或多或少地这样做。很难使其完全灵活,因为您需要知道如何构建更新语句。这意味着您必须知道要更新哪个表以及哪些字段。您不能依赖HTML表单中的内容,因为有人可能会伪造虚假表单并发布非法字段名称,从而使您受到攻击。
我认为最好的方法是在用户的会话中存储有关正在更新的表和字段的信息,但由于我不知道您是否了解会话,因此我暂时将其留在这里。
请注意,我已经使用了mysql函数,因为您正在使用它们,我不想强迫您更改它,但是它们已被弃用,强烈建议您更改为mysqli或PDO。
mysqli,您还可以使用预准备语句。但这也是我留给你在文档中阅读的内容。
与您的代码相比,我最重要的更改是我使用了 mysql_fetch_array ,它返回一个值数组,其中还包含字段名称作为键。这样,您就可以使用这些名称进行编辑,并且可以在$_POST数据中找到这些名称。从那里,您应该能够再拼出一些谜题以使其正常工作。
<?php
// This is how to do it in a single script: Check if a value is posted and
// act on it.
// If you have separate scripts, you don't actually need this, although it's
// still a good idea to thoroughly check the input to your scripts to prevent
// attacks from malicious users.
if (array_key_exists('id', $_POST)
{
// Post data found. Update record.
// Assuming id is an integer, I int-cast it. If it's not, make sure to
// properly escape it or you'll be vulnerable to SQL injection attacks!
$id = (int)$_POST['id'];
// You will need to validate if the posted field names are valid. You can
// do this by specifying a list of updatable fields and then check if the
// posted values are in that list.
// You could also run query to get the field names from the database, so
// so you will have more flexibility.
// You can also store the fields to be updated in the session of the user
// That will save you a query, but you'll have to read about sessions as well.
$updatableFields = array('firstname', 'lastname');
foreach ($_POST as $fieldname => $value)
{
// Validate the field names! You don't want field names that don't
// exist, or your query will break. Also, it will make you vulnerable
// to SQL injection attacks.
if (array_search($fieldname, $updatableFields) !== false)
{
$value = mysql_real_escape_string($value);
$update[] = "$fieldname = '$value'";
}
}
$sql = 'UPDATE YourTable SET ' . implode($update) . " WHERE id = $id";
// Execute statement.
}
else
{
// Query your database here
// <<code omitted>>
// Show edit form
while ($row = mysql_fetch_array($result))
{
foreach ($row as $fieldname => $value)
{
$value = htmlspecialchars($value);
$type = 'text';
// Store the id in an hidden input, so you know which row to update.
if ($fieldname == 'id')
{
$type = 'hidden';
}
?>
<label for="<?=$fieldname?>"><?=$fieldname?></label>
<input type="<?=$type?>" id="<?=$fieldname?>" name="<?=$fieldname?>" value="<?=$value?>">
<?php
}
?>
<input type="submit" value="save">
<?php
}
}