我正在创建一个非常基本的图书馆系统,该系统将允许用户登录、注册、搜索一本书并预订该书。我的登录和注册功能正在工作,搜索数据库的功能也在工作。当我想预订这本书时,我的问题就出现了。当我点击保留按钮时,它不会显示任何错误,但我的数据库不会更新。如果你们中的任何人能帮助我发现问题所在,我将不胜感激。
还有一点需要注意的是,我知道我的代码不是很好,可以进行注射。一旦应用程序正常运行,我就会进行注射。
我的代码低于
<?php
session_start();
if(!isset($_SESSION['username']) || (trim($_SESSION['username']) == '')) {
header("location: login.php");
exit();
}
?>
<html>
<head>
<style type="text/css">
ul li{
list-style-type:none;
}
</style>
<title>Search for and Reserve a Book</title>
</head>
<p><body>
<h3>Book Details</h3>
<p>You may search either by Book Title, Author or Book Category</p>
<form method="post" action="search_submit.php?go" id="searchform">
<input type="submit" name="submit" value="Search">
</form>
</body>
</html>
<?php
if(isset($_POST['submit'])){
if(isset($_GET['go']))
{
if(preg_match("/[^a-zA-Z0-9]+/", $_POST['name']))
{
$name=$_POST['name'];
//connect to the database
$db=mysql_connect ("localhost", "root", "") or die ('I cannot connect to the database because: ' . mysql_error());
//-select the database to use
$mydb=mysql_select_db("bookreservations");
//-query the database table
$sql="SELECT * FROM books WHERE Author LIKE '%" . $name . "%' OR BookTitle LIKE '%" . $name ."%'";
//-run the query against the mysql query function
$result=mysql_query($sql);
//-create while loop and loop through result set
while($row=mysql_fetch_array($result))
{
$ID = $row['id'];
$ISBN = $row['ISBN'];
$Author =$row['Author'];
$BookTitle=$row['BookTitle'];
$CategoryId=$row['CategoryId'];
echo '<table cellpadding ="10" border = "2">';
echo '<th> ID </th>';
echo '<th> Author </th>';
echo '<th> Book Title </th>';
echo '<th> CategoryId </th>';
echo '<th> ISBN </th>';
echo '<th> Reserved </th>';
echo '<th> Reserve Book </th>';
echo'<tr>';
echo'<td>' .$ID.'</td>';
echo'<td>' .$BookTitle.'</td>';
echo'<td>' .$Author.'</td>';
echo'<td>' .$CategoryId.'</td>';
echo'<td>' .$ISBN.'</td>';
echo'<td>' .$Reserved.'</td>';
echo'<td><form method = "post" action="reserve.php">';
echo'<input type="submit" name="submit1" value="Reserve"> </input>
</td>';
if(isset($_POST['submit1']))
{
$sql = "UPDATE books SET 'Reserved = 1' WHERE 'Reserved=0'";
}
echo'</tr>';
echo '</table>';
}
}
else
{
echo "<p>Please enter a valid search query</p>";
}
}
}
?>
a)您的sql中有一个错误。删除Reserved=X周围的单引号,然后使用:
"UPDATE books SET Reserved = 1 WHERE Reserved=0"
问题:这会保留所有的书。
b) 要进行此声明,只预订1本书,您需要将要预订的书的id添加到您的预订表格中:
echo'<td><form method = "post" action="reserve.php?book=' . $ID. '">';
echo'<input type="submit" name="submit1" value="Reserve">
c) 使用b)中的$ID仅预订$ID 指定的图书
"UPDATE books SET Reserved = 1 WHERE Reserved=0 and id = ". $_GET['book']
d) SQL注入是代码中的一个严重问题。请仔细检查所有sql语句。例如,d)中的语句受到影响。我将把这作为一个练习留给您,或者简单地问另一个关于如何确保代码安全的问题。