mycode 上的 BUG 我花了几个小时找不到问题所在 - BUG on mycode i spend hours dont find what the issue

BUG on mycode i spend hours dont find what the issue

嗨，请看这个代码，我正在使用此代码更新当前项目，$current_project_id 使用 i 正在获取要编辑的当前项目我已经检查了数据以发布我在执行 echo 语句时获得的变量。当我使用该对象将其传递给我的类函数时，可能会出现一些问题。

另外：感谢您的帮助，如果您在我的代码:)上发现一些安全问题

用户端：

<?php 
    $current_project_id = (int)$_GET["pid"]; //Getting current project to Update from URL parameter.
    $currentproject = $touchObj->get_projects_by_id($current_project_id); // Using  project id to update, we are taking all project data.
?>

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
if(isset($_POST['project_name']) && isset($_POST['project_location'] )) { 
    include('inc/handleUpload.php'); // Image uplaod class
    $up->config('20000000','jpg,gif,png,pdf,txt,doc,docx,xls,xlsx,zip,rar');
    $up->upload('project_file','xxxxxxxxxxxxxxxxxxxxxxxxx/'); //Server file location for upload folder.

    $project_investor_id = implode(",",$_POST["project_investor_id"]); // Our table field store data as comma seperated separated
    $project_name = mysql_real_escape_string($_POST['project_name']);
    $project_location = mysql_real_escape_string($_POST['project_location']);
    $project_phase = mysql_real_escape_string($_POST['project_phase']);
    $project_capital = mysql_real_escape_string($_POST['project_capital']);
    $project_total = mysql_real_escape_string($_POST['project_total']);
    $project_notes = mysql_real_escape_string($_POST['project_notes']);
    $file = $up->fileInfo['fname'];

    $touchObj->update_project(
        $current_project_id,
        $project_investor_id,
        $project_name, 
        $project_location,
        $$project_phase,
        $project_capital,
        $project_total,
        $project_notes,
        $file
        );
}
else 
{
    echo '<div class="alert alert-info"><h6>Please fill datas...</h6></div>';
}
}
?>

我在这个特定类的功能：

 public function update_project($project_id, $project_investor_id, $project_name, $project_location, $project_phase, $project_capital, $project_total, $project_notes, $file){
    $result = mysql_query("UPDATE project_table SET 
    project_investor_id = $project_investor_id, 
    project_name = $project_name,    
    project_location = $project_location,
    project_phase = $project_phase,
    project_capital = $project_capital,
    project_total = $project_total,
    project_notes = $project_notes,
    project_file = $file
    WHERE project_id =$project_id");
    if($result) {
    echo '<div class="alert alert-success"><h6>Project updates... Do not refresh window...</h6></div>';
    }
    else {
    echo '<div class="alert alert-error"><b>Some error while updating the project. Please try again...</b></div>';
    }
}

结果：更新项目时出现一些错误。请重试...

我无法使用此功能更新数据请重新骂它，让我知道我错过了什么？有什么想法吗？

非常感谢您宝贵的时间

我很确定基于字符的字段需要用'标记包围，例如：

project_notes = '$project_notes',

而不是：

project_notes = $project_notes,

您应该调查术语"SQL 注入"，以了解为什么将用户输入的值推入查询中是一个坏主意。他们所要做的就是以某种方式输入类似的东西

', salary = salary * 1.5, project_notes = 'actual project notes

进入$project_notes文本输入框（或您正在使用的任何内容），您将度过一些有趣的时光。

参数化查询要安全得多。