I am trying to update 'company_name', 'company_add', 'price' as primary key 'id' but it shows me a 'something went wrong' message along with an 'undefined id' error. Please help me!
    <?php
    include('data_conn.php');
    if (isset($_POST['sub']))
    {
        $comname = $_POST['cname'];
        $comadd = $_POST['cadd'];
        $pri = $_POST['price'];
        $query = "UPDATE login SET company_name=$comname,company_add=$comadd,price=$pri WHERE id=$id";
        $result = mysql_query($query);
        echo $result;
        if (!$result)
        {
            echo '<script>';
            echo 'alert("something went Wrong...:("); location.href="edit.php"';
            echo '</script>';
        } else {
            echo '<script>';
            echo 'alert("successfully updated!!!"); location.href="edit.php"';
            echo '</script>';
        }
    }
    ?>
Solution
Instead of substituting values directly, you could use the methods below to avoid SQL injection.
You basically have two options to achieve this:
Using PDO (for any supported database driver):
    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
    $stmt->execute(array('name' => $name));
    foreach ($stmt as $row) {
        // do something with $row
    }
Using MySQLi (for MySQL):
    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        // do something with $row
    }
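
The PDO approach from the answer applied to the UPDATE in the question, as an added example that is not code from the question or the answer. It assumes the row id is posted as a form field named `id` and that `price` is numeric; the function name `updateCompany` is hypothetical, and an in-memory SQLite database stands in for the MySQL connection in `data_conn.php`.

```php
<?php
// Added example: the question's UPDATE rewritten with PDO bound parameters.
// Assumptions: the row id is posted as a form field named "id", and price is numeric.
// An in-memory SQLite database stands in for the MySQL connection in data_conn.php.
function updateCompany(PDO $pdo, array $post): int
{
    // Read and validate the key first; the question's code shows no assignment to $id.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $price = filter_var($post['price'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($id === false || $price === false) {
        throw new InvalidArgumentException('invalid id or price');
    }
    // Placeholders keep the values out of the SQL text, so quotes need no escaping.
    $stmt = $pdo->prepare(
        'UPDATE login SET company_name = :cname, company_add = :cadd, price = :price WHERE id = :id'
    );
    $stmt->execute([
        ':cname' => (string) ($post['cname'] ?? ''),
        ':cadd'  => (string) ($post['cadd'] ?? ''),
        ':price' => $price,
        ':id'    => $id,
    ]);
    return $stmt->rowCount(); // number of rows changed
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly on SQL errors
$pdo->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, company_name TEXT, company_add TEXT, price REAL)');
$pdo->exec("INSERT INTO login VALUES (1, 'Acme', 'Old Road 1', 10.0), (2, 'Other', 'Elm St 2', 20.0)");

// Constructed form input; the apostrophe would break the concatenated query in the question.
$post = ['id' => '1', 'cname' => "O'Brien Ltd", 'cadd' => 'New Road 5', 'price' => '12.50'];
echo updateCompany($pdo, $post), " row(s) updated\n";
foreach ($pdo->query('SELECT id, company_name, company_add, price FROM login') as $row) {
    printf("%d | %s | %s | %.2f\n", $row['id'], $row['company_name'], $row['company_add'], $row['price']);
}

// A request without an id is rejected before any SQL runs.
try {
    updateCompany($pdo, ['cname' => 'x', 'cadd' => 'y', 'price' => '1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```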