$id = $_REQUEST['id'];
$Section = $_REQUEST['section'];
$Subject = $_REQUEST['subject'];
$type = $_REQUEST['type'];
$Start_date1 = isset($_REQUEST['startTxt'])?($_REQUEST['startTxt']):"";
$Venue = isset($_REQUEST['venTxt'])?($_REQUEST['venTxt']):"";
$Facilitator = isset($_REQUEST['faciTxt'])?($_REQUEST['faciTxt']):"";
$Level = isset($_REQUEST['lvlLst'])?($_REQUEST['lvlLst']):"";
$Date1 = $_REQUEST['date1'];
if(isset($_REQUEST['EDIT']))
{
mysql_query("UPDATE service SET Start_date='$Date1', Venue='$Venue', Facilitator='$Faci' WHERE ServiceID ='$id'");
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo '<script type="text/javascript">';
echo 'alert("Changes have been save!");';
echo 'window.location="Admin_RecSchedMapLst.php";';
echo '</script>';
mysql_close($con);
}
当我点击保存时,它返回"错误:查询为空" - 这是为什么?
Gre*_*reg 17
您正在调用mysql_query()两次,一次使用不存在的$sql参数:
mysql_query("UPDATE service SET Start_date='$Date1', Venue='$Venue', Facilitator='$Faci' WHERE ServiceID ='$id'");
if (!mysql_query($sql,$con))
应该:
if (!mysql_query("UPDATE service SET Start_date='$Date1', Venue='$Venue', Facilitator='$Faci' WHERE ServiceID ='$id'"))
你也没有逃避输入,让你开始注入SQL.您应该理想地使用绑定参数,或者至少运行您的参数mysql_real_escape_string().
例如:
$Date1 = mysql_real_escape_string($Date1, $conn);
| 归档时间: |
|
| 查看次数: |
38318 次 |
| 最近记录: |