I'm trying to make an update form. The update part is already working, but it would be better if I'm going to put a view button so that the users will not input the data all over again just to update it.
I'm working on this code; there's a button in the HTML form with the following code as its form action. Its job is to populate the textboxes with the appropriate data depending on the telephone number entered.
<?php
$con = mysql_connect("localhost","root","");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("hospital", $con);
$result = mysql_query("SELECT * FROM t2 WHERE TELNUM='{$_POST["telnum"]}'");
while ($row = mysql_fetch_array($result))
{
<form>
<input name="lname" type="text"<?php echo $result["lname"];">
</form>
?>
What's wrong with my code? I'm still a beginner in PHP.
Your HTML doesn't look correct; the value for a text input field is specified with the value attribute, e.g.
<input name="lname" type="text" value="<?php echo( htmlspecialchars( $row['lname'] ) ); ?>" />
The row data will be present in the $row hash; $result is just a pointer to the MySQL result buffer. In addition, you're missing a ?> tag after the echo statement, and the final ?> is misplaced. There also appears to be no closing brace for the while loop.
Note the use of htmlspecialchars() to escape HTML entities in the text. This will prevent the text in the database from inadvertently closing the tag and spewing rubbish all over your HTML (and prevent against malicious input from users having any effect).
Overall, the correct solution might look something like:
<?php
$con = mysql_connect( 'localhost', 'root', '' );
if( !$con ) {
    die( 'Could not connect: ' . mysql_error() );
} else {
    mysql_select_db( 'hospital', $con );
    $result = mysql_query( "SELECT * FROM t2 WHERE TELNUM='{$_POST["telnum"]}'" );
    while( $row = mysql_fetch_array( $result ) ) {
?>
<form>
    <input name="lname" type="text" value="<?php echo( htmlspecialchars( $row['lname'] ) ); ?>" />
</form>
<?php
    }
}
?>
Finally, not to second-guess you, but be careful about inserting arbitrary values from user-supplied data (like $_GET and $_POST) into SQL queries - a malicious user could use this to intentionally construct queries you don't want performed, or a non-malicious user could quite reasonably provide data that unintentionally breaks the SQL, causing an unexpected error (or again, some form of unknown broken behaviour). Take a look at the SQL injection page on the PHP web site as a good starting point to learn more about this.
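Added example (not part of the original question or answers): the same lookup with the telephone number bound as a query parameter instead of interpolated from $_POST, plus the escaped value attribute. It assumes PDO with the pdo_sqlite extension and uses an in-memory SQLite database with constructed rows so it runs offline; findByTelnum and renderForm are hypothetical helper names, and against MySQL only the PDO DSN and credentials change.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL "hospital" database
// so the script runs offline. Table and column names follow the question;
// the rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t2 (TELNUM TEXT PRIMARY KEY, lname TEXT)');
$pdo->exec("INSERT INTO t2 VALUES ('555-0100', 'O\"Neil <ward 3>')");
$pdo->exec("INSERT INTO t2 VALUES ('555-0101', 'Santos')");

// Look up rows by telephone number. The value is bound as a parameter, so it
// is always treated as data and never parsed as part of the SQL text.
function findByTelnum(PDO $pdo, string $telnum): array
{
    $stmt = $pdo->prepare('SELECT lname FROM t2 WHERE TELNUM = :telnum');
    $stmt->execute([':telnum' => $telnum]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Render the pre-filled form. ENT_QUOTES escapes both quote styles, so a
// stored value cannot close the value="..." attribute.
function renderForm(array $row): string
{
    $lname = htmlspecialchars($row['lname'], ENT_QUOTES, 'UTF-8');
    return "<form>\n  <input name=\"lname\" type=\"text\" value=\"{$lname}\" />\n</form>\n";
}

// Constructed inputs standing in for $_POST['telnum']: a normal number, and
// one containing an apostrophe, which would break the interpolated query.
foreach (['555-0100', "555-0100 (O'Brien's desk)"] as $telnum) {
    $rows = findByTelnum($pdo, $telnum);
    echo "telnum=", $telnum, " rows=", count($rows), "\n";
    foreach ($rows as $row) {
        echo renderForm($row);
    }
}
```

The apostrophe-bearing input simply matches no rows instead of producing a SQL error, and the stored double quote and angle brackets reach the page as HTML entities inside the value attribute.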
It should be:
<input name="lname" type="text"<?php echo $row['lname'];
Not
<input name="lname" type="text"<?php echo $result['lname'];
$result is just that - the boolean result of the mysql_query() call.
$row is the actual data on each iteration of the loop.
A number of things are wrong here.
Your opening and closing PHP tags don't match. You can open them at the beginning and close them at the bottom like you're doing, you just have to echo the HTML when doing that.
The input takes a value attribute, which you can use to preset its value.
The array you want to be pulling your MySQL fetched array from is $row, not $result.
It would help to close your while loop.
It'd be good for you to escape output, depending on what's being output.
while($row = mysql_fetch_array($result)){ echo " "; }
Why htmlspecialchars instead of htmlentities? I always use htmlentities.