我试图用ajax按类没有标识更新的行数量 我看过对谷歌几个小时努力工作了这一点,但所有我能找到没有似乎工作
我的code迄今
包括('config.php文件');
的$ id = $ _ GET [ID]
$ SQL2 =SELECT * FROM`orders` WHERE`ID` =的$ id。;
$结果2 =请求mysql_query($ SQL2);
$ ROW2 = mysql_fetch_array($结果2);
$为了= $ _ GET [为了]
$数量= $ _ GET [数量];
$ SQL =SELECT * FROM`stock` WHERE`part` =$一部分。;
$结果= mysql_query($ SQL);
$ ROW1 = mysql_fetch_array($结果);
$ lineprice = $数量* $ ROW2 [价格];
$ sqlins1 =UPDATE`orders` SET数量='$数量',lineprice ='$ lineprice'WHERE ID ='的$ id。';
如果(!的mysql_query($ sqlins1,$ CON))
{
死亡(错误:mysql_error());
}
$ SQL =SELECT * FROM`orders` WHERE`invoice` ='ORDER BY ID DESC$秩序。;
$结果= mysql_query($ SQL);
回声<表ID ='POITableWIDTH =100%的边界='1'>
&其中; TR>
< TD> SKU< / TD>
< TD>数量< / TD>
< TD宽度= '45%'>项目< / TD>
< TD>单价< / TD>
< TD>线路价格与LT; / TD>
< TD>删除< / TD>
&所述; / TR>中;
而($行= mysql_fetch_array($结果))
{
回声< TR>< TD>中。 $行[部分。 < / TD>< TD><表格名称='测试'>
<输入类型=隐藏值=$行[ID]。'ID ='一部分'> <输入类型='文本'ID ='数量'值=的onblur =updateqty(this.id)'&GT'[数量'。$行。'';< /形式GT;< / TD> < TD>&LT$行['说明']。; / TD>< TD>中$行[价格]。< / TD>< TD>中$行['。 lineprice']< / TD>< TD> <输入类型=形象SRC =图像/ btn_delete.png'值=$行[ID]。的onclick ='deletesku(THIS.VALUE)身高= '30'/>< / TD>
;
}
有这方面的帮助将不胜AP preciated,
感谢
解决方案 您$ C $ c是容易受到SQL注入。 您使用的是它不支持$ P $脱precated API ppared语句prevent SQL注入 您可以将您的更新
和 SELECT
组合成一个单独的语句。 Here's一个想法
您扣减应基于数据库的,基于没有价值
更新TBL更新COL = COL - 1
i'm trying to update rows quantity using ajax by class not id i have looked on google for hours trying to work this out but everything i could find didnt seem to work
my code so far is
include('config.php');
$id=$_GET[id];
$sql2="SELECT * FROM `orders` WHERE `id` = '".$id."'";
$result2 = mysql_query($sql2);
$row2 = mysql_fetch_array($result2);
$order=$_GET[order];
$qty=$_GET[qty];
$sql="SELECT * FROM `stock` WHERE `part` = '".$part."'";
$result = mysql_query($sql);
$row1 = mysql_fetch_array($result);
$lineprice=$qty * $row2[price];
$sqlins1 = "UPDATE `orders` SET qty='$qty', lineprice='$lineprice' WHERE id = '".$id."'";
if (!mysql_query($sqlins1,$con))
{
die('Error: ' . mysql_error());
}
$sql="SELECT * FROM `orders` WHERE `invoice` = '".$order."' ORDER BY id DESC";
$result = mysql_query($sql);
echo" <table id='POITable' width='100%' border='1'>
<tr>
<td>SKU</td>
<td>QTY</td>
<td width='45%'>item</td>
<td>Unit Price</td>
<td>Line Price</td>
<td>Delete</td>
</tr>";
while($row = mysql_fetch_array($result))
{
echo"<tr><td>" . $row['part'] . "</td><td><form name='test'>
<input type='hidden' value='" . $row[id] . "' id='part'> <input type='text' id='qty' value='" . $row['qty'] . "' onblur='updateqty(this.id)'></form></td><td>" . $row['description'] . "</td><td>" . $row['price'] . "</td><td>" . $row['lineprice'] . "</td><td> <input type='image' src='images/btn_delete.png' value='" . $row[id] . "' onclick='deletesku(this.value)' height='30'/></td>
";
}
any help on this would be greatly appreciated,
Many thanks
解决方案 Your code is vulnerable to SQL injection. You're using a deprecated API which does not support prepared statements to prevent SQL injection You can combine yourUPDATE
and SELECT
into a single statement. Here's an idea
Your deduction should be database based, not value based
UPDATE tbl UPDATE col = col - 1