PHP表单发布更新数据库和刷新页面，但在刷新后不会更新页面上的数据

发布于 2025-02-11 18:20:52 字数 2119 浏览 0 评论 0原文

我似乎无法在Stackoverflow中找到工作解决方案。我希望使用表格帖子中提交的更新数据更新表单值。数据库更新，但是刷新后，值仍然相同。任何帮助将不胜感激。谢谢！

<?php
global $wpdb;

$user_id  = get_current_user_id();
$org_id = get_user_meta($user_id, '_org_id', true);
$orgs = $wpdb->get_results("select * from wp_organization");
$user_org = null;

foreach($orgs as $struct) {
    if ($org_id == $struct->id) {
        $user_org = $struct;
        break;
    }
}
?>
<?php
$connection = mysqli_connect("address", "login", 'password');
$db = mysqli_select_db($connection, 'databasename');
    
if(isset($_POST['update'])) {
    $id = $org_id;
    
    $query = "UPDATE `wp_organization` SET         
        name = '$_POST[org_name]',
        shortname = '$_POST[shortname]',
        industry = '$_POST[industry]',
        description = '$_POST[description]'
        where id = $id ";
        
    $query_run = mysqli_query($connection, $query);
}
}
?>
<!-- organization info form -->
<form class="py-4 col-md-6 mx-auto" method="post" action="">
    <h2 class="mb-3 text-center">Organization Information</h2>
    <label class="form-label">Name</label>
    <input type="text" required name="org_name" value="<?php echo $user_org-> name; ?>" 
        class="form-control mb-3" />
    <label class="form-label">Industry</label>
    <input type="text" name="industry" value="<?php echo $user_org-> industry; ?>" class="form-control mb-3" />
    <label class="form-label">Short name (4 characters)</label>
    <input type="text" name="shortname" required maxlength="4" value="<?php echo $user_org-> shortname; ?>" class="form-control mb-3" />
    <label class="form-label">Description</label>
    <textarea class="form-control mb-3" name="description" rows="5" cols="50"><?php echo trim(stripslashes($user_org-> description)); ?></textarea>
    <div class="d-flex justify-content-center">
        <input type="submit" name="update" value='Update' class='btn btn-primary'> 
    </div>
</form>

原文

I can't seem to find a working solution in stackoverflow. I wish to update the form values with the updated data that is submitted in the form post. The database updates but after the refresh, the values are still the same. Any help would be appreciated. Thanks!

<?php
global $wpdb;

$user_id  = get_current_user_id();
$org_id = get_user_meta($user_id, '_org_id', true);
$orgs = $wpdb->get_results("select * from wp_organization");
$user_org = null;

foreach($orgs as $struct) {
    if ($org_id == $struct->id) {
        $user_org = $struct;
        break;
    }
}
?>
<?php
$connection = mysqli_connect("address", "login", 'password');
$db = mysqli_select_db($connection, 'databasename');
    
if(isset($_POST['update'])) {
    $id = $org_id;
    
    $query = "UPDATE `wp_organization` SET         
        name = '$_POST[org_name]',
        shortname = '$_POST[shortname]',
        industry = '$_POST[industry]',
        description = '$_POST[description]'
        where id = $id ";
        
    $query_run = mysqli_query($connection, $query);
}
}
?>
<!-- organization info form -->
<form class="py-4 col-md-6 mx-auto" method="post" action="">
    <h2 class="mb-3 text-center">Organization Information</h2>
    <label class="form-label">Name</label>
    <input type="text" required name="org_name" value="<?php echo $user_org-> name; ?>" 
        class="form-control mb-3" />
    <label class="form-label">Industry</label>
    <input type="text" name="industry" value="<?php echo $user_org-> industry; ?>" class="form-control mb-3" />
    <label class="form-label">Short name (4 characters)</label>
    <input type="text" name="shortname" required maxlength="4" value="<?php echo $user_org-> shortname; ?>" class="form-control mb-3" />
    <label class="form-label">Description</label>
    <textarea class="form-control mb-3" name="description" rows="5" cols="50"><?php echo trim(stripslashes($user_org-> description)); ?></textarea>
    <div class="d-flex justify-content-center">
        <input type="submit" name="update" value='Update' class='btn btn-primary'> 
    </div>
</form>

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

[浮城] 2025-02-18 18:20:52

导致旧数据出现的主要问题是，您在更新它之前先查询数据库。在页面执行的开头查询以表格显示的数据，然后，如果有帖子数据，则数据库将更新。结果，用于渲染表单的数据是旧数据，而不是最近更新的数据。因此，以非常最小的方式，您可以通过数据库更新切换数据库查询，并且数据流将按预期工作。

但是，此代码还有其他几个问题，最著名的是SQL攻击漏洞。结果，我将解决所有这些问题，以为这个问题创建一个完整且安全的答案。

这是

基于$ wpdb变量的存在以及某些表名称，看来这是作为WordPress站点的一部分（看来）（否则，与WordPress安装一起）。结果，您无需进行任何原始mysqli _调用。而是使用方法 $ wpdb class> class 可以安全访问数据库，还将有助于确保WordPress数据库系统的任何将来更改不会破坏您的代码。

结果：删除mysqli _方法。

提防不必要的语法

有几个不必要的语法，这些语法可能具有不良的副作用。例如，在代码的中间，您拥有

?>

<?php

此代码段的实际要做的是将幻影位插入一个幻影（在这种情况下，一个字面的newline字符或\ n）中的页面输出。例如，如果您尝试在此值之后设置标头，那么您将在已经发送的输出方面遇到困难而神秘的错误。一个很好的做法是，您的所有业务代码都生活在一个连续的块中，只有一个＆lt;？php在您的文件顶部。

此外，如果（ISSET（$ _ post ['update']））以额外的悬挂式闭合括号}结束。

此外，在您的实际更新部分中，$ _ post superglobal的调用不是实际字符串，而是原始令牌（例如$ _ post [shortname]。我怀疑您做到了这一点。为了利用phps字符串插值。。

字符串

>在您的

中将未经信任的字符串（以$ _ post变量的形式）传递给SQL。他们想要进入表单字段的数据，包括可以使用原始SQL删除您的数据库并妥协的SQL命令。 PHP为此包括一个很棒的库PDO，还有许多其他选项。但是，如上所述，由于您使用的是WordPress，因此您可以使用$ WPDB，该还可以保护对内置的SQL注入，并提供与WordPress数据库的进一步兼容性好处。

结果：不要使用RAW SQL

更新然后查询（但也首先查询）

核心问题导致您发布问题的核心问题是数据未在网页中更新提交表格直到下一个加载时。这是因为您当前从数据库中查询数据，然后更新数据库。由于您使用早期查询的结果在网页中显示值，因此它们自然不是新值。

我怀疑您这样做是因为您需要$ org_id的值才能创建和查询，结果您的所有查询都集成在一起。但是，$ org_id的主要获取需要开始，但是更新后的查询其余部分。

结果：修复查询并更新订购。

没有数据验证

您盲目地使用$ _ POST值的值，但可能无法设置这些值。在您的示例中，这可能只会导致空数据库值，但在其他情况下，这可能是灾难性的。如上所述，任何人都可以使用他们想要的任何$ _发布数据请求您的页面。因此，如果发送到服务器的数据丢失某些字段，则确保您提供默认值是一个好习惯。

结果：验证存在所有预期数据。

此代码的一个版本在查询之前更新数据库，因此每个页面加载和更新以及提到的其他修复程序的数据是正确的，可能看起来像这样：

<?php

/// 1. Get the global WordPress Database Object
global $wpdb;

/// 2. Use WP helper functiosn to query the current user and org IDs
$user_id  = get_current_user_id();
$org_id = get_user_meta($user_id, '_org_id', true);

/// 3. Update the database if necessary
if (isset($_POST['update'])) {
    /// 3.i Prepare the variables

    // Note: In new versions of PHP, each of the isset ? : lines below could be replaced
    // with something like:
    //
    // $name = $_POST['org_name'] ?? "default org name";
    //
    // I've used the long version here, so you can really see what ?? means. You can also
    // put any value you want in the final string of these expressions, so for example
    //
    // $name = isset($_POST['org_name']) ? $_POST['org_name'] : "unknown";
    //
    // would provide the value "unknown" into the database. You could inline all of these
    // checks into the following call to $wpdb, but that would make for a very hard to read
    // line. Setting local variables to these values makes the code easier to follow.
    $name = isset($_POST['org_name']) ? $_POST['org_name'] : "";
    $short = isset($_POST['shortname']) ? $_POST['shortname'] : "";
    $ind = isset($_POST['industry']) ? $_POST['industry'] : "";
    $desc = isset($_POST['description']) ? $_POST['description'] : "";

    /// 3.ii Execute the query

    // Note: I assume that $org_id is an integer. If it's actually a string, then that
    // line in the query should read
    //
    // where id = %s
    $wpdb->query(
        $wpdb->prepare("
        UPDATE `wp_organization` SET         
            name = %s,
            shortname = %s,
            industry = %s,
            description = %s
            where id = %d 
        ",
            $name, $short, $ind, $desc, $org_id
        )
    );

    // Alternatively to the raw $wpdb->query above, you could use the built in update method
    // of $wpdb, like so
    //
    // $wpdb->update('wp_organization', array(
    //      'name' => $name,
    //      'shortname' => $short,
    //      'industry' => $ind,
    //      'description' => $desc,
    //  ),
    //  array( 'id' => $org_id ),
    //  array('%s', '%s', '%s', '%s'),
    //  array('%d')
    // );
    //
    // This has the advantage that you don't have to write any SQL, but may be harder to understand
    // if you come back to maintain this code far in the future.
}

/// 4. Load the current value of $user_org, this will reflect any database changes made above

$orgs = $wpdb->get_results("SELECT * FROM `wp_organization`");
$user_org = null;

foreach($orgs as $struct) {
    if ($org_id == $struct->id) {
        $user_org = $struct;
        break;
    }
}

/// 5. Render the form
?>
<!-- organization info form -->
<form class="py-4 col-md-6 mx-auto" method="post" action="">
    <h2 class="mb-3 text-center">Organization Information
    <label class="form-label">Name
    <input type="text" required name="org_name" value="<?php echo $user_org->name; ?>" class="form-control mb-3" />
    <label class="form-label">Industry
    <input type="text" name="industry" value="<?php echo $user_org->industry; ?>" class="form-control mb-3" />
    <label class="form-label">Short name (4 characters)
    <input type="text" name="shortname" required maxlength="4" value="<?php echo $user_org->shortname; ?>" class="form-control mb-3" />
    <label class="form-label">Description
    <textarea class="form-control mb-3" name="description" rows="5" cols="50"><?php echo trim(stripslashes($user_org->description)); ?>
    <div class="d-flex justify-content-center">
        <input type="submit" name="update" value='Update' class='btn btn-primary'>
    </div>
</form>

The main issue that's causing old data to appear is that you are querying the database before you update it. The data displayed in the form is queried at the beginning of the page's execution, and later, if there's POST data, the database is updated. As a result, the data used to render the form is the old data, not the recently updated data. So in a very minimal way, you could simply switch the database query with the database update, and your data flow would work as intended.

However, there's several other issues with this code, most notably the SQL attack vulnerability. As a result, I'll address all of these issues in creating a complete and safe answer to this question.

This is WordPress!

Based on the presence of the $wpdb variable, as well as some of the table names, it appears that this is running as part of a WordPress site (or else alongside a WordPress install). As a result, you never need to make a any of the raw mysqli_ calls. Instead, use the the methods documented in the $wpdb class which provide safe access to the database, and also will help ensure that any future changes to the WordPress database system don't break your code.

Result: Remove mysqli_ methods.

Watch out for unnecessary syntax

There's several unnecessary bits of syntax which may have undesirable side effects. For instance, in the middle of the code you have

?>

<?php

What this code snippet actually does is insert a phantom bit of whitespace (in this case one literal newline character or \n) into the output of your page. If, for instance, you tried to set a header after this value you would get a difficult and mysterious error about output already having been sent. A good practice is that all of your business code lives in a single, contiguous block with just a single <?php at the top of your file.

In addition, your block that begins if(isset($_POST['update'])) ends with an extra dangling closing bracket }.

Furthermore, inside your actual update section, the calls to the $_POST superglobal are not actual strings but raw tokens (such as $_POST[shortname]. I suspect you did this in order to take advantage of PHPs string interpolation. While this raw format does work for legacy reasons, it's much clearer and safer when interpolating a string like this to use something like {$_POST['shortname']} inside your string.

Result: Remove and clean up unnecessary syntax.

SQL Injection! Oh My!

The biggest scary bit of this code is wide open SQL injection attack that's enabled by passing un-trusted strings (in the form of the $_POST variables) to SQL. This has been the bane of thousands (if not millions) of websites. Anyone who can access your web page can pass any data they want into the form field, including SQL commands which can delete your database and compromise your server. Using raw SQL like this is wildly dangerous and should never be used. PHP includes a great library PDO for this, and there are many other options. However, as discussed above, since you're using WordPress, you can just use the $wpdb, which also has protections against SQL injection built in and provides further compatibility benefits with the WordPress database.

Result: Don't use raw SQL

Update then Query (but Query first, too)

The core problem that caused you to post the question was data not updating in the web page when a form is submitted until the next load. This is because you currently query the data from the database, then update the database after that. Since you use the result from the early query to display values in the web page, they're naturally not the new values.

I suspect you did this because you need the value of $org_id in order to create and query and as a result all your querying got clumped together. Nonetheless, this primary fetch of the $org_id needs to be in the beginning, but the rest of the query after the update.

Result: Fix query and update ordering.

No data validation

You blindly use the value of $_POST values, but these may not be set. In your example this will probably only lead to empty database values, but in other context this could be catastrophic. As mentioned above, anyone can request your page with any $_POST data they desire. Therefore, it's good practice to ensure that you provide default values in case the data sent to the server is missing some fields.

Result: Validate that all expected data is present.

A version of this code that updates the database before querying, so the data is correct on each page load and update, as well as incorporating the other fixes mentioned, might look something like this:

<?php

/// 1. Get the global WordPress Database Object
global $wpdb;

/// 2. Use WP helper functiosn to query the current user and org IDs
$user_id  = get_current_user_id();
$org_id = get_user_meta($user_id, '_org_id', true);

/// 3. Update the database if necessary
if (isset($_POST['update'])) {
    /// 3.i Prepare the variables

    // Note: In new versions of PHP, each of the isset ? : lines below could be replaced
    // with something like:
    //
    // $name = $_POST['org_name'] ?? "default org name";
    //
    // I've used the long version here, so you can really see what ?? means. You can also
    // put any value you want in the final string of these expressions, so for example
    //
    // $name = isset($_POST['org_name']) ? $_POST['org_name'] : "unknown";
    //
    // would provide the value "unknown" into the database. You could inline all of these
    // checks into the following call to $wpdb, but that would make for a very hard to read
    // line. Setting local variables to these values makes the code easier to follow.
    $name = isset($_POST['org_name']) ? $_POST['org_name'] : "";
    $short = isset($_POST['shortname']) ? $_POST['shortname'] : "";
    $ind = isset($_POST['industry']) ? $_POST['industry'] : "";
    $desc = isset($_POST['description']) ? $_POST['description'] : "";

    /// 3.ii Execute the query

    // Note: I assume that $org_id is an integer. If it's actually a string, then that
    // line in the query should read
    //
    // where id = %s
    $wpdb->query(
        $wpdb->prepare("
        UPDATE `wp_organization` SET         
            name = %s,
            shortname = %s,
            industry = %s,
            description = %s
            where id = %d 
        ",
            $name, $short, $ind, $desc, $org_id
        )
    );

    // Alternatively to the raw $wpdb->query above, you could use the built in update method
    // of $wpdb, like so
    //
    // $wpdb->update('wp_organization', array(
    //      'name' => $name,
    //      'shortname' => $short,
    //      'industry' => $ind,
    //      'description' => $desc,
    //  ),
    //  array( 'id' => $org_id ),
    //  array('%s', '%s', '%s', '%s'),
    //  array('%d')
    // );
    //
    // This has the advantage that you don't have to write any SQL, but may be harder to understand
    // if you come back to maintain this code far in the future.
}

/// 4. Load the current value of $user_org, this will reflect any database changes made above

$orgs = $wpdb->get_results("SELECT * FROM `wp_organization`");
$user_org = null;

foreach($orgs as $struct) {
    if ($org_id == $struct->id) {
        $user_org = $struct;
        break;
    }
}

/// 5. Render the form
?>
<!-- organization info form -->
<form class="py-4 col-md-6 mx-auto" method="post" action="">
    <h2 class="mb-3 text-center">Organization Information
    <label class="form-label">Name
    <input type="text" required name="org_name" value="<?php echo $user_org->name; ?>" class="form-control mb-3" />
    <label class="form-label">Industry
    <input type="text" name="industry" value="<?php echo $user_org->industry; ?>" class="form-control mb-3" />
    <label class="form-label">Short name (4 characters)
    <input type="text" name="shortname" required maxlength="4" value="<?php echo $user_org->shortname; ?>" class="form-control mb-3" />
    <label class="form-label">Description
    <textarea class="form-control mb-3" name="description" rows="5" cols="50"><?php echo trim(stripslashes($user_org->description)); ?>
    <div class="d-flex justify-content-center">
        <input type="submit" name="update" value='Update' class='btn btn-primary'>
    </div>
</form>

回复收藏 0 原文

~没有更多了~