php - 通过 PHP/MySql 更新表数据

Question

我试图创建一个页面来创建或更新数据库表中的数据。

如果我通过输入新数据(在我的例子中是新玩家)来调用链接，则数据会正确插入到表中。相反，如果我去调用已存在数据的链接来更新表，我总是会收到回显“错误更新”，并且第一个 UPDATE if 永远不会执行。

谁能告诉我哪里错了？

<?php
include "coredb.php";

if (isset($_GET["player"]) && isset($_GET["score"]))
{
    //Check id player is already present in leaderboard database
    if ($query = $mysqli->prepare('SELECT Player FROM leaderboard WHERE Player = ?'))
    {
        $query->bind_param("s", $_GET["player"]);
        $query->execute();
        $query->fetch();
        // If player already present in leaderboard (result > 0)
        if ($query->num_rows > 0)
        {
            // Update existing database record
            if ($query = $mysqli->prepare('UPDATE leaderboard SET Score = ? WHERE Player = ?')) {
                $query->bind_param("i", $_GET["score"]);
                $query->execute();
                echo "Existing player record updated!";
            }
            else
            {
                echo "Error Update";
            }   
        }
        else
        {
            // Create new record in database
            if ($query = $mysqli->prepare('INSERT INTO leaderboard (Player, Score) VALUES (?, ?)'))
            {
                $query->bind_param("si", $_GET["player"], $_GET["score"]);
                $query->execute();
                echo "New player record create!";
            }
            else
            {
                echo "Error Create";
            } 
        }
    }
}
else
{
    echo "Error database";
}

// Connection close
$mysqli->close();
?>

Answer 1

请始终使用 PDO 或准备好的 MySQLI 以避免 SQL 注入(inject)。
有人可能会删除您的表或执行其他危险的操作，从而破坏您的数据。

还要确保使用 POST 请求将敏感信息发送到您的服务器。
如果您使用 GET，每个人都将能够看到您正在传输的数据。

引用这个例子:

<?php

$dbhost     = 'localhost';
$dbname     = 'pdo';
$dbusername = 'root';
$dbpassword = '845625';

if (!empty($_POST['submit'])) {

    $conn = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbusername, $dbpassword);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    //Select player
    $stmt = $conn->prepare("SELECT player FROM leaderboard WHERE player = :player");
    $stmt->execute([
        'player' => $_POST['player']
    ]);
    $result = $stmt->fetchColumn();

    if (!$result) {

        //Insert data
        $stmt = $conn->prepare('INSERT INTO `leaderboard` (player, score) VALUES (:player, :score)');

        $stmt->execute([
            'player' => $_POST['player'],
            'score' => $_POST['score']
        ]);

        echo 'New data inserted';

    } else {

        $stmt = $conn->prepare('UPDATE `leaderboard` SET score = :score WHERE player = :player');
        $stmt->execute([
            'score' => $_POST['score'],
            'player' => $_POST['player']
        ]);

        echo 'Existing data updated: ' . $stmt->rowCount() . ' rows.';

    }

}   

?>

<form method="POST" action="">
   <input type="text" name="player">
   <input type="text" name="score">
   <button type="submit" name="submit">
      Submit data
   </button>
</form>