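I have been trying for a while to secure my web page by preventing SQL injection. However, after I submit the form, nothing at all is displayed on the page now. Here is my full code, since I don't know where my error is occurring.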
<?php
require_once 'db_connect.php';
?>
<head>
<title> Data </title>
<link href = "ss2.css" type = "text/css" rel = "stylesheet" >
</head>
<body>
<h1> Research Center </h1>
<a href = "home.php"> Data Home Page </a>
<ol class = 'instructions'>
<li> Step 1: Please select your first year you want to gather data from. </li>
<li> Step 2: Next, select a second year to create a time interval. </li>
<li> Step 3: Then, select the time of year you want to retrieve data from. </li>
<li> Step 4: Finally, specify a specific regional location. </li>
</ol>
<form action="unemployed2.php" method ="post">
<input type="hidden" name="submitted" value="true" />
<fieldset>
<legend>
Specify Date, Month, and County
</legend>
<p class = 'year'>
<label for="year">
Please Select years: From
</label>
<select name= 'year'>
<option value= ''> </option>
<?php
$query = "select distinct year from unemployed";
$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo "<option value='".$row->year."'>".$row->year."</option>";
}
?>
</select>
</p>
<p class = 'year'>
<label for="year">
To
</label>
<select name= 'year2'>
<option value= ''> </option>
<?php
$query = "select distinct year from unemployed";
$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo "<option value='".$row->year."'>".$row->year."</option>";
}
?>
</select>
</p>
<p>
<label for="month">
Please select a month
</label>
<select name= 'month'>
<option value= ''> </option>
<?php
$query = "select distinct month from unemployed";
$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo "<option value='".$row->month."'>".$row->month."</option>";
}
?>
<option value = "All Months"> All Months </option>
</select>
</p>
<p>
<label for="location">
Please specify a location
</label>
<select name='location'>
<option value= ''> </option>
<option value = 'Fayette'> Fayette County (IN) </option>
<option value = 'Henry'> Henry County (IN) </option>
<option value = 'Randolph'> Randolph County (IN) </option>
<option value = 'Rush'> Rush County (IN) </option>
<option value = 'Union'> Union County (IN) </option>
<option value = 'Wayne'> Wayne County (IN) </option>
<option value = 'INCounties'> Local Indiana Counties </option>
<option value = 'Indiana'> Indiana </option>
<option value = 'Butler'> Butler County (OH) </option>
<option value = 'Darke'> Darke County (OH) </option>
<option value = 'Mercer'> Mercer County (OH) </option>
<option value = 'Preble'> Preble County (OH) </option>
<option value = 'OHCounties'> Local Ohio Counties </option>
<option value = 'Ohio'> Ohio </option>
<option value = 'US'> United States </option>
</select>
</p>
<input type ="submit" />
</fieldset>
</form>
<?php
if (isset($_POST['submitted'])) {
$gYear = $_POST["year"];
$gYear2 = $_POST["year2"];
$gMonth = $_POST["month"];
$array = array('loc1' => 'Fayette', 'loc2' => 'Henry', 'loc3' => 'Randolph',
'loc4' => 'Rush', 'loc5' => 'Union', 'loc6' => 'Wayne',
'loc7' => 'INCounties','loc8' => 'Indiana', 'loc9' => 'Butler', 'loc10' => 'Darke',
'loc11' => 'Mercer', 'loc12' => 'Preble', 'loc13' => 'OHCounties',
'loc14' => 'Ohio', 'loc15' => 'US');
if ($gYear > $gYear2) {
die('ERROR: Your second year cant be a time period before the first year you selected');
}
else {
if (array_key_exists($_POST["location"], $array)) {
$column = $_POST["location"];
}
else {
echo "ERROR";
}
$sql = "SELECT `$column`, `Year`, `Month` FROM unemployed WHERE year BETWEEN ? AND ? and month= ?";
$query = $conn->prepare($sql);
$query->bind_param('sss', $gYear, $gYear2, $gMonth);
$query->execute();
$result = $query->get_result();
echo "<table>";
echo "<tr><th>Year</th><th>Month</th><th>$column</th></tr>";
while ($row = $result->fetch_object()){
echo "<tr><td>";
echo $row->$column;
echo "</td><td>";
echo $row->Year;
echo "</td><td>";
echo $row->Month;
echo "</td></tr>";
}
$query->close();
echo "</table>";
}
} // end of main if statement
?>
</body>
If I had to guess, my error lies in these lines of code, because the web page shows an error after I press the submit button:
$array = array('loc1' => 'Fayette', 'loc2' => 'Henry', 'loc3' => 'Randolph',
'loc4' => 'Rush', 'loc5' => 'Union', 'loc6' => 'Wayne',
'loc7' => 'INCounties','loc8' => 'Indiana', 'loc9' => 'Butler', 'loc10' => 'Darke',
'loc11' => 'Mercer', 'loc12' => 'Preble', 'loc13' => 'OHCounties',
'loc14' => 'Ohio', 'loc15' => 'US');
else {
if (array_key_exists($_POST["location"], $array)) {
$column = $_POST["location"];
}
else {
echo "ERROR";
}
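Does anyone know what my error is? Any help would be greatly appreciated.
Answer 0 (score: 0)
Add error_reporting(E_ALL); and ini_set("display_errors", 1); at the top of your code and check the errors.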
Answer 1 (score: 0)
I think one thing that won't work is this line of code in your second code block:
if (array_key_exists($_POST["location"], $array)) {
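This will never return true, because the values of the select input in your HTML code are not the keys of $array, but its values. So $_POST["location"] will always contain a value from $array, not a key. Therefore array_key_exists will always return false in that line of code.
This means the else block will be executed, which causes "ERROR" to be printed.
Did you mean to use in_array($_POST["location"], $array) (PHP Manual) instead?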
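Answer 2 (score: 0)
Your code's ERROR is printed in the else of the following: array_key_exists($_POST["location"], $array). Check the database, make sure there are no null values and that the values are exactly the same as those in the mapping array $array; keys are case-sensitive.
In addition, you don't need the else after the die() statement, because the program has already stopped. You can keep the structure as below.
Also try to format the code properly, or at least stick to a readable structure, for example:
if (...) die();
//rest of code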
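Answer 3 (score: 0)
You are checking the locations array for a matching key, but your location is actually a value. You are also repeating your locations twice. I suggest creating a $locations array at the top of the file, using it to populate the option tags, and then using it for the validation test. This will make your "array_key_exists" test work the way you expect.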
<?php
// top
$locations = array(
'Fayette' => 'Fayette County (IN)',
'Henry' => 'Henry County (IN)',
'Randolph' => 'Randolph County (IN)',
'Rush' => 'Rush County (IN)',
'Union' => 'Union County (IN)',
'Wayne' => 'Wayne County (IN)',
'INCounties' => 'Local Indiana Counties (IN)',
'Indiana' => 'Indiana',
'Butler' => 'Butler County (OH)',
'Darke' => 'Darke County (OH)',
'Mercer' => 'Mercer County (OH)',
'Preble' => 'Preble County (OH)',
'OHCounties' => 'Local Ohio Counties',
'Ohio' => 'Ohio',
'US' => 'United States'
);
?>
<!-- middle -->
<select name='location'>
<option value= ""> </option>
<?php
foreach($locations as $k => $v){
echo "<option value=\"{$k}\">{$v}</option>";
}
?>
</select>
<?php
// bottom
if (array_key_exists($_POST["location"], $locations)){
$column = $_POST["location"];
} else {
echo "ERROR";
}
?>
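One way to combine the allow-list check from the answers with the parameterized query from the question, as an added example that is not code from the question or from any answer: the column name comes only from the allow-list keys, the values are bound as parameters, and an invalid submission stops before any SQL is built. The helper name build_unemployed_query, the shortened LOCATIONS list and the sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not code from the question or the answers.
// Table and column names (unemployed, Year, Month) are taken from the question's query.
const LOCATIONS = [
    'Fayette' => 'Fayette County (IN)',
    'Henry'   => 'Henry County (IN)',
    'Indiana' => 'Indiana',
    'US'      => 'United States',
]; // shortened allow-list; the keys are the column names

/**
 * Validate the posted form and return [sql, params] for prepare()/bind_param().
 * Throws InvalidArgumentException instead of continuing with an undefined column.
 */
function build_unemployed_query(array $post): array
{
    $location = $post['location'] ?? '';
    // Identifiers cannot be bound as parameters, so the column must come from the allow-list.
    if (!is_string($location) || !array_key_exists($location, LOCATIONS)) {
        throw new InvalidArgumentException('Unknown location');
    }
    $from = filter_var($post['year'] ?? null, FILTER_VALIDATE_INT);
    $to   = filter_var($post['year2'] ?? null, FILTER_VALIDATE_INT);
    if ($from === false || $to === false || $from > $to) {
        throw new InvalidArgumentException('Invalid year range');
    }
    $month = (string)($post['month'] ?? '');
    // $location is now one of our own array keys, never raw user input.
    $sql = "SELECT `$location`, `Year`, `Month` FROM unemployed "
         . "WHERE `Year` BETWEEN ? AND ? AND `Month` = ?";
    return [$sql, [$from, $to, $month]];
}

// Constructed sample submissions: one valid, one with a tampered location value.
$samples = [
    ['location' => 'Henry', 'year' => '2010', 'year2' => '2012', 'month' => 'May'],
    ['location' => 'not_a_column`', 'year' => '2010', 'year2' => '2012', 'month' => 'May'],
];
foreach ($samples as $post) {
    try {
        [$sql, $params] = build_unemployed_query($post);
        echo $sql, ' | ', implode(', ', $params), PHP_EOL;
        // With a live mysqli connection: $stmt = $conn->prepare($sql);
        // $stmt->bind_param('iis', ...$params); $stmt->execute();
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```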