我的MSSQL表products有一个先进而简单的PHP搜索引擎。搜索引擎有三个文本输入。第一个输入用于表的make列,第二个输入用于表的product_name列,最后一个输入用于表中的material列。根据我的看法,我的问题是当我将两个输入留空并输入valve时,查询应该回显SELECT * FROM products WHERE 1=1 AND product_name = 'valve'。相反,查询回显SELECT * FROM products WHERE 1=1。我不知道为什么会这样,我想我可以用另一双眼睛来解决这个问题。
以下是完整的PHP代码:
<form action="<?php $_PHP_SELF ?>" method="post">
<input type="text" name="make">
<input type="text" name="parttype">
<input type="text" name="material">
<input type="submit" name="submit">
</form>
<?php
$conn = mssql_connect('gdm','ger','Rr1!');
mssql_select_db('Ggler',$conn);
if (isset($_POST['submit'])) {
$cheack = "";
if(isset($_GET["make"])&&$_GET["make"] != ""){
$make = $_POST['make'];
$cheack.=" AND make = '$make' ";
}
if(isset($_GET["parttype"])&&$_GET["parttype"] != ""){
$parttype = $_POST['parttype'];
$cheack.=" AND product_name = '$parttype' ";
}
if(isset($_GET["material"])&&$_GET["material"] != ""){
$material = $_POST['material'];
$cheack.=" AND material = '$material' ";
}
$DB = "SELECT * FROM products WHERE 1=1 ".$cheack;
$runquery = mssql_query($DB, $conn);
$dad = mssql_fetch_assoc($runquery);
echo "".$DB."";
}else {
echo "No search made"; }
?>
感谢您的帮助。非常感谢所有帮助。
答案 0 :(得分:3)
发现问题:
<form action="<?php $_PHP_SELF ?>" method="post">
^^^^^
if(isset($_GET["make"])&&$_GET["make"] != ""){
^^^^ ^^^^
同样,您很容易受到SQL injection attacks的攻击。</ p>