I am new to PHP and I am trying to add a series of variables to an HTML hyperlink. However, any variable that comes back containing a space messes up the hyperlink.
<html>
<head>
<title>Grants Test</title>
</head>
<body>
<?php
// Connect to Database
mysql_connect("XXXXXXXX", "XXXXXXX", "XXXXXXXXXX") or die(mysql_error());
mysql_select_db("XXXXXXXXX") or die(mysql_error());
$mode = $_GET['mode'];
$Name = $_GET['Name'];
$DOP = $_GET['DOP'];
$SRN = $_GET['SRN'];
$SUP = $_GET['SUP'];
$COG = $_GET['COG'];
$CUST = $_GET['CUST'];
$Comments = $_GET['Comments'];
$Upload_T = $_GET['Upload_T'];
$Edit_T = $_GET['Edit_T'];
$PONumber = $_GET['PONumber'];
$self = $_SERVER['PHP_SELF'];
//Edit Mode
if ( $mode=="edit")
{
Print '<h2>Edit</h2>
<p>
<form action=';
echo $self;
Print '
method=GET>
<table>
<tr><td>PONumber:</td><td><input type="text" disabled="disabled" value="';
Print $PONumber;
print '" name="PONumber" /></td></tr>
<tr><td>Name:</td><td><input type="text" value="';
Print $Name;
print '" name="Name" /></td></tr>
<tr><td>Date of Purchase:</td><td><input type="text" value="';
Print $DOP;
print '" name="DOP" /></td></tr>
<tr><td>Service Report:</td><td><input type="text" value="';
Print $SRN;
print '" name="SRN" /></td></tr>
<tr><td>Supplier:</td><td><input type="text" value="';
Print $SUP;
print '" name="SUP" /></td></tr>
<tr><td>Cost ex.VAT:</td><td><input type="text" value="';
Print $COG;
print '" name="COG" /></td></tr>
<tr><td>Customer:</td><td><input type="text" value="';
Print $CUST;
print '" name="CUST" /></td></tr>
<tr><td>Comments:</td><td><input type="text" value="';
Print $Comments;
print '" name="Comments" /></td></tr>
<tr><td colspan="2" align="center"><input type="submit" /></td></tr>
<input type=hidden name=mode value=edited>
<input type=hidden name=PONumber value=';
Print $PONumber;
print '>
</table>
</form> <p>';
}
if ( $mode=="edited")
{
mysql_query ("UPDATE purchase SET Name = '$Name', DOP = '$DOP', SRN = '$SRN', SUP = '$SUP', COG = '$COG', CUST = '$CUST', Comments = '$Comments', Upload_T = '$Upload_T', Edit_T = NOW() WHERE PONumber = $PONumber");
Print "Data Updated!<p>";
}
//Delete Mode
if ( $mode=="remove")
{
mysql_query ("DELETE FROM purchase where PONumber=$PONumber");
Print "Entry has been removed <p>";
}
//Show Table
$data = mysql_query("SELECT * FROM purchase ORDER BY PONumber ASC")
or die(mysql_error());
Print "<h2>Purchase Orders</h2><p>";
Print "<table border cellpadding=3>";
Print "<tr><th width=100>PONumber</th><th width=100>Name</th><th width=100>Date of Purchase</th><th width=100>Service Report</th><th width=100>Supplier</th><th width=100>Cost ex.VAT</th><th width=100>Customer</th><th width=100>Comments</th><th width=100>Time Requested</th><th width=100>Last Edited</th></tr>";
while($info = mysql_fetch_array( $data ))
{
Print "<tr><td>".$info['PONumber'] . "</td> ";
Print "<td>".$info['Name'] . "</td> ";
Print "<td>".$info['DOP'] . "</td> ";
Print "<td>".$info['SRN'] . "</td> ";
Print "<td>".$info['SUP'] . "</td> ";
Print "<td>".$info['COG'] . "</td> ";
Print "<td>".$info['CUST'] . "</td> ";
Print "<td>".$info['Comments'] . "</td> ";
Print "<td>".$info['Upload_T'] . "</td> ";
Print "<td>".$info['Edit_T'] . "</td> ";
Print "<td><a href=" .$_SERVER['PHP_SELF']. "?PONumber=" . $info['PONumber'] ."&DOP=" . $info['DOP'] . "&Name=" . $info['Name'] . "&mode=edit>Edit</a></td>";
Print "<td><a href=" .$_SERVER['PHP_SELF']. "?PONumber=" . $info['PONumber'] ."&mode=remove>Remove</a></td></tr>";
}
Print "</table>";
This is the line I am having problems with: the data is pulled from the database, but any value containing a space gets cut short.
Print "<td><a href=" .$_SERVER['PHP_SELF']. "?PONumber=" . $info['PONumber'] ."&DOP=" . $info['DOP'] . "&Name=" . $info['Name'] . "&mode=edit>Edit</a></td>";
Print "<td><a href=" .$_SERVER['PHP_SELF']. "?PONumber=" . $info['PONumber'] ."&mode=remove>Remove</a></td></tr>";
See the output:
<a href="/beta/testscript.php?PONumber=3697&DOP=2014-11-23&Name=Joe" bloggs&mode="edit">Edit</a>
How do I stop this from happening?
Thanks, Grant
Answer 0 (score: 2)
You need to encode the URL parameters with urlencode.
Also, don't use the mysql_ functions: they are error-prone, lead to security vulnerabilities, and will be removed from PHP later. Learn PDO instead.
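As an added illustration of the PDO advice (this is not the answerer's own code), here are the UPDATE and DELETE from the question rewritten with prepared statements, so the request values travel as bound parameters instead of being spliced into the SQL text. The DSN and credentials are placeholders; the table and column names are the ones from the question; the column whitelist and the integer check on PONumber are my additions.

```php
<?php
// Added example, not from the question or the answers. Assumes the `purchase`
// table and columns from the question; connection details are placeholders.

function connect(): PDO
{
    $dsn = 'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Columns a request is allowed to change. Anything else in $_GET is ignored,
// so the SQL text is built only from names in this list, never from input.
const EDITABLE = ['Name', 'DOP', 'SRN', 'SUP', 'COG', 'CUST', 'Comments', 'Upload_T'];

function updatePurchase(PDO $pdo, int $poNumber, array $input): int
{
    $sets   = [];
    $params = [':PONumber' => $poNumber];
    foreach (EDITABLE as $col) {
        if (array_key_exists($col, $input)) {
            $sets[]            = "$col = :$col";   // $col comes from EDITABLE, not from the request
            $params[":$col"]   = $input[$col];     // the value is bound, never concatenated
        }
    }
    if ($sets === []) {
        return 0;
    }
    $sql  = 'UPDATE purchase SET ' . implode(', ', $sets)
          . ', Edit_T = NOW() WHERE PONumber = :PONumber';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

function removePurchase(PDO $pdo, int $poNumber): int
{
    $stmt = $pdo->prepare('DELETE FROM purchase WHERE PONumber = :PONumber');
    $stmt->execute([':PONumber' => $poNumber]);
    return $stmt->rowCount();
}

// Dispatch on mode, as the question's script does. PONumber is validated as
// an integer first, so a non-numeric value never reaches the database.
$mode     = $_GET['mode'] ?? '';
$poNumber = filter_var($_GET['PONumber'] ?? '', FILTER_VALIDATE_INT);

if ($poNumber !== false) {
    $pdo = connect();
    if ($mode === 'edited') {
        $n = updatePurchase($pdo, $poNumber, $_GET);
        echo '<p>Rows updated: ' . $n . '</p>';
    } elseif ($mode === 'remove') {
        $n = removePurchase($pdo, $poNumber);
        echo '<p>Rows removed: ' . $n . '</p>';
    }
}
```

With prepared statements a Name such as O'Brien is stored as typed and cannot change the meaning of the query. One further point a reviewer would raise about the question's script: it performs the update and the delete from plain GET links, and state-changing requests are normally sent with a POST form so that a crawler or a stray link cannot trigger them.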
Answer 1 (score: 0)
This is the classic text-inside-text problem. To handle this:
You are actually generating both, so you need to escape twice.
Don't forget to encode only the specific bits that are supposed to be free text.
To use the rawurlencode() function, you simply feed it each input parameter and concatenate its output to the URL:
$url = $_SERVER['PHP_SELF']. "?PONumber=" . rawurlencode($info['PONumber']) ."&DOP=" . rawurlencode($info['DOP']) . "&Name=" . .....;
Once you have the URL, just inject it into the HTML:
Print "<td><a href=\"" . htmlspecialchars($url) . "\">Remove</a></td></tr>";
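To show the two escaping layers end to end, here is an added example (not the answerer's code) that builds the Edit and Remove links from the question. The row is a constructed sample chosen to contain a space, an ampersand, quotes and angle brackets; the path /beta/testscript.php is taken from the output shown in the question, and the helper names buildUrl, anchor, editLink and removeLink are mine.

```php
<?php
// Added example, not from the question or the answers. Two layers of escaping:
// percent-encoding for the URL, then htmlspecialchars for the HTML attribute.

/**
 * Build a query string with every key and value percent-encoded.
 * PHP_QUERY_RFC3986 makes http_build_query() use rawurlencode(), so a space
 * becomes %20 rather than '+', which is correct in any part of a URL.
 */
function buildUrl(string $path, array $params): string
{
    return $path . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

/**
 * Wrap an already-built URL in an anchor. This is the second layer: '&'
 * becomes '&amp;' and a '"' in the URL can no longer close the attribute.
 * Escaping the whole URL also covers $_SERVER['PHP_SELF'], which reflects
 * part of the request path and should never be echoed raw.
 */
function anchor(string $url, string $label): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

function editLink(string $self, array $row): string
{
    $url = buildUrl($self, [
        'PONumber' => $row['PONumber'],
        'DOP'      => $row['DOP'],
        'Name'     => $row['Name'],
        'mode'     => 'edit',
    ]);
    return anchor($url, 'Edit');
}

function removeLink(string $self, array $row): string
{
    $url = buildUrl($self, ['PONumber' => $row['PONumber'], 'mode' => 'remove']);
    return anchor($url, 'Remove');
}

// Constructed sample row (not real data): the Name has a space, an
// ampersand, double quotes and angle brackets, so both layers are exercised.
$row  = ['PONumber' => '3697', 'DOP' => '2014-11-23', 'Name' => 'Joe bloggs & "Co" <Ltd>'];
$self = '/beta/testscript.php'; // path from the output shown in the question

echo '<td>' . editLink($self, $row) . '</td>', "\n";
echo '<td>' . removeLink($self, $row) . '</td>', "\n";
```

In the generated Edit link the space in the name comes out as %20, the ampersand inside the name as %26 and the quotes and brackets as %22, %3C and %3E, so the value stays inside its own parameter; the separators between parameters are then rendered as &amp; by the HTML layer, and the href is quoted, so the browser reconstructs exactly the URL that buildUrl() produced.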