Inserting data into the database is not working

Time: 2012-04-09 15:21:01

Tags: php mysql

I'm a bit stuck. I can update the database manually, but through PHP it isn't working properly.

Database fields:

Column     Type          Collation          Attributes   Null  Default  Extra
id         int(10)                          UNSIGNED     No             auto_increment    
addedby    varchar(100)  latin1_swedish_ci               No            
location   text          latin1_swedish_ci               No            
details    text          latin1_swedish_ci               No            
deadline   text          latin1_swedish_ci               No            
datefixed  int(200)                                      No    0        
completed  int(11)                                       No    0

Add_jobs.php:

<?php

$pagetitle = "Add Job";

$checkrank = 3;

include ($_SERVER['DOCUMENT_ROOT'].'/header.inc.php');


$helpfaerie = mysql_fetch_array(mysql_query("SELECT * FROM helpfaerie WHERE page = 'reportbug'"));
$helpfaerie2 = mysql_fetch_array(mysql_query("SELECT * FROM members WHERE username = '$username'"));

if ($helpfaerie2[helpfaerie] == 1)
{
echo "<div id=\"helpfaerie\" style=\"overflow: auto; position:fixed; bottom:0; right:0; \"><table width=\"200\" border=\"0\" cellspacing=\"0\" cellpadding=\"4\" style=\"border-top: 1pt solid black;border-bottom: 1pt solid black;border-left: 1pt solid black;border-right: 1pt solid black; background-color:#ffffff;\">
  <tr>
    <td><center><img src=\"http://images.neopets.com/items/toy_faerie_psellia.gif\" border=\"0\"></center></td>
  </tr>
  <tr>
    <td><p>$helpfaerie[text]</p></td>
  </tr>
  <tr>
    <td style=\"text-align: right;\">[<a href=\"$baseurl/closehelp.pro.php\">x</a>]</td>
  </tr>
</table></div>";
}





ECHO <<<END






<center>
<FORM ACTION="add_jobs.pro.php" enctype="multipart/form-data" METHOD=POST>
<table width="366" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td colspan="2"><center>Add Job<p></center></td>
  </tr>
  <tr>
    <td width="118">Job Location (If any):</td>
    <td width="249"><textarea name="page"  cols="20" rows="1" value="" ></textarea></td>
  </tr>
  <tr>
    <td width="118">Details::</td>
    <td width="249"><textarea  name="wrong" cols="20" rows="10" value=""  ></textarea></td>
  </tr>

  <tr>
    <td width="118">Deadline::</td>
    <td width="249"><textarea name="line" cols="20" rows="1" value=""></textarea></td>
  </tr>
    <tr>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
  </tr>
  <tr>
    <td colspan="2"><center><font size="-1"><i>
      <input type=submit name=Submit value="Add Jobs">
    </i></font></center></td>
  </tr>
</table></FORM>
<p>&nbsp;</p></center>









END;




include ($_SERVER['DOCUMENT_ROOT'].'/footer.inc.php');


?>

Note: dblink (the link to my database, which works fine); Addon is basically used for smilies and syntax.

Basically this is a jobs page where we post the jobs that need doing around the site.

add_jobs.pro.php:

<?php

$pagetitle = "Add Jobs";

$checkrank = 3;

include ($_SERVER['DOCUMENT_ROOT'].'/addon.php');

include ($_SERVER['DOCUMENT_ROOT'].'/dblink.php');

include ($_SERVER['DOCUMENT_ROOT'].'/security/stripusers.php');




$page = $_POST['page'];
$wrong = $_POST['wrong'];
$line = $_POST['line'];



$page = mysql_real_escape_string($page);
$page = stripslashes($page);
$page = stripusers($page);


$wrong = mysql_real_escape_string($wrong);
$wrong = stripslashes($wrong);
$wrong = stripusers($wrong);

$line = mysql_real_escape_string($line);
$line = stripslashes($line);
$line = stripusers($line);

if ((!$page) OR (!$wrong)  OR (!$line)) 

{

               die(header("Location: $baseurl/add_jobs.php?error=Please+do+not+leave+any+info+blank."));

}





else

{

        mysql_query("INSERT INTO assignments (addedby,location,details,deadline,datefixed) VALUES ('$username','$page','$wrong','$line','$timestamp','0')");

        header("Location: add_jobs.php?error=Thank+you.+Your+Job+has+been+submitted.");

}



?>

I've just run into another problem.

Once jobs are submitted, they get listed here:

<?php



$pagetitle = "Active Jobs";

$checkrank = 0;


include ($_SERVER['DOCUMENT_ROOT'].'/header.inc.php');


$view=$_GET['view'];

$num = mysql_num_rows(mysql_query("SELECT * FROM `assignments` WHERE 1"));



if ($num <= 0)
{
    echo "


<p><center>

There are no active jobs :D";
}



$sort = mysql_query("SELECT * FROM `assignments` WHERE 1");
while($sort2 = mysql_fetch_array($sort))


{





 if($sort2[id])


{

$tym = date("H:i",$sort2[date]);
$wcd = date("M j Y",$sort2[date]);  

echo("
<center>
<table width=\"607\" border=\"0\" cellspacing=\"0\" cellpadding=\"4\" style=\"border-top: 1pt solid black;border-bottom: 1pt solid black;border-left: 1pt solid black;border-right: 1pt solid black; \">
  <tr>
    <td width=\"139\" valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#5eaed4;\">Submitted By:</td>
    <td width=\"450\" valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[addedby]</td>
  </tr>
  <tr>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Date Submitted:</td>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\"> $wcd @ $tym NST</td>
  </tr>
  <tr>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#5eaed4;\">Job Location:</td>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[location] [<a href=\"$sort2[location]\">View</a>]</td>
  </tr>
  <tr>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Job Description:</td>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[details]</td>
  </tr>
  <tr>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Deadline:</td>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[deadline]</td>
  </tr>
  <tr>
    <td valign=\"top\" style=\"border-right: 1pt solid black; background-color:#5eaed4;\">completed?:</td>
    <td valign=\"top\" style=\"background-color:#f4f4f4;\">Click When Completed [<a href=\"$baseurl/staff/submitted/completed_job.pro.php?id=$sort2[id]\">x</a>]</td>
  </tr>
</table>
<p>&nbsp;</p></center>



"); }







}




echo "<p></center>\n";

echo "</center>\n";


include ($_SERVER['DOCUMENT_ROOT'].'/footer.inc.php');


?>

Then you click an X, which is supposed to mark them as completed and remove them from the page, but it doesn't; they just stay listed. They do, however, get registered as fixed and show up on the completed jobs page.

completed_jobs.php

    <?php



    $pagetitle = "Active Jobs";

    $checkrank = 0;


    include ($_SERVER['DOCUMENT_ROOT'].'/header.inc.php');


    $view=$_GET['view'];

    $num = mysql_num_rows(mysql_query("SELECT id FROM assignments WHERE completed =1"));


    if ($num <= 0)
    {
        echo "


    <p><center>

    There are no complete Jobs at this time.";
    }




    $sort = mysql_query("SELECT * FROM assignments WHERE completed =1");
    while($sort2 = mysql_fetch_array($sort))


    {





     if($sort2[id])


    {

    $tym = date("H:i",$sort2[date]);
    $wcd = date("M j Y",$sort2[date]);  

    $ftym = date("H:i",$sort2[datefixed]);
    $fwcd = date("M j Y",$sort2[datefixed]);  

    echo("
    <center>
    <table width=\"607\" border=\"0\" cellspacing=\"0\" cellpadding=\"4\" style=\"border-top: 1pt solid black;border-bottom: 1pt solid black;border-left: 1pt solid black;border-right: 1pt solid black; \">
      <tr>
        <td width=\"139\" valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#5eaed4;\">Submitted By:</td>
        <td width=\"450\" valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[addedby]</td>
      </tr>
      <tr>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Date Submitted:</td>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\"> $wcd @ $tym NST</td>
      </tr>
      <tr>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#5eaed4;\">Job Location:</td>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[location] [<a href=\"$sort2[location]\">View</a>]</td>
      </tr>
      <tr>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Job Description:</td>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[details]</td>
      </tr>
      <tr>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Deadline:</td>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[deadline]</td>
      </tr>
      <tr>
        <td valign=\"top\" style=\"border-right: 1pt solid black; background-color:#5eaed4;\">Completed On:</td>
        <td valign=\"top\" style=\"background-color:#f4f4f4;\">$fwcd @ $ftym NST</td>
      </tr>
    </table>
    <p>&nbsp;</p></center>



    "); }







    }




    echo "<p></center>\n";

    echo "</center>\n";


    include ($_SERVER['DOCUMENT_ROOT'].'/footer.inc.php');


    ?>

and then completed_job.pro.php


<?php


$pagetitle = "Completed Jobs";

$checkrank = 30;
include ($_SERVER['DOCUMENT_ROOT'].'/addon.php');

include ($_SERVER['DOCUMENT_ROOT'].'/dblink.php');


$id=$_GET['id'];





mysql_query("UPDATE assignments SET completed = '1' WHERE id = '$id'");
mysql_query("UPDATE assignments SET datefixed = '$timestamp' WHERE id = '$id'");



        header("Location: completed_jobs.php?error=Job+has+been+updated+to+complete+:)");



?>

3 Answers:

Answer 0 (score: 3)

Don't call stripslashes() after calling mysql_real_escape_string(). In fact, don't call stripslashes() at all unless magic_quotes_gpc() is enabled (not recommended). By calling it after mysql_real_escape_string(), you undo the escaping that function provides.

You specified 5 columns in your insert column list but supplied 6 in the VALUES() list. From your table structure, I guess you meant to include completed as well.

mysql_query("INSERT INTO assignments (addedby,location,details,deadline,datefixed) VALUES ('$username','$page','$wrong','$line','$timestamp','0')");
//-------------------------------------------------------------------------------------------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

We're assuming the variables $username and $timestamp are defined in one of the included files and have been properly escaped.

Some error checking would show you the source of the query error:

Answer 1 (score: 2)

Are you getting an error? If so, what is it?

At first glance, your insert query seems to have more values than columns:

INSERT INTO assignments 
  (addedby,location,details,deadline,datefixed) 
  VALUES 
  ('$username','$page','$wrong','$line','$timestamp','0')

This would definitely throw an error.

By the way, the mysql_ family of functions is deprecated. You should at least be using mysqli, if not PDO.

Answer 2 (score: 1)

You have some syntax errors/gotchas:

$helpfaerie = mysql_fetch_array(mysql_query("SELECT * FROM helpfaerie WHERE page =  'reportbug'"));

You assume the query worked. This is bad practice. Even if the SQL statement itself is syntactically perfect, it can still fail for any number of other reasons. You should always check that a query succeeded before doing anything with its result, e.g.

$result = mysql_query(...);
if ($result === FALSE) {
    die(mysql_error());
}

should be everywhere while developing/testing.

if ($helpfaerie2[helpfaerie] == 1)
                 ^--       ^--

You forgot to quote the array key here. In this particular snippet, the unquoted helpfaerie will be parsed as a defined() constant. However, it's probably not defined, so PHP will "politely" auto-convert it to a string and issue a warning.

And then immediately you

{
echo "<div id=\"helpfaerie\" 

and output a big chunk of multi-line HTML. Later on you use a HEREDOC. Why not use one here as well? It would save you having to escape all the " characters in the echo statement.

$page = mysql_real_escape_string($page);
$page = stripslashes($page);
$page = stripusers($page);

This makes no sense. You correctly escape $page, but then you stripslashes it, which basically undoes the mysql_real_escape_string() call. Though not entirely accurate, you can think of m_r_e_s() as a fancy version of addslashes(), so you're basically escaping, then unescaping, leaving you open to SQL injection.

I don't know what stripusers() does, but in any case the order of operations should be

$page = stripusers($page);
$page = mysql_real_escape_string($page);

m_r_e_s() should always be the LAST operation performed on a piece of data before it's used in a query string. If you do anything to the escaped string after the escaping is done, you risk undoing the escaping and/or opening up another route for an injection attack.
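Putting the three answers together (check every query result, match the column count to the VALUES list, and move off the mysql_ functions), here is how the insert in add_jobs.pro.php could be written with mysqli prepared statements. This is an added example, not code from the question or from any of the answers; the connection details are placeholders, and stripusers(), $username and $timestamp are assumed to come from the site's own include files as they do in the question.

```php
<?php
// Added example, not from the question or answers. Connection values are
// placeholders; stripusers(), $username and $timestamp are assumed to be
// provided by the site's include files (addon.php, dblink.php, stripusers.php).

// Throw on any mysqli error instead of silently returning false: this is the
// "always check that the query succeeded" point from answers 0 and 2.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
$db->set_charset('latin1'); // match the table's latin1_swedish_ci collation

function add_job(mysqli $db, string $username, string $page, string $wrong,
                 string $line, int $timestamp): int
{
    // Site-specific filtering runs first. No escaping step is needed at all:
    // the values are bound as parameters, never interpolated into the SQL text,
    // so there is no escaping for a later stripslashes() to undo.
    $page  = stripusers($page);
    $wrong = stripusers($wrong);
    $line  = stripusers($line);

    if ($page === '' || $wrong === '' || $line === '') {
        throw new InvalidArgumentException('Please do not leave any info blank.');
    }

    // Six columns and six values: the 5-column / 6-value mismatch from the
    // original query cannot slip through here, prepare() would fail loudly.
    $stmt = $db->prepare(
        'INSERT INTO assignments (addedby, location, details, deadline, datefixed, completed)
         VALUES (?, ?, ?, ?, ?, 0)'
    );
    $stmt->bind_param('ssssi', $username, $page, $wrong, $line, $timestamp);
    $stmt->execute();
    return $stmt->insert_id; // the new assignments.id
}

try {
    add_job($db, $username, $_POST['page'] ?? '', $_POST['wrong'] ?? '',
            $_POST['line'] ?? '', (int) $timestamp);
    header('Location: add_jobs.php?error=' . rawurlencode('Thank you. Your Job has been submitted.'));
} catch (InvalidArgumentException $e) {
    header('Location: add_jobs.php?error=' . rawurlencode($e->getMessage()));
} catch (mysqli_sql_exception $e) {
    error_log('add_jobs insert failed: ' . $e->getMessage()); // log it, do not echo SQL errors to users
    header('Location: add_jobs.php?error=' . rawurlencode('Could not save the job.'));
}
exit;
```

The same pattern applies to completed_job.pro.php, where $_GET['id'] is currently pasted straight into two UPDATE statements: bind it as an integer parameter and check the result instead.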