字符串%0D%0A导致SQL中的比较问题?

时间:2012-08-22 12:15:40

标签: php sql

我有一个下拉框,其中包含名称列表和搜索字段。

下拉列表中填充了数据库中的名称列表,搜索字段允许您执行外卡搜索。

目前,外卡搜索按预期工作,但从下拉列表中选择名称不起作用。

我相信这可能是因为某些不需要的字符,因为我在浏览器的地址栏中看到下面的内容,从下拉列表中选择了一个名称,然后点击了搜索按钮:

http://localhost:81/connect/players/?name=%0D%0A3&text=&action=search

我认为上面的文字(%0D%0A)导致了问题,因为我的代码如下所示:

if (isset($_GET['action']) and $_GET['action'] == 'search')
{
include $_SERVER['DOCUMENT_ROOT'] . '/includes/db.inc.php';

    $id = $_GET['name'];  // name slightly confusing but does return the id
    $text = $_GET['text'];

try
{

$sql = "SELECT id, name, age FROM player
    WHERE player.id = '$id'
    OR player.name LIKE '%$text%'
    GROUP BY player.id";

$s = $pdo->query($sql);

}
catch (PDOException $e)
{
    $error = 'Error fetching names.' . $e->getMessage();;
    include 'error.html.php';
    exit();
}
// This is responsible for populating the new player info underneath all
foreach ($s as $row)
{
    $names[] = array('id' => $row['id'], 'name' => $row['name'], 'age' => $row['age']);
}
include 'searchprofiles.html.php';
exit();

}

我相信这会阻止它将数据库中的id与存储在变量$ id中的id进行比较。

然而,我只是手动从地址栏中删除了%0D%0A,它仍然无效,所以可能还有其他问题?

还应注意,如果没有从下拉列表中选择任何值,并且未输入外卡,则返回所有行。

HTML如下:

SEARCHPROFILES.HTML.PHP

<?php include_once $_SERVER['DOCUMENT_ROOT'] . '/includes/helpers.inc.php'; ?>

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Manage Jokes: Search Results</title>
</head>

<body>

<h1>Search Results</h1>

<?php if (isset($names)): ?>

<table>
<tr><th>Name</th><th>Options</th></tr>
<?php foreach ($names as $name): ?>
<tr>
<td><?php htmlout($name['name']); ?></td>
<td><?php htmlout($name['age']); ?></td>
<td>
<form action="?" method="post">
<div>
<input type="" name="id" value="<?php
htmlout($name['id']); ?>">
<input type="submit" name="action" value="Edit">
<input type="submit" name="action" value="Delete">
</div>
</form>

</td>
</tr>
<?php endforeach; ?>
</table>
<?php endif; ?>
<p><a href="?">New search</a></p>
<p><a href="..">Return to JMS home</a></p>
</body>
</html>

以下是有关增加值的表单的HTML。

<?php include_once $_SERVER['DOCUMENT_ROOT'] . '/includes/helpers.inc.php'; ?>

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Manage Profiles</title>
</head>

<body>

<h1>Manage Profile</h1>

<p><a href="?add">Add new profile</a></p>

<form action="" method="get">

<p>View player profiles satisfying the following criteria:</p>

<div>

<label for="name">By name:</label>

<select name="name" id="name">

<option value="">Any name</option>

<!-- populates the drop down with names -->
<?php foreach ($names as $name): ?>
<option value="
<?php htmlout($name['id']); ?>">
<?php htmlout($name['name']); ?>
</option>
<?php endforeach; ?>

</select>

</div>

<div>
<label for="text">Containing text:</label>
<input type="text" name="text" id="text">
</div>

<div>
<input type="hidden" name="action" value="search">
<input type="submit" value="Search">
</div>

</form>

</body>
</html>

非常感谢任何帮助。

由于

1 个答案:

答案 0 :(得分:0)

原因是您在表单控件中的换行符:

更改

<option value="
<?php htmlout($name['id']); ?>">
<?php htmlout($name['name']); ?>
</option>

<option value="<?php htmlout($name['id']); ?>">
    <?php htmlout($name['name']); ?>
</option>