Cleaning a POST string does not work

Time: 2013-11-25 21:10:31

Tags: php html mysql css

I am trying to clean POST values to avoid SQL injection. I am using the same function that I use throughout the whole project, and it has worked fine every time, but on this particular file it does not work properly. I have done some debugging and found that the form is submitting the values correctly, because I can get $_POST['tag'] to return the POST value correctly, but when I clean the string it becomes blank. Currently the tag value being tested is 6004, because it is the only tag in the database.

<?php
    if($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST['submit']))
    {
        // Function to sanitize values received from the form. Prevents SQL injection.
        // NOTE: mysql_real_escape_string() requires an open MySQL connection; with no
        // connection it returns false, which echoes as '' (an empty string).
        // Assumption, not part of the original snippet: a mysql_connect() call must
        // have been made before clean() is used. The mysql_* extension was removed in
        // PHP 7 and get_magic_quotes_gpc() in PHP 8; this is PHP 5-era code.
        function clean($str) {
            $str = trim($str);
            if(get_magic_quotes_gpc()) {
                $str = stripslashes($str);
            }
            return mysql_real_escape_string($str);
        }

        //Sanitize the POST values
        $tag = clean($_POST['tag']);
        $rev = clean($_POST['rev']);
        $date = clean($_POST['date']);
        $description = clean($_POST['description']);
        $subCategory = clean($_POST['subCategory']);
        $hvl = clean($_POST['HVL']);
        $hvlcc = clean($_POST['HVLCC']);
        $metalClad = clean($_POST['metalClad']);
        $mvmcc = clean($_POST['MVMCC']);
        $specialItems = clean($_POST['specialItems']);
        $notes = clean($_POST['notes']);
        $installCost = clean($_POST['installCost']);
        $priceNote = clean($_POST['priceNote']);
        $createdBy = clean($_POST['createdBy']);

        //Collect one condition per non-empty field, then join them with ' AND '.
        //(The original appended "AND" with no space before the next column name
        //and its trailing-AND removal called substr() without using the result.)
        $conditions = array();
        if(!empty($tag))
            $conditions[] = "Tag_num = '$tag'";
        if(!empty($rev))
            $conditions[] = "Rev_num = '$rev'";
        if(!empty($date))
            $conditions[] = "Tag_date = '$date'";
        if(!empty($description))
            $conditions[] = "Descrip = '$description'";
        if(!empty($subCategory))
            $conditions[] = "Sub_cat = '$subCategory'";
        if(!empty($notes))
            $conditions[] = "Tag_notes = '$notes'";
        if(!empty($installCost))
            $conditions[] = "Install_cost = '$installCost'";
        if(!empty($priceNote))
            $conditions[] = "Price_notes = '$priceNote'";
        if(!empty($createdBy))
            $conditions[] = "Created_by = '$createdBy'";

        //create query for the main information; omit WHERE entirely when no field was filled in
        $query = "SELECT Tag_num, Rev_num FROM TAG";
        if(!empty($conditions))
            $query .= " WHERE " . implode(" AND ", $conditions);
    }
?>

<html>
<head>
    <link href="styles/stylesheet.css" rel="stylesheet" type="text/css">

</head>
<body>
    <form name="addform" action="tagSearch.php" method="post">
        <table>
            <tr>
                <td>TAG</td>
                <td>Rev#</td>
                <td>DATE</td>
                <td>DESCRIPTION</td>
                <td>Sub Category</td>
                <td>HVL</td>
                <td>HVL/CC</td>
                <td>Metal Clad</td>
                <td>MVMCC</td>
                <td>Special Items</td>
                <td>Notes</td>
                <td>Install Cost</td>
                <td>Price Note</td>
                <td>Created By</td>
            </tr>
            <tr>
                <td><input type="text" name="tag" value="" style="width:75px"></td>
                <td><input type="text" name="rev" value="" style="width:50px"></td>
                <td><input type="text" name="date" value="" style="width:75px"></td>
                <td><input type="text" name="description" value=""></td>
                <td><input type="text" name="subCategory" value=""></td>
                <td><input type="text" name="HVL" value="" style="width:40px"></td>
                <td><input type="text" name="HVLCC" value="" style="width:40px"></td>
                <td><input type="text" name="metalClad" value="" style="width:40px"></td>
                <td><input type="text" name="MVMCC" value="" style="width:40px"></td>
                <td><input type="text" name="specialItems" value="" style="width:40px"></td>
                <td><input type="text" name="notes" value=""></td>
                <td><input type="text" name="installCost" value=""></td>
                <td><input type="text" name="priceNote" value=""></td>
                <td><input type="text" name="createdBy" value=""></td>
            </tr>
        </table>
        <div class="searchButton">
            <input name="submit" type="submit" value="Search" />
            <button style="margin-left:5%;"><a href="homeAdmin.php">Back to Menu</a></button>
        </div>
    </form>

    <div id="table-wrapper-search">
        <div id="table-scroll">
            <table>
                <thead>
                    <tr>
                        <th>TAG</th>
                        <th>Rev#</th>
                        <th>DATE</th>
                        <th>DESCRIPTION</th>
                        <th>Sub Category</th>
                        <th>HVL</th>
                        <th>HVL/CC</th>
                        <th>Metal Clad</th>
                        <th>MVMCC</th>
                        <th>Special Items</th>
                        <th>Notes</th>
                        <th>Install Cost</th>
                        <th>Price Note</th>
                        <th>Created By</th>
                    </tr>
                </thead>

            </table>
        </div>
    </div>


</body>
</html>
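The same "search by any combination of fields" query, written with prepared statements instead of string escaping. This is an added example, not the poster's code: column names come from a fixed whitelist keyed by form field, every value is bound as a parameter, and the WHERE clause is only emitted when at least one field is filled in. It runs against an in-memory SQLite database with constructed sample rows; the TAG column layout is assumed from the query in the question. Note that mysql_real_escape_string() returns false (printed as an empty string) when no MySQL connection is open, which is one reason escaping-based sanitizers are fragile; PDO parameters do not depend on escaping at all.

```php
<?php
// Added example (not from the original post): dynamic WHERE clause with PDO
// placeholders. Only whitelisted form fields are consulted; user input is
// never concatenated into SQL text.

function buildTagSearch(array $input)
{
    // form field name => column name (columns assumed from the question's query)
    static $columns = array(
        'tag'         => 'Tag_num',
        'rev'         => 'Rev_num',
        'date'        => 'Tag_date',
        'description' => 'Descrip',
        'subCategory' => 'Sub_cat',
        'notes'       => 'Tag_notes',
        'installCost' => 'Install_cost',
        'priceNote'   => 'Price_notes',
        'createdBy'   => 'Created_by',
    );

    $where  = array();
    $params = array();
    foreach ($columns as $field => $column) {
        if (!isset($input[$field])) {
            continue;                       // field absent from the request
        }
        $value = trim($input[$field]);
        if ($value === '') {
            continue;                       // blank field: not part of the search
        }
        $where[]               = "$column = :$field"; // column from whitelist, value via placeholder
        $params[':' . $field]  = $value;
    }

    $sql = 'SELECT Tag_num, Rev_num FROM TAG';
    if (!empty($where)) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return array($sql, $params);
}

function searchTags(PDO $db, array $input)
{
    list($sql, $params) = buildTagSearch($input);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed demo data (in-memory SQLite so the example runs offline) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE TAG (Tag_num TEXT, Rev_num TEXT, Tag_date TEXT, Descrip TEXT,
           Sub_cat TEXT, Tag_notes TEXT, Install_cost TEXT, Price_notes TEXT, Created_by TEXT)');
$db->exec("INSERT INTO TAG VALUES ('6004','1','2013-11-25','Switchgear','HV','','1000','','admin')");
$db->exec("INSERT INTO TAG VALUES ('6005','2','2013-11-26','Breaker','MV','','500','','admin')");

// The lookup from the question: only the tag field filled in.
print_r(searchTags($db, array('tag' => '6004', 'rev' => '', 'date' => '')));

// An injection attempt: the quote and OR are bound as data, so this matches
// no row instead of becoming "... WHERE Tag_num = '6004' OR '1'='1'".
print_r(searchTags($db, array('tag' => "6004' OR '1'='1")));

// No fields at all: no WHERE clause is emitted, so the SQL stays valid.
list($sql, $params) = buildTagSearch(array());
echo $sql, "\n";
```

Only the values are ever bound; column names cannot be bound as parameters, which is why they are taken from the hard-coded whitelist rather than from the request. Submitting a form field that is not in the whitelist has no effect on the generated SQL.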

0 answers:

No answers