PHP $ _Get没有收到查询字符串值

时间:2014-10-22 13:38:00

标签: php html mysql ajax

我正在创建一个下拉菜单,用于发送"国家/地区代码"查询MySQL的PHP​​文件。然后生成一个html表。一切似乎都有效,除了$ _GET总是什么也得不到。即使我将查询字符串硬编码为代码。我错过了什么?

HTML:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
     <title>Test</title>
     <script type="text/javascript">
         function showCountry(str) {
             if (str == "") {
              document.getElementById("SurveyContainer").innerHTML = "";
              return;
             }
            if (window.XMLHttpRequest) {
                // code for IE7+, Firefox, Chrome, Opera, Safari
                xmlhttp = new XMLHttpRequest();
            } 
            else {  // code for IE6, IE5
                xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
            }
            xmlhttp.onreadystatechange = function () {
                if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                    document.getElementById("SurveyContainer").innerHTML = xmlhttp.responseText;
                }
            }

            xmlhttp.open("GET", "getSurveys.php?q=" + str, true);
            xmlhttp.send();
        }
     </script>
</head>
<body>
    <select name="countries" onchange="showCountry(this.value)">
        <option value="">Select Country:</option>
        <option value="WW">WW</option>
        <option value="AU">AU</option>
        <option value="USA">USA</option>
    </select>

    <div id="SurveyContainer"><b>Survey table</b></div>
</body>
</html>

getSurveys.php:

<?php

//Get Country Code
$q = ( isset( $_GET['q'] ) && is_numeric( $_GET['q'] ) ) ? intval( $_GET['q'] ) :'WW';

$con = mysqli_connect('localhost','myusername','mypassword','mydatabase');

if (!$con) {
    die('Could not connect: ' . mysqli_error($con));
}

mysqli_select_db($con,"mydatabase");

$sql="SELECT * FROM tblSurveys WHERE country = '".$q."'";

$result = mysqli_query($con,$sql);

echo "<table class='surveytable'>";
echo "<tr><th width='61'>Country</th><th>Link To Join Paying Survey Panel Web Site</th><th>About Survey Panel</th><th width='93'>Survey Incentives</th></tr>";

while($row = mysqli_fetch_array($result)) {
    echo "<tr><td><b>$row[country]</b></td><td><a href='$row[link]' target='_blank'>$row[name]</a></td><td>$row[description] </td><td>$row[incentives]</td></tr>";
}

echo "</table>"; 

mysqli_close($con);

?>

提前致谢!

1 个答案:

答案 0 :(得分:2)

我不确定您正在检查的是什么值:$q$_GET['q'],但PHP脚本顶部的逻辑错误:

$q = ( isset( $_GET['q'] ) && is_numeric( $_GET['q'] ) ) ? intval( $_GET['q'] ) :'WW';

您正在检查数值并转换为整数,而查询字符串的值为空或国家/地区代码字符串。

因此,您的实际$_GET['q']值永远不会在您的脚本中使用。

你只需要:

$q = isset( $_GET['q'] ) ? $_GET['q'] :'WW';

然后你需要一个预备语句(或mysqli_real_escape_string() ...)来阻止sql注入。

相关问题
最新问题