我的想法是搜索查询然后点击图片按钮后它会重定向到查询以获得优秀的代码
这是我的图像按钮代码
$expQuery = SELECT * FROM reginformation WHERE name LIKE '%da%' AND deleted = 0; //This is an example query
<a id="exportbutton" style="margin-left:5px;" href="regListToExcel.php?query=<?php echo $expQuery ?> " ><img src="images/export_to_excel.png" style="margin-left:0px; width:5%" title='Download List'></a>
regListToExcel.php的代码
<?php
header('Content-type: application/excel');
header('Content-Disposition: attachment; filename="EventRegistrationLogs('.date("Y-m-d").').xls"');
?>
<html>
<table border=2>
<tr>
<th>Registration ID</th><th>Name</th><th>Gender</th><th>Age</th><th>Birthdate</th><th>Address</th>
<th>Email Address</th><th>Employment Status</th><th>Contact No.</th><th>Facebook</th>
<th>Twitter</th><th>Instagram</th><th>Event</th>
<th>Where did you hear about this event?</th><th>Photo Link</th><th>Province</th><th>Friend's Name</th>
<th>Friend's Email Address</th><th>Friend's Name</th>
<th>Friend's Email Address</th><th>Date Registered</th>
</tr>
<?php
include("dbcon.php");
$query=$_GET['query'];
echo "$query";
$export = mysql_query($query) or die(mysql_error());
$bgcolor = "F6F7EA";
while($data=mysql_fetch_array($export))
{
if ($bgcolor == "ECEFD7")
{
$bgcolor = "F6F7EA";
}
else
{
$bgcolor = "ECEFD7";
}
if($data['province'] == "")
{
$province = "";
}
else
{
$query = "SELECT province FROM province WHERE provid = $data[province]";
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result);
$province = $row['province'];
}
?>
<tr><td width="1000px" style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['regID']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['name']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['gender']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['age']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['bdate']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['address']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['emailadd']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['employmentstatus']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['contactno']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['facebook']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['twitter']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['instagram']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['event']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['wherehearevent']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['photolink']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $province?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['referfriend1']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['referemail1']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['referfriend2']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['referemail2']?></td>
<td style="background-color:#<?echo $bgcolor;?>;>"><?php echo $data['date_register']?></td>
</tr>
<?php } ?>
</table>
</body>
</html>
它给excel的查询是
SELECT * FROM reginformation WHERE nameLIKE'Ú%'AND deleted = 0
我该如何解决这个问题?
答案 0 :(得分:0)
此示例的一个基本问题是查询在传递到后续页面之前不会被转义。
特别值得在$ expQuery上使用PHP的“htmlentities”函数,然后验证通过请求传递的内容。像Firebug这样的浏览器工具可以帮助您解决这个问题。
此外,您的代码受到任意SQL注入攻击。您应该在查询中使用mysqli_escape_string(理想情况下,只能通过实际动态的部分)。