无法在下一个文件中调用未定义的ID

时间:2015-10-01 02:26:38

标签: php sql

我试图一次更新多个条目,但我无法调用id,更新工作正常。错误显示:注意:未定义的索引:第24行的C:\ xampp \ htdocs \ poshproject \ multiedit.php中的id 

<?php include 'header.php'; ?>

<div id="container4"><?php
require ("dbfunction.php");
$con = getDbConnect();


$checkbox2 = $_POST['checkbox2'];

if (!mysqli_connect_errno($con)) {
    $str = implode($checkbox2);
    $queryStr = "SELECT * " .
            "FROM crewlist WHERE  ($str) && crew_id";
}

$result = mysqli_query($con, $queryStr);

if (isset($_POST['submit'])) {
    $checkbox2 = $_POST['checkbox2'];
    foreach ($checkbox2 as $crewname) {

        ?> <form action="handlemultiedit.php" method="post">
            <input type="hidden" name="crew_id" value="<?php echo       $_GET['id']; ?>" />
        <?php echo "<tr><th>" . $crewname . ":</th><br>";
        echo "                    <tr>
                    <td>Shift 1:</td>
                    <td><input type=\"time\" name=\"start_hour\" value=\"start_hour\" id=\"start_hour\" step=\"1800\" required> to <input type=\"time\" name=\"end_hour\" value=\"end_hour\" id=\"end_hour\" step=\"1800\" required>
                    </td>       
                </tr>
                <tr>
                    <td>Shift 2:</td>
                    <td><input type=\"time\" name=\"start_hour2\" value=\"start_hour2\" id=\"start_hour2\" step=\"1800\" required> to <input type=\"time\" name=\"end_hour2\" value=\"end_hour2\" id=\"end_hour2\" step=\"1800\" required>
                    </td>       
                </tr><br><br>";
        ?><?php
    }?><td><input type="submit" value="Submit" ></td></form><?php
}
?>

这是句柄页面

<?php

print_r($_POST);
require 'dbfunction.php';
$con = getDbConnect();
$crew_id = $_POST["crew_id"];

$start_hour = $_POST["start_hour"];
$end_hour = $_POST["end_hour"];
 $start_hour2 = $_POST["start_hour2"];
 $end_hour2 = $_POST["end_hour2"];

if (!mysqli_connect_errno($con)) {
$sqlQueryStr = "UPDATE crewlist SET start_hour = '$start_hour',end_hour = '$end_hour', start_hour2 = '$start_hour2',end_hour2 = '$end_hour2' WHERE crew_id = " . $crew_id . "";
mysqli_query($con, $sqlQueryStr);
}


//header('Location: crewlisting.php');
 mysqli_close($con);
 ?>

1 个答案:

答案 0 :(得分:0)

第一:你正在为MySQL注入攻击做好准备!  您是在MySQL查询中直接使用用户POST的数据,而不检查它是否包含恶意代码!

$checkbox2 = $_POST['checkbox2'];

if (!mysqli_connect_errno($con)) {
    $str = implode($checkbox2);
    $queryStr = "SELECT * " .
            "FROM crewlist WHERE  ($str) && crew_id";
}

打开错误消息:multiedit.php的第24行:

<input type="hidden" name="crew_id" value="<?php echo       $_GET['id']; ?>" />

错误告诉您未设置GET的参数“id”。 确保它在URL中设置,因为这是GET从以下位置检索数据的地方:

multiedit.php?id=123456


header("Location: crewlisting.php?id=$crew_id");
如果有意的话,从句柄页面

但是,您的代码中似乎存在一些漏洞并且无法按预期运行。你能澄清它应该做什么吗?

我猜是

if (isset($_POST['submit'])) {
应将

移至处理页面以检查是否实际提交了任何内容,并

foreach ($checkbox2 as $crewname) {

实际上应该循环来自MySQL查询的$ result。

相关问题
最新问题