更新$ _POST代码到php7,isset问题?

时间:2017-02-27 21:16:07

标签: php mysqli php-7

我升级到php7后出现此错误,我已解决了大多数问题。

  

错误:您的SQL语法出错;检查手册   对应于您的MySQL服务器版本,以便使用正确的语法   靠近''第1行

这是代码的开头(这似乎导致了问题)。当页面加载$ _POST没有设置时,有一个下拉列表(从sql1创建),这个结果将在后面的脚本中提供给其他sql查询。

<?php include 'connect.php'; ?>

<?php
$post_pub = isset($_POST['site']) ?: $_POST['site'] = '';

// Perform queries 
$sql1="SELECT Site_ID, Site_name_1 FROM `Sites` ORDER BY `Sites`.`Site_ID` ASC"; 

这是完整的代码

    <?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
?>

<?php include 'header.php'; ?> 
<div class='container'> 
<?php include 'menu.php'; ?> 
<?php include 'connect.php'; ?>

<?php
$post_pub = isset($_POST['site']) ?: $_POST['site'] = '';

// Perform queries 
$sql1="SELECT Site_ID, Site_name_1 FROM `Sites` ORDER BY `Sites`.`Site_ID` ASC"; 
//$sql1="SELECT Site_ID, Site_name_1 FROM 'Sites' ORDER BY 'Sites'.'Site_ID' ASC"; 

$sqltable1="SELECT Publications.Pub_ID, Publications.ART_TITEL FROM `Publications` where Pub_ID=$post_pub";
$sqltable2="SELECT Aspects.Aspect, Aspect_Pub_join.Pub_ID FROM `Aspects` INNER JOIN `Aspect_Pub_join` ON Aspects.Aspect_ID=Aspect_Pub_join.Aspect_ID WHERE Aspect_Pub_join.Pub_ID=$post_pub"; 
$sqltable3="SELECT Publications.Pub_ID, Questions.Question FROM `Publications` LEFT JOIN `Aspect_Pub_join` ON Publications.Pub_ID=Aspect_Pub_join.Pub_ID LEFT JOIN `Aspect_question_join` ON Aspect_Pub_join.Aspect_ID=Aspect_question_join.Aspect_ID LEFT JOIN `Questions` ON Aspect_question_join.Question_ID=Questions.Question_ID Where Publications.Pub_ID=$post_pub GROUP BY Question ORDER BY Publications.Pub_ID ASC";

$sqltable4="SELECT Publications.Pub_ID, Publications.ART_TITEL FROM `Publications` where Pub_ID=$post_pub"; 
$sqltable5="SELECT Publications.Pub_ID, Publications.ART_TITEL FROM `Publications` where Pub_ID=$post_pub"; 

$result1=mysqli_query($mysqli, $sql1) or die("Error: ".mysqli_error($mysqli));

$result_table1=mysqli_query($mysqli, $sqltable1) or die("Error: ".mysqli_error($mysqli));
$result_table2=mysqli_query($mysqli, $sqltable2) or die("Error: ".mysqli_error($mysqli));
$result_table3=mysqli_query($mysqli, $sqltable3) or die("Error: ".mysqli_error($mysqli));
$result_table4=mysqli_query($mysqli, $sqltable4) or die("Error: ".mysqli_error($mysqli));
$result_table5=mysqli_query($mysqli, $sqltable5) or die("Error: ".mysqli_error($mysqli));



$site_array = array();

while (list($id, $name) = mysqli_fetch_row($result1)) {$site_array[$id] = $name;}


//// Free result set
//mysqli_free_result($result);

function get_options($arr, $current=null) 
{
    $opts = '';
    foreach ($arr as $k => $v) {
        $sel = $k==$current ? 'selected="selected"' : '';
        $opts .= "<option value='$k'  $sel>$k $v</option>\n";

    }
    return $opts;
}



?>

<html>
<body>
<br/>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
  <select name="site" onchange="this.form.submit();">
<?php echo"<option>Select Site</option>";?>
    <?php echo get_options($site_array);?>

  </select>



</form>
<br/>

<p> Displaying all information for:<?php if(isset($_POST['site'])){echo $_POST['site'];} ?></p>



<div style="void:both;";></div>



<div class='table_holder'>
  <div class='table' style='height:100px; margin-right:20px;'>
    <table width='100%' align='center' id='table1' class='tablesorter'>
      <thead>
        <tr>
          <th>Publication Title</th>
        </tr>
      </thead>



<?php while($rows1=mysqli_fetch_array($result_table1)){ ?>
        <tr>
          <td><?php echo $rows1['ART_TITEL']; ?></td>
        </tr>
<?php } ?>

    </table>
  </div> 
</div> 


<br/><br/>
<div style="void:both;";></div>
<br/><br/>

<div class='table_holder'>
  <div class='table' style='height:200px;'>
    <table width='100%' align='center' id='table2' class='tablesorter'>
      <thead>
        <tr>
          <th>Aspects</th>
        </tr>
      </thead>

<?php while($rows2=mysqli_fetch_array($result_table2)){ ?>
        <tr>
          <td><?php echo $rows2['Aspect']; ?></td>
        </tr>
<?php } ?>

    </table>
  </div> 
</div> 

<br/><br/>
<div style="void:both;";></div>
<br/><br/>

<div class='table_holder'>
  <div class='table' style='height:200px;'>
    <table width='100%' align='center' id='table3' class='tablesorter'>
      <thead>
        <tr>
          <th>Question</th>
        </tr>
      </thead>
<?php while($rows3=mysqli_fetch_array($result_table3)){ ?>
        <tr>
          <td><?php echo $rows3['Question']; ?></td>
        </tr>
<?php } ?>

    </table>
  </div> 
</div> 






<?php include 'footer.php' ?>

2 个答案:

答案 0 :(得分:1)

如果字符串不存在,您似乎将$post_pub设置为字符串,但在后续语句中进行比较,就好像它是数字一样

$post_pub = isset($_POST['site']) ?: $_POST['site'] = ''

此处$post_pub将设置为&#39;&#39;如果它不在POST中

当您构建像这样的SQL

$sqltable1="SELECT Publications.Pub_ID, Publications.ART_TITEL FROM `Publications` where Pub_ID=$post_pub";

声明看起来像

SELECT Publications.Pub_ID, Publications.ART_TITEL FROM `Publications` where Pub_ID=

你想要像

这样的地方
SELECT Publications.Pub_ID, Publications.ART_TITEL FROM `Publications` 

SELECT Publications.Pub_ID, Publications.ART_TITEL FROM `Publications` where Pub_ID=''

SELECT Publications.Pub_ID, Publications.ART_TITEL FROM `Publications` where Pub_ID is null

您还应该考虑在查询中使用参数而不是字符串连接作为您打开sql注入攻击的代码。

答案 1 :(得分:-1)

检查短路条件。 似乎应该是:

$post_pub = isset($_POST['site']) ? $_POST['site'] : '';

检查此示例:

$post_pub = isset($_POST['site']) ?: $_POST['site'] = '';
echo $post_pub; // empty string

$_POST['site'] = 'test';
$post_pub = isset($_POST['site']) ?: $_POST['site'] = '';
echo $post_pub; // true - 1

你是在db中搜索,是&#39; true&#39;还是concrect id?