好吧,让我在这里解释一下:
我正在制作基于在线文字的游戏。我有一个页面,可以发生三件事:
到目前为止,我已经创建了一个职位。我接着删除了一个位置。一切都很好,我没有错误,没有警告等等。当我运行它时,它回到屏幕,它应该在脚本删除位置后运行。它只应该在查询运行后来到这里。
没有任何事情发生,经过3个小时的尝试,我会来找你们b / c我在最后一站。我仍然没有严重的错误,没有任何东西让它失败:这是我的代码。
<?php
//In the include file is the connection to the db
include("library/new_library.php");
//Below is the session id, gets their position id from the DB, than grabs whether or not they can edit the company
$user_id = $_SESSION['user_id'];
$sql = "SELECT ID, PositionID FROM users WHERE ID = '$user_id'";
$query = mysql_query($sql);
while($row = mysql_fetch_assoc($query))
{
$position = $row['PositionID'];
}
$sql = "SELECT * FROM tblCPositions WHERE PositionID = '$position'";
$query = mysql_query($sql);
while($row = mysql_fetch_assoc($query))
{
$editCompany = $row['Edit_Company'];
}
//Next I check for position edit and if they try to put in the position id of a position the company does not control it gives them a "nice" message.
$company = $_SESSION['company'];
if($_GET['pidedit']){
$position = $_GET['pidedit'];
$sql = "SELECT * FROM tblCPositions WHERE PositionID = '$position'";
$query = mysql_query($sql);
while($row = mysql_fetch_assoc($query))
{
if($row['CompanyID'] != $company)
{
$warning = "<div class='warning'>You are trying to edit a position that does not belong to your company. DO NOT TRY TO CHEAT THE SYSTEM!</div>";
}
else
{
$positionArray[] = array(ID => $row['PositionID'], name => $row['Name'], hire => $row['Hire'], fire => $row['Fire'], bid => $row['Contract'], edit => $row['Edit_Company'], finances => $row['Finances']);
}
}
}
//Here I check for $_GET delete
elseif($_GET['piddelete'])
{
$position = $_GET['piddelete'];
$sql = "SELECT * FROM tblCPositions WHERE PositionID = '$position'";
$query = mysql_query($sql);
while($row = mysql_fetch_assoc($query))
{
if($row['CompanyID'] != $company)
{
$warning = "<div class='warning'>You are trying to delete a position that does not belong to your company. DO NOT TRY TO CHEAT THE SYSTEM!</div>";
}
}
}
else
{
$sql = "SELECT * FROM tblCPositions WHERE CompanyID = '$company'";
$query = mysql_query($sql);
$number = mysql_num_rows($query);
$numberLeft = 12 - $number;
while($row = mysql_fetch_assoc($query))
{
$positionArray[] = array(ID => $row['PositionID'], name => $row['Name'], hire => $row['Hire'], fire => $row['Fire'], bid => $row['Contract'], edit => $row['Edit_Company'], finances => $row['Finances']);
}
}
//
if($_POST['submitNewPosition'])
{
$name = $_POST['positionName'];
$hire = $_POST['hire'];
$fire = $_POST['fire'];
$bid = $_POST['bid'];
$edit = $_POST['edit'];
$finances = $_POST['finances'];
$cid = $_SESSION['company'];
$sql = "INSERT INTO tblCPositions(CompanyID, Name, Hire, Fire, Contract, Edit_Company, Finances) VALUES ('$cid','$name','$hire','$fire','$bid','$edit','$finances')";
$query = mysql_query($sql);
if($query)
{
header("location: view_company.php?newp=success");
}
}
//Haven't finished this section yet
if($_POST['submitEditPosition'])
{
$name = $_POST['positionName'];
$fire = $_POST['hire'];
$fire = $_POST['fire'];
$bid = $_POST['bid'];
$edit = $_POST['edit'];
$finances = $_POST['finances'];
}
//This this is my problem area, this is where it says its running the query but its not.
if(isset($_POST['deletePosition']))
{
$deleteID = $_GET['piddelete'];
$deleteSql = "DELETE FROM tblCPositions WHERE PositionID = '$deleteID'";
$deleteQuery = mysql_query($deleteSql);
if($deleteQuery)
{
header("location: view_company.php?delete=success");
}
if(!$deleteQuery)
{
header("location: view_company.php?delete=failure");
}
}
更新 -
好的,所以我得到它的工作问题是我忘了,这个表格只是意味着“是或否形式”所以我只是发帖子发布提交按钮,表格上没有其他内容。我忘记的是在action =“file.php”(我有什么)我忘记传递get变量所以一旦我把它改成action =“file.php?piddelete = 12”就可以了。
感谢大家的帮助,我真的很感激。
答案 0 :(得分:2)
10到1您的变量$_GET['piddelete'];为空。当你这样做时你会得到什么:
var_dump($_GET['piddelete']);
禁用标题重定向,以便您可以看到输出。
修改
或者,正如Nick指出的那样,您可以在查询中添加die()语句:
$deleteQuery = mysql_query($deleteSql) or die(mysql_error());
如果您的查询仍然运行,并且脚本没有死亡,并且仍未的位置未被删除,则应检查查询,它可能是成功删除0行。尝试在die($deleteSql);处查杀并通过MySQL的控制台运行查询。
<强> /修改
另外,我不得不把你介绍给我的好朋友SQL injection attack。在将它们移交给MySQL服务器之前,您应该过滤$_POST和$_GET超全局中包含的所有数据。使用mysql_real_escape_string()。
试着理解这个:
whatever.com/your_url.php?pidedit=x'%3B%20DROP%20TABLE%20tblCPositions%3B%20--
如果我要在您的应用程序上执行该查询字符串,那么您的tblCPositions表将被删除。