我想创建一个易受攻击的搜索栏并完成所有操作但不幸的是,当我按提交时,搜索功能不会显示任何结果。 但终端显示成功,“POST / injection / HTTP / 1.1”200 596
views.py
@csrf_exempt
def search_form(request):
if 'searchField' in request.POST:
query= "SELECT * FROM injection_search WHERE injection_search.name LIKE '%searchField%'"
print(query)
item = search.objects.raw(query)
else:
item = search.objects.all()
return render(request, 'home.html', {'item' : item})
template/home.html
{% load static %}
<link href="{% static 'css/style.css' %}" rel="stylesheet"></link>
<h1 class="page-header">INJECTION</h1>
<form action="" method="POST">
<input type="text" name="searchField" id="searchField" placeholder="search trainers..">
<button type="submit">Find</button>
</form>
<h1> Search Page </h1>
<h3> Injection demo</h3>
<div class="shopping-container">
<table border="3" cellspacing="0" cellpadding="10">
<tbody>
<tr>
<th>Title</th>
<th>Description</th>
<th>Quantity</th>
</tr>
<!--{% for search in item %}-->
<tr>
<td>{{ search.name}}</td>
<td>{{ search.description }}</td>
<td>{{ search.price}}</td>
</tr>
<!--{%endfor%}-->
</tbody>
</table>
</div>
model.py
app_name = 'injection'
urlpatterns = [
url(r'^$', views.index, name='index'),
url(r'^injection/$', views.search_form, name='search_form'),
]
答案 0 :(得分:0)
这也不适用于PHP,因为你在SQL字符串中没有使用变量。您只是使用文字值“searchField”。
为了使代码正常工作,您实际需要将字符串的值放入SQL命令中。在Python中有多种方法可以做到这一点,例如:
query= "SELECT * FROM injection_search WHERE injection_search.name LIKE '%{}%'".format(searchField)