我正在制作一个页面,该页面将获取我的所有数据库值。我希望页面从数据库自动获取Driver_id和Vehicle_id的值,用户需要知道自己的ID和密钥是什么。但是我被困在这里。
我正在使用的工具是phpMyAdmin。
下表是我的代码:
<!doctype html>
<html>
<style>
<table>
<th>Vehicle ID</th>
<th>Vehicle Model</th>
<th>Vehicle Color</th>
<th>Plate Number</th>
<th>Seats</th>
<th>Driver ID</th>
<th> </th>
<?php
$link=mysqli_connect("localhost","root","","jomsewa");
mysqli_select_db($link,"jomsewa") or die(mysqli_error($link));
$select = "SELECT * FROM vehicle";
$row = mysqli_query($link,$select);
while ($array = mysqli_fetch_array($row)){
echo "<tr><td>".$array['Vehicle_id']."</td>
<td>".$array['Vehicle_model']."</td>
<td>".$array['Vehicle_color']."</td>
<td>".$array['Vehicle_model']."</td>
<td>".$array['Vehicle_seats']."</td>
<td>".$array['Driver_id']."</td>
<td><a href='Dmaintenance.php?Driverid=".$array['Driver_id']."'>Select</a></td>"."</tr>";
}
mysqli_close($link);
?>
</table>
</body>
</html>
链接链接到Dmaintenance.php:
<?php
$link=mysqli_connect("localhost","root","","jomsewa");
if (!$link)
{
echo "Failed to connect to database: " . mysqli_connect_error();
}
mysqli_select_db($link,"jomsewa") or die(mysqli_error($link));
?>
<h3>Please update your maintenance details in the form below.</h3>
<form action="maintenance.php" method="post">
<fieldset>
<legend>Vehicle Maintenance Information:</legend>
<table cellpadding="10">
<tr>
<td>
<?php
if(isset($GET['Driver_id']))
{
$txt = $GET['Driver_id'];
while($row = mysqli_fetch_array($result))
{
echo "<td>".$row['Vehicle_id']."</td>";
echo "<td>".$row['Driver_id']."</td>";
}
}?></td>
</tr>
我想要的是,当单击下一页上的特定行链接时,它必须自动显示我选择的行内容。
答案 0 :(得分:1)
使用$_GET['Driverid]代替$_GET['Driver_id]
Dmaintenance.php上没有SQL查询可基于Driverid来获取行。应该有
$query = "SELECT * FROM vehicle WHERE Vehicle_id=".$_GET['Driverid'];
$row = mysqli_query($link,$query);
while ($array = mysqli_fetch_array($row)){
print_r($array);
}
例如
<a href="Dmaintenance.php?Driverid=123">Click Here</a>
,仅在Dmaintenance.php中使用以下命令,您将看到参数值
if(isset($_GET['Driverid'])){
echo $_GET['Driverid'];
}
答案 1 :(得分:0)
每当像Dmaintenance.php中那样处理用户提供的数据时,您都需要采取额外的预防措施,以确保您的脚本不会受到SQL注入或其他令人讨厌的意外的攻击。在这种情况下,由于您直接在SQL中使用用户提供的数据(或者采用@Rakesh给出的查询样式,直接将GET数据嵌入查询中),因此SQL容易受到SQL Injection的攻击并可能带来灾难。
下面显示了如何使用prepared statements来帮助避免sql注入。到处都是自由主义的评论,希望对您有所帮助。
<?php
/*********************
Dmaintenance.php
*********************/
try{
/*
encapsulate everything within a `TRY/CATCH` block
so that you can throw your own Exceptions if needed.
The db methods here are using OO methods because
they are less verbose and, imo, easier to read/remember.
*/
$link=new mysqli( 'localhost', 'root', '', 'jomsewa' );
if( $link ){
/* The `driver_id` is vital for the query to be run */
$id=!empty( $_GET['Driverid'] ) ? $_GET['Driverid'] : false;
if( $id ){
/*
create a general SELECT statement to
return specific fields. The reason for
doing this is because we bind the query
results directly to PHP variables using
`bind_result` later
*/
$sql='select `Vehicle_id`, `Vehicle_model`, `Vehicle_color`, `Vehicle_seats`
from `vehicle`
where `driver_id`=?';
/* create the prepared statement */
$stmt=$link->prepare( $sql );
if( $stmt ){
$stmt->bind_param( 's', $id );
$res=$stmt->execute();
if( $res ){
/*
Query succeeded - process recordset
*/
$stmt->store_result();
$stmt->bind_result( $vid, $model, $colour, $seats );
/* open form & table */
echo "
<h3>Please update your maintenance details in the form below.</h3>
<form action='maintenance.php' method='post'>
<fieldset>
<legend>Vehicle Maintenance Information:</legend>
<table cellpadding='10'>"; # padding should be done in CSS and there should be a unit here, probably px
/* add dynamic data from db query */
while( $stmt->fetch() ){
echo "
<tr>
<td>$vid</td>
<td>$model</td>
<td>$colour</td>
<td>$seats</td>
</tr>";
}
/* close the table */
echo "
</table>
</fieldset>
</form>";
$stmt->free_result();
$stmt->close();
} else {
throw new Exception('Query failed');
}
} else {
throw new Exception('Failed to prepare SQL');
}
} else {
throw new Exception('No driver id');
}
} else {
throw new Exception('No database connection made');
}
}catch( Exception $e ){
exit( $e->getMessage() );
}
?>
如果在程序运行过程中遇到问题,可以使用上面的try/catch来指定自己的消息。如果您使用mysqli_error($link)之类的代码来描述生产代码中的错误,则会无意间泄露了有关服务器/应用程序的潜在敏感信息。