Using a POST variable in the query prevents a subsequent delete query from completing successfully

Date: 2011-07-25 22:54:49

Tags: php mysql

I'm trying to modify this script so that instead of returning every result in the database it is limited to a small set.

However, when I use POST to get the search term that was passed in, I break the ability to delete records.

I can use a query with no variable, or a query with the variable set beforehand, but not one using the POST command.

e.g.

$sql="SELECT * FROM $table WHERE name='bob'"; //deleting items works after this query

$name='bobo';
$sql="SELECT * FROM $table WHERE name='$name'"; //deleting items works after this query

$name=mysql_real_escape_string($_POST['searchterm']);
$sql="SELECT * FROM $table WHERE name='$name'"; //deleting items fails after this query

I've tried to look at what the result set returns, but I can't seem to capture any output from the query.

I'm not sure why using the post command breaks the query.

Here is my modified code:

<?php
$host="localhost";                     
$username="foo";
$password="bar";
$db_name="Alerts";
$tbl_name="SearchTermsAndContactAddress";

mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$address=mysql_real_escape_string($_POST['SearchAddress']);
$sql=sprintf( "SELECT * FROM $tbl_name WHERE contactaddress = '007@gmail.com' ORDER BY searchterms ASC"); //the delete does work                    
$sql=sprintf( "SELECT * FROM $tbl_name WHERE contactaddress = '$address' ORDER BY searchterms ASC"); //delete doesn't work                                   
$sql=sprintf( "SELECT * FROM $tbl_name WHERE contactaddress = '%s' ORDER BY searchterms DESC", mysql_real_escape_string($_POST['SearchAddress']) ); //this doesn't work either
$sql=sprintf( "SELECT * FROM $tbl_name WHERE contactaddress = '$_POST[SearchAddress]' ORDER BY searchterms DESC" ); // it doesn't work with this query       
#$sql=sprintf( "SELECT * FROM $tbl_name  ORDER BY searchterms DESC" ); //it does work with this query                                                        
echo $sql;
$result=mysql_query($sql);
$count=mysql_num_rows($result);
?>
<table width="400" border="0" cellspacing="1" cellpadding="0">
    <tr>
        <td><form name="form1" method="post" action="">
            <table width="400" border="0" cellpadding="3" cellspacing="1" bgcolor="#CCCCCC">
                <tr>
                    <td bgcolor="#FFFFFF">&nbsp;</td>
                <td colspan="4" bgcolor="#FFFFFF"><strong>Delete multiple rows in mysql</strong> </td>
            </tr>
            <tr>
                <td align="center" bgcolor="#FFFFFF">#</td>
                <td align="center" bgcolor="#FFFFFF"><strong>Id</strong></td>
                <td align="center" bgcolor="#FFFFFF"><strong>Search Term</strong></td>
                <td align="center" bgcolor="#FFFFFF"><strong>Address</strong></td>
                <td align="center" bgcolor="#FFFFFF"><strong>Attach Image</strong></td>
            </tr>
            <?php
                while($rows=mysql_fetch_array($result)){
                    ?>
                    <tr>
                        <td align="center" bgcolor="#FFFFFF"><input name="checkbox[]" type="checkbox" id="checkbox[]" value="<? echo $rows['prim_key']; ?>"></td>
                        <td bgcolor="#FFFFFF"><? echo $rows['prim_key']; ?></td>
                        <td bgcolor="#FFFFFF"><? echo $rows['searchterms']; ?></td>
                        <td bgcolor="#FFFFFF"><? echo $rows['contactaddress']; ?></td>
                        <td bgcolor="#FFFFFF"><? echo $rows['ImageAttachment']; ?></td>
                    </tr>
                    <?php
                    }
                ?>
                <tr>
                    <td colspan="5" align="center" bgcolor="#FFFFFF"><input name="delete" type="submit" id="delete" value="Delete"></td>
                </tr>
                <?
                //try closing and starting a new connection
                /*
                mysql_close();
                mysql_connect("$host", "$username", "$password") or die("cannot connect");
                mysql_select_db("$db_name")or die("cannot select DB"); // yeah this didn't work
                */

                // Check whether delete button active, start this
                if ($delete) {
                    for ($i=0;$i<$count;$i++) {
                        $del_id = $checkbox[$i];
                        $sql = "DELETE FROM $tbl_name WHERE prim_key='$del_id'";
                        // $sql = "DELETE FROM $tbl_name WHERE id='10'"; //using a static query didn't solve the problem.                                           
                        $result = mysql_query($sql);
                    }

                    // if successful redirect to delete_multiple.php
                    if ($result) {
                        echo $result; // this will return "Resource id #2" when it fails or it will return the # of affected rows when it succeeds
                        // while($row = mysql_fetch_assoc($result)) {
                        while ($row = mysql_fetch_array($result)) {
                            echo $row['num'];
                            echo "damn"; //this isn't being printed
                        }

                        echo "<meta http-equiv=\"refresh\" content=\"4;URL=delete_multiple3.php\">";
                    }
                }
                mysql_close();
                ?>
                </table>
            </form>
        </td>
    </tr>
</table>

I'm very new to PHP and have some knowledge of MySQL.

2 answers:

Answer 0 (score: 0)

Why are you using sprintf without supplying any arguments (so you're not actually doing anything with sprintf)?

Here:

$sql = 'SELECT * FROM `'.$tbl_name.'` WHERE contactaddress = \''.mysql_real_escape_string($_POST['SearchAddress']).'\' ORDER BY searchterms ASC';

You should really look into MySQLi or PDO, since the ext/mysql library is deprecated.

Note: yes, I took the variable parsing out of the string, because I personally hate it.

Edit: I didn't read your code closely enough. Where do you set $delete? You're not using register_globals, are you...?

Edit edit: what are you trying to do in this code? You're throwing variables around like crazy, assuming they are things they aren't and vice versa. Can you explain what your intention with this code is?

Final edit:

I understand why the code isn't working. When you first submit to the page, you send the $_POST['SearchAddress'] variable, so the first query executes correctly. But when you submit the fields to delete (from the HTML printed by that first select query), you POST to the exact same page. That leaves $_POST['SearchAddress'] empty and populates the other $_POST variables instead. Because the first SELECT query fails the second time around (returns 0 rows), $count = 0, which means no DELETE statement is ever executed. You have to split the code up, or add:

<input type="hidden" name="SearchAddress" value="<? echo $_POST['SearchAddress']; ?>" />

to the HTML (inside the form).

You're also relying on register globals, which is a bad idea. An example can be found here: http://php.net/manual/en/security.globals.php
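The explanation above pins the failure on state that is lost between the two POSTs. The following page is an added example written for this edit, not the poster's code or the answerer's, showing the search-then-delete flow with that fix applied and the other problems the answer names (register_globals, ext/mysql) removed: the address is carried in a hidden field, every input is read explicitly from $_POST, the SELECT and the DELETE are prepared statements with bound parameters, and everything echoed back into the HTML is escaped (the hidden input suggested above echoes the raw POST value, which would reflect attacker-supplied markup). The credentials, table and column names come from the question; the PDO DSN, the helper name h() and the delete-before-render ordering are assumptions made here.

```php
<?php
// Added example (not the original poster's code): search-then-delete page that
// keeps SearchAddress across the second POST and relies on neither
// register_globals nor the deprecated ext/mysql functions.
// Assumed: DSN below, PHP >= 5.4 (short echo tags, ENT_HTML5), table/columns
// as in the question.
$dsn = 'mysql:host=localhost;dbname=Alerts;charset=utf8mb4';
$pdo = new PDO($dsn, 'foo', 'bar', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$tbl = 'SearchTermsAndContactAddress';

// Read every input explicitly; nothing is auto-created as a global variable.
$address  = isset($_POST['SearchAddress']) ? (string) $_POST['SearchAddress'] : '';
$selected = (isset($_POST['checkbox']) && is_array($_POST['checkbox'])) ? $_POST['checkbox'] : [];
$doDelete = isset($_POST['delete']);

// Escape anything that goes back into HTML; the address is user-controlled.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 1. Delete first, so the list rendered below already reflects the deletion
//    (the original deleted after rendering and then used a meta refresh).
//    Keys are cast to int and bound as parameters; nothing is concatenated
//    into the SQL, unlike the original "WHERE prim_key='$del_id'".
$deleted = 0;
if ($doDelete && $selected !== []) {
    $ids = array_values(array_unique(array_map('intval', $selected)));
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM `$tbl` WHERE prim_key IN ($placeholders)");
    $stmt->execute($ids);
    $deleted = $stmt->rowCount();
}

// 2. Re-run the SELECT with the address bound as a parameter. The sprintf /
//    mysql_real_escape_string combinations in the question are unnecessary
//    with a prepared statement.
$stmt = $pdo->prepare(
    "SELECT prim_key, searchterms, contactaddress, ImageAttachment
       FROM `$tbl` WHERE contactaddress = ? ORDER BY searchterms ASC"
);
$stmt->execute([$address]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
<form method="post" action="">
  <!-- The fix from the answer: without this field the delete POST arrives
       with no SearchAddress, the SELECT returns 0 rows and nothing is deleted. -->
  <input type="hidden" name="SearchAddress" value="<?= h($address) ?>">
  <?php if ($deleted > 0): ?>
    <p>Deleted <?= $deleted ?> row(s).</p>
  <?php endif; ?>
  <table>
    <tr><th></th><th>Id</th><th>Search Term</th><th>Address</th><th>Attach Image</th></tr>
    <?php foreach ($rows as $r): ?>
      <tr>
        <td><input type="checkbox" name="checkbox[]" value="<?= (int) $r['prim_key'] ?>"></td>
        <td><?= (int) $r['prim_key'] ?></td>
        <td><?= h((string) $r['searchterms']) ?></td>
        <td><?= h((string) $r['contactaddress']) ?></td>
        <td><?= h((string) $r['ImageAttachment']) ?></td>
      </tr>
    <?php endforeach; ?>
  </table>
  <input type="submit" name="delete" value="Delete">
</form>
```

Two things worth noting. The delete runs before the SELECT so the page never shows rows that have just been removed, which also removes the need for the meta refresh in the original. The form still has no CSRF token; a POST endpoint that deletes rows needs one in a real deployment, but that is outside what the question asks.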

Answer 1 (score: 0)

$sql=sprintf( "SELECT * FROM $tbl_name WHERE contactaddress = '%s' ORDER BY searchterms DESC", mysql_real_escape_string($_POST['SearchAddress']) );

Assuming you have the right value in $_POST['SearchAddress'], this should work. Run

print_r($_POST);

and see whether the value you expect is there, then get into the wider issues @Chris raised.