对此没有真正直接的答案,所以我想我会试一试。
$myid = $_POST['id'];
//Select the post from the database according to the id.
$query = mysql_query("SELECT * FROM repairs WHERE id = " .$myid . " AND name = '' AND email = '' AND address1 = '' AND postcode = '';") or die(header('Location: 404.php'));
上面的代码应该将变量$ myid设置为id的发布内容,然后在SQL WHERE子句中使用该变量根据提交的id从数据库中获取数据。忘记潜在的SQL注入(我稍后会修复它们)为什么这不起作用?
好的,这是我测试的完整代码:
<?php
//This includes the variables, adjusted within the 'config.php file' and the functions from the 'functions.php' - the config variables are adjusted prior to anything else.
require('configs/config.php');
require('configs/functions.php');
//Check to see if the form has been submited, if it has we continue with the script.
if(isset($_POST['confirmation']) and $_POST['confirmation']=='true')
{
//Slashes are removed, depending on configuration.
if(get_magic_quotes_gpc())
{
$_POST['model'] = stripslashes($_POST['model']);
$_POST['problem'] = stripslashes($_POST['problem']);
$_POST['info'] = stripslashes($_POST['info']);
}
//Create the future ID of the post - obviously this will create and give the id of the post, it is generated in numerical order.
$maxid = mysql_fetch_array(mysql_query('select max(id) as id from repairs'));
$id = intval($maxid['id'])+1;
//Here the variables are protected using PHP and the input fields are also limited, where applicable.
$model = mysql_escape_string(substr($_POST['model'],0,9));
$problem = mysql_escape_string(substr($_POST['problem'],0,255));
$info = mysql_escape_string(substr($_POST['info'],0,6000));
//The post information is submitted into the database, the admin is then forwarded to the page for the new post. Else a warning is displayed and the admin is forwarded back to the new post page.
if(mysql_query("insert into repairs (id, model, problem, info) values ('$_POST[id]', '$_POST[model]', '$_POST[version]', '$_POST[info]')"))
{
?>
<?php
$myid = $_POST['id'];
//Select the post from the database according to the id.
$query = mysql_query("SELECT * FROM repairs WHERE id=" .$myid . " AND name = '' AND email = '' AND address1 = '' AND postcode = '';") or die(header('Location: 404.php'));
//This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
if( mysql_num_rows($query) < 1 )
{
header('Location: 404.php');
exit;
}
//Assign variable names to each column in the database.
while($row = mysql_fetch_array($query))
{
$model = $row['model'];
$problem = $row['problem'];
}
//Select the post from the database according to the id.
$query2 = mysql_query('SELECT * FROM devices WHERE version = "'.$model.'" AND issue = "'.$problem.'";') or die(header('Location: 404.php'));
//This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
if( mysql_num_rows($query2) < 1 )
{
header('Location: 404.php');
exit;
}
//Assign variable names to each column in the database.
while($row2 = mysql_fetch_array($query2))
{
$price = $row2['price'];
$device = $row2['device'];
$image = $row2['image'];
}
?>
<?php echo $id; ?>
<?php echo $model; ?>
<?php echo $problem; ?>
<?php echo $price; ?>
<?php echo $device; ?>
<?php echo $image; ?>
<?
}
else
{
echo '<meta http-equiv="refresh" content="2; URL=iphone.php"><div id="confirms" style="text-align:center;">Oops! An error occurred while submitting the post! Try again…</div></br>';
}
}
?>
答案 0 :(得分:2)
表中的id是什么数据类型?您可能需要用单引号括起来。
$query = msql_query("SELECT * FROM repairs WHERE id = '$myid' AND...")
编辑:您也不需要使用双引号字符串连接。
答案 1 :(得分:0)
检查$ myid的值和整个动态创建的SQL字符串,以确保它包含您认为包含的内容。
您的问题很可能是因为对可能包含NULL值的列使用空字符串比较而产生的。对所有空字符串尝试name IS NULL,依此类推。
答案 2 :(得分:0)
$myid为空的唯一原因是它是否未被浏览器发送。确保您的表单操作设置为POST。您可以使用以下内容验证$_POST中是否有值:
print_r($_POST);
然后,回应您的查询以确保它符合您的预期。尝试通过PHPMyAdmin或MySQL Workbench手动运行它。
答案 3 :(得分:0)
使用$something = mysql_real_escape_string($POST['something']);
不仅阻止SQL注入,它还可以防止因人们输入数据而导致的语法错误:
name = O'Reilly <<-- query will bomb with an error
memo = Chairman said: "welcome"
etc.
因此,为了拥有一个有效且有效的应用程序,它确实是不可或缺的
"I'll fix it later"的论点有一些逻辑缺陷: