如果在mysql / php脚本中忽略了语句?

时间:2011-11-22 21:39:22

标签: php mysql

我的变量sqlConditions仅在用户输入该字段的文本时才会附加。我把“if(isset($ _ POST ['example']))”用来检查这个,但这似乎并不能阻止每个变量附加。

例如:如果用户仅在“lastname”字段中插入文本,则$ query变量应返回:

 UPDATE students SET lastname = whateveruserputin 

然而,它看起来像这样:

 UPDATE students SET lastname = test , firstname = , major = , gpa = 

我该如何解决这个问题!?我真的想让这段代码正常工作。提前致谢。

代码:

//connect to server

if(isset($_POST['submit']))
{

$id=$_POST['id'];
$lastname=$_POST['lastname'];
$firstname=$_POST['firstname'];
$color=$_POST['color'];
$number=$_POST['number'];

    //need id to be filled and need at least one other content type to change
    if(empty($id) || empty($lastname) and empty($firstname) and empty($color) and empty($number))
{

        echo "<font color='red'>Invalid Submission. You did not enter an ID or did not input an additional form element.  </font><br/>";

}

else // if all the fields are filled (not empty)
{   

$sqlConditions = array();

   if(isset($_POST['lastname'])){
    $lastName = filter_var($_POST['lastname'], FILTER_SANITIZE_STRING);
    $sqlConditions[] = 'lastname = ' . $lastName;
    } else {
    $lastName = '';
    }

if(isset($_POST['firstname'])){
    $firstName = filter_var($_POST['firstname'], FILTER_SANITIZE_STRING);
    $sqlConditions[] = 'firstname = ' . $firstName;
    } else {
    $firstName = '';
    }

    if(isset($_POST['color'])){
    $color = filter_var($_POST['color'], FILTER_SANITIZE_STRING);
    $sqlConditions[] = 'color = ' . $color;
    } else {
    $color = '';
    }

if(isset($_POST['number'])){
    $number = filter_var($_POST['number'], FILTER_SANITIZE_STRING);
    $sqlConditions[] = 'number = ' . $number;
    } else {
    $number= '';
    }
print $sqlConditions;

$query = 'UPDATE students SET ' . join (' , ', $sqlConditions);
print $query;

    insert data to database     
    //$query = mysql_query("UPDATE students SET lastname = '$lastname', firstname = '$firstname', color = '$color', number = '$number'
    //WHERE id = '$id'");
    //if (!query)
    //{
    //die('Error: ' . mysql_error());
    //}


    // Close connection to the database
    mysql_close($con);

}

 }

3 个答案:

答案 0 :(得分:4)

isset还不够;同时添加!empty支票,例如:

if(isset($_POST['lastname']) && !empty($_POST['lastname'])

修改
此外,为了使代码中的注释更好地反映您的需求,您的if语句应该是:

//need id to be filled and need at least one other content type to change
if(empty($id) && (empty($lastname) || empty($firstname) || empty($color) || empty($number))

以下是您的代码,其中包含一些改进 * 以及有关在字符串中添加引号的注释的修正:

<?php

//connect to server

if(isset($_POST['submit']))
{

$id=$_POST['id'];
$lastname=$_POST['lastname'];
$firstname=$_POST['firstname'];
$color=$_POST['color'];
$number=$_POST['number'];

    //need id to be filled and need at least one other content type to change
    if(empty($id) && (empty($lastname) || empty($firstname) || empty($color) || empty($number))
    {
        echo "<font color='red'>Invalid Submission. You did not enter an ID or did not input an additional form element.  </font><br/>";
    }
    else // if all the fields are filled (not empty)
    {   
        $sqlConditions = array();

        if(isset($lastname) && !empty($lastname)){
            $lastName = filter_var($lastname, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "lastname = '" . $lastname . "'";
        } 
        else 
        {
            $lastName = '';
        }

        if(isset($firstname))
        {
            $firstName = filter_var($firstname, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "firstname = '" . $firstname . "'";
        } 
        else 
        {
            $firstName = '';
        }

        if(isset($color) && !empty($color))
        {
            $color = filter_var($color, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "color = '" . $color . "'";
        } 
        else 
        {
            $color = '';
        }

        if(isset($number))
        {
            $number = filter_var($number, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "number = '" . $number . "'";
        } 
        else 
        {
            $number= '';
        }
        print $sqlConditions;

        $query = 'UPDATE students SET ' . join (' , ', $sqlConditions);
        print $query;

        //insert data to database     
        //$query = mysql_query("UPDATE students SET lastname = '$lastname', firstname = '$firstname', color = '$color', number = '$number'
        //WHERE id = '$id'");
        //if (!query)
        //{
        //die('Error: ' . mysql_error());
        //}

        // Close connection to the database
        mysql_close($con);
    }
}

* 由于您已经将所有$_POST项定义为变量,因此无需继续回到集合中。

答案 1 :(得分:1)

我建议你使用这种编码方法:

$lastName = mysql_real_escape_string($lastName);
$sqlConditions[] = "lastname = '$lastName'";

即使变量是空的,也可以解决您的问题...并使您的代码更安全地进行SQL注入攻击(非常值得推荐!!!)

答案 2 :(得分:0)

在else片段中,您只检查变量是否已设置但变量是否已设置但可能为空。

Isset()检查变量的值是否包含False,0或Empty string但不是NULL。

Empty()函数检查变量是否为空值空字符串,0,NULL或False。

示例:

<?php
 $var = 0;

 if (empty($var)) {
  echo 'it is empty since it has value 0 ';
}
if (isset($var)) {
 echo '$var is set though it is empty';
}
?>