我的变量sqlConditions仅在用户输入该字段的文本时才会附加。我把“if(isset($ _ POST ['example']))”用来检查这个,但这似乎并不能阻止每个变量附加。
例如:如果用户仅在“lastname”字段中插入文本,则$ query变量应返回:
UPDATE students SET lastname = whateveruserputin
然而,它看起来像这样:
UPDATE students SET lastname = test , firstname = , major = , gpa =
我该如何解决这个问题!?我真的想让这段代码正常工作。提前致谢。
代码:
//connect to server
if(isset($_POST['submit']))
{
$id=$_POST['id'];
$lastname=$_POST['lastname'];
$firstname=$_POST['firstname'];
$color=$_POST['color'];
$number=$_POST['number'];
//need id to be filled and need at least one other content type to change
if(empty($id) || empty($lastname) and empty($firstname) and empty($color) and empty($number))
{
echo "<font color='red'>Invalid Submission. You did not enter an ID or did not input an additional form element. </font><br/>";
}
else // if all the fields are filled (not empty)
{
$sqlConditions = array();
if(isset($_POST['lastname'])){
$lastName = filter_var($_POST['lastname'], FILTER_SANITIZE_STRING);
$sqlConditions[] = 'lastname = ' . $lastName;
} else {
$lastName = '';
}
if(isset($_POST['firstname'])){
$firstName = filter_var($_POST['firstname'], FILTER_SANITIZE_STRING);
$sqlConditions[] = 'firstname = ' . $firstName;
} else {
$firstName = '';
}
if(isset($_POST['color'])){
$color = filter_var($_POST['color'], FILTER_SANITIZE_STRING);
$sqlConditions[] = 'color = ' . $color;
} else {
$color = '';
}
if(isset($_POST['number'])){
$number = filter_var($_POST['number'], FILTER_SANITIZE_STRING);
$sqlConditions[] = 'number = ' . $number;
} else {
$number= '';
}
print $sqlConditions;
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions);
print $query;
insert data to database
//$query = mysql_query("UPDATE students SET lastname = '$lastname', firstname = '$firstname', color = '$color', number = '$number'
//WHERE id = '$id'");
//if (!query)
//{
//die('Error: ' . mysql_error());
//}
// Close connection to the database
mysql_close($con);
}
}
答案 0 :(得分:4)
isset
还不够;同时添加!empty
支票,例如:
if(isset($_POST['lastname']) && !empty($_POST['lastname'])
修改强>
此外,为了使代码中的注释更好地反映您的需求,您的if
语句应该是:
//need id to be filled and need at least one other content type to change
if(empty($id) && (empty($lastname) || empty($firstname) || empty($color) || empty($number))
以下是您的代码,其中包含一些改进 * 以及有关在字符串中添加引号的注释的修正:
<?php
//connect to server
if(isset($_POST['submit']))
{
$id=$_POST['id'];
$lastname=$_POST['lastname'];
$firstname=$_POST['firstname'];
$color=$_POST['color'];
$number=$_POST['number'];
//need id to be filled and need at least one other content type to change
if(empty($id) && (empty($lastname) || empty($firstname) || empty($color) || empty($number))
{
echo "<font color='red'>Invalid Submission. You did not enter an ID or did not input an additional form element. </font><br/>";
}
else // if all the fields are filled (not empty)
{
$sqlConditions = array();
if(isset($lastname) && !empty($lastname)){
$lastName = filter_var($lastname, FILTER_SANITIZE_STRING);
$sqlConditions[] = "lastname = '" . $lastname . "'";
}
else
{
$lastName = '';
}
if(isset($firstname))
{
$firstName = filter_var($firstname, FILTER_SANITIZE_STRING);
$sqlConditions[] = "firstname = '" . $firstname . "'";
}
else
{
$firstName = '';
}
if(isset($color) && !empty($color))
{
$color = filter_var($color, FILTER_SANITIZE_STRING);
$sqlConditions[] = "color = '" . $color . "'";
}
else
{
$color = '';
}
if(isset($number))
{
$number = filter_var($number, FILTER_SANITIZE_STRING);
$sqlConditions[] = "number = '" . $number . "'";
}
else
{
$number= '';
}
print $sqlConditions;
$query = 'UPDATE students SET ' . join (' , ', $sqlConditions);
print $query;
//insert data to database
//$query = mysql_query("UPDATE students SET lastname = '$lastname', firstname = '$firstname', color = '$color', number = '$number'
//WHERE id = '$id'");
//if (!query)
//{
//die('Error: ' . mysql_error());
//}
// Close connection to the database
mysql_close($con);
}
}
* 由于您已经将所有$_POST
项定义为变量,因此无需继续回到集合中。
答案 1 :(得分:1)
我建议你使用这种编码方法:
$lastName = mysql_real_escape_string($lastName);
$sqlConditions[] = "lastname = '$lastName'";
即使变量是空的,也可以解决您的问题...并使您的代码更安全地进行SQL注入攻击(非常值得推荐!!!)
答案 2 :(得分:0)
在else片段中,您只检查变量是否已设置但变量是否已设置但可能为空。
Isset()检查变量的值是否包含False,0或Empty string但不是NULL。
Empty()函数检查变量是否为空值空字符串,0,NULL或False。
示例:
<?php
$var = 0;
if (empty($var)) {
echo 'it is empty since it has value 0 ';
}
if (isset($var)) {
echo '$var is set though it is empty';
}
?>