PHP变量错误地传递给MySQL
PHP变量错误地传递给MySQL
提问于 2009-06-30 07:54:47
我以前问过这个问题,但不是很好!基本上,我有一个CMS的编辑页面,沿线的某处(从元素向上)的字段显示在框中旁边的地方,他们应该是显示。你知道为什么吗?
<?php
if(isset($_GET['id']))
{
$query = "SELECT * ".
"FROM studies ".
"WHERE id = '".$_GET['id']."'";
$result = mysql_query($query) or die('Error : ' . mysql_error());
list($id, $pagetitle, $title, $date, $copy, $outputs, $strategies, $client, $niche, $media, $thumbmedia, $newfieldtitle, $newfieldcontent) = mysql_fetch_array($result, MYSQL_NUM);
}
if(isset($_POST['update1']))
{
$id = $_POST['id'];
$pagetitle = $_POST['pagetitle'];
$title = $_POST['title'];
$date = $_POST['date'];
$copy = $_POST['copy'];
$outputs = $_POST['outputs'];
$strategies = $_POST['strategies'];
$client = $_POST['client'];
$niche = $_POST['niche'];
$media = $_POST['media'];
$thumbmedia = $_POST['thumbmedia'];
$newfieldtitle = $_POST['newfieldtitle'];
$newfieldcontent = $_POST['newfieldcontent'];
if(!get_magic_quotes_gpc())
{
$pagetitle = addslashes($pagetitle);
$title = addslashes($title);
$date = addslashes($date);
$copy = addslashes($copy);
$outputs = addslashes($outputs);
$strategies = addslashes($strategies);
$client = addslashes($client);
$niche = addslashes($niche);
$media = addslashes($media);
$thumbmedia = addslashes($thumbmedia);
$newfieldtitle = addslashes($newfieldtitle);
$newfieldcontent = addslashes($newfieldcontent);
}
// update the article in the database
$query = "UPDATE studies
SET pagetitle = '$pagetitle', title = '$title', date = '$date', copy = '$copy', outputs = '$outputs', strategies = '$strategies', client = '$client', niche = '$niche', media = '$media', thumbmedia = '$thumbmedia', newfieldtitle = '$newfieldtitle', newfieldcontent = '$newfieldcontent' ".
"WHERE id = '$id'";
mysql_query($query) or die('Error : ' . mysql_error());
// then remove the cached file
$cacheDir = dirname(__FILE__) . '/cache/';
$cacheFile = $cacheDir . '_' . $_GET['id'] . '.html';
@unlink($cacheFile);
// and remove the index.html too because the file list
// is changed
@unlink($cacheDir . 'index.html');
echo "<b>Article '$title' updated</b>";
// now we will display $title & content
// so strip out any slashes
$pagetitle = stripslashes($pagetitle);
$title = stripslashes($title);
$date = stripslashes($date);
$copy = stripslashes($copy);
$outputs = stripslashes($outputs);
$strategies = stripslashes($strategies);
$client = stripslashes($client);
$niche = stripslashes($niche);
$media = stripslashes($media);
$thumbmedia = stripslashes($thumbmedia);
$newfieldtitle = stripslashes($newfieldtitle);
$newfieldcontent = stripslashes($newfieldcontent);
}
?>
<div class="container">
<form method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>">
<p class="subheadsmall">Browser Title</p>
<textarea cols="40" rows="1" class="box" name="pagetitle" id="editbox"><?php echo $pagetitle; ?></textarea>
<p class="subheadsmall">Story Title</p>
<textarea cols="40" rows="1" class="box" name="title" id="editbox"><?php echo $title; ?></textarea>
<p class="subheadsmall">Date</p>
<textarea cols="40" rows="1" class="box" name="date" id="editbox"><?php echo $date; ?></textarea>
<p class="subheadsmall">Story</p>
<textarea cols="80" rows="10" class="box" name="copy" id="editbox"><?php echo $copy; ?></textarea>
<p class="subheadsmall">Outputs</p>
<textarea cols="80" rows="10" class="box" name="outputs" id="editbox"><?php echo $outputs; ?></textarea>
<p class="subheadsmall">Strategies</p>
<p class="subheadsmall">Client</p>
<select name="client">
<option value="empty">Select a Client...</option>
<?php
$result2 = mysql_query("SELECT name FROM clients");
if (!$result2) {
die("Database query failed: " . mysql_error());
}
while($row = mysql_fetch_array($result2)) {
$clientlist = $row['name'];
$clientname = htmlspecialchars($row['name']);
if ($_POST['client'] == $clientlist)
{
echo '<option value="' . $clientlist . '" selected="selected" >' . $clientname . '</option>' . '\n';
}
else{
echo '<option value="' . $clientlist . '" >' . $clientname . '</option>' . '\n';
}
}
?>
</select>
<p class="subheadsmall">Core Classification</p>
<?php
switch ($niche) {
case "brand":
echo '<input type="radio" name="niche" value="brand" checked="checked" />Brand';
echo '<input type="radio" name="niche" value="marketing" />Marketing';
echo '<input type="radio" name="niche" value="communication" />Communication';
break;
case "marketing":
echo '<input type="radio" name="niche" value="brand" />Brand';
echo '<input type="radio" name="niche" value="marketing" checked="checked" />Marketing';
echo '<input type="radio" name="niche" value="communication" />Communication';
break;
case "communication":
echo '<input type="radio" name="niche" value="brand" />Brand';
echo '<input type="radio" name="niche" value="marketing" />Marketing';
echo '<input type="radio" name="niche" value="communication" checked="checked" />Communication';
break;
default;
echo '<input type="radio" name="niche" value="brand" />Brand';
echo '<input type="radio" name="niche" value="marketing" />Marketing';
echo '<input type="radio" name="niche" value="communication" />Communication';
break;
}
?>
<p class="subheadsmall">Add New Strategy</p>
<textarea cols="40" rows="1" class="box" name="strategies" id="editbox"><?php echo $strategies; ?></textarea>
<p class="subheadsmall">Media</p>
<textarea cols="80" rows="10" class="box" name="media" id="editbox"><?php echo $media; ?></textarea>
<p class="subheadsmall">Thumbnail image</p>
<textarea cols="80" rows="3" class="box" name="thumbmedia" id="editbox"><?php echo $thumbmedia; ?></textarea>
<p class="subheadsmall">Additional Field</p>
<p class="subheadsmall">Additional Field Title</p>
<textarea cols="40" rows="1" class="box" name="newfieldtitle" id="editbox"><?php echo $newfieldtitle; ?></textarea>
<p class="subheadsmall">Additional Field Content</p>
<textarea cols="40" rows="3" class="box" name="newfieldcontent" id="editbox"><?php echo $newfieldcontent; ?></textarea>
<input name="update1" type="submit" class="box" id="editbutton" value="Update Article">
</form>回答 3
Stack Overflow用户
发布于 2009-06-30 07:58:19
关于安全性的一个附注:
为了互联网和你所有的用户,请不要使用mysql_query。请使用PDO http://php.net/pdo。它会自动转义您的变量,因此您不会有SQL漏洞。
如果您必须使用mysql_query (对于遗留代码),那么在查询字符串中使用每个变量之前,请确保通过http://php.net/mysql_real_escape_string运行它。
Stack Overflow用户
发布于 2009-06-30 08:55:15
我认为您只是将错误的内容赋给了错误的变量,这里可能会发生这种情况:
list($id, $pagetitle, $title, ...) = mysql_fetch_array($result, MYSQL_NUM);您依赖于数据库字段的顺序与您的代码的顺序完全相同。不是很可靠,维护起来也很可怕。
为什么要从一开始就麻烦地把它们从数组复制到单独的变量中呢?只要保持它们的原样,直到您需要它们:
<?php $row = mysql_fetch_assoc($result); ?>
...
<textarea name="date"><?php echo $row['date']; ?></textarea>Stack Overflow用户
发布于 2009-06-30 08:16:14
使用SELECT * FROM
- WHERE id = '".$_GET'id'."'";
- 如果我发出如下请求怎么办: domain.tld/page.ext?id=SELECT * FROM sql
我已经重写了我看到的一堆问题,试一试。
<?php
if(isset($_GET['id']))
{
$query = "SELECT * FROM studies WHERE id = " . mysql_real_escape_string($_GET['id']);
$result = mysql_query($query) or die('Error : ' . mysql_error());
list($id, $pagetitle, $title, $date, $copy, $outputs, $strategies, $client, $niche, $media, $thumbmedia, $newfieldtitle, $newfieldcontent) = mysql_fetch_array($result, MYSQL_NUM);
}
if(isset($_POST['update1']))
{
$id = $_POST['id'];
$pagetitle = $_POST['pagetitle'];
$title = $_POST['title'];
$date = $_POST['date'];
$copy = $_POST['copy'];
$outputs = $_POST['outputs'];
$strategies = $_POST['strategies'];
$client = $_POST['client'];
$niche = $_POST['niche'];
$media = $_POST['media'];
$thumbmedia = $_POST['thumbmedia'];
$newfieldtitle = $_POST['newfieldtitle'];
$newfieldcontent = $_POST['newfieldcontent'];
// update the article in the database
$query = "UPDATE studies
SET pagetitle = '" . mysql_real_escape_string($pagetitle) . "', title = '" . mysql_real_escape_string($title) . "', date = '" . mysql_real_escape_string($date) . "', copy = '" . mysql_real_escape_string($copy) . "', outputs = '" . mysql_real_escape_string($outputs) . "', strategies = '" . mysql_real_escape_string($strategies) . "', client = '" . mysql_real_escape_string($client) . "', niche = '" . mysql_real_escape_string($niche) . "', media = '" . mysql_real_escape_string($media) . "', thumbmedia = '" . mysql_real_escape_string($thumbmedia) . "', newfieldtitle = '" . mysql_real_escape_string($newfieldtitle) . "', newfieldcontent = '" . mysql_real_escape_string($newfieldcontent) . "' ".
"WHERE id = '" . mysql_real_escape_string($id) . "'";
mysql_query($query) or die('Error : ' . mysql_error());
// then remove the cached file
$cacheDir = dirname(__FILE__) . '/cache/';
$cacheFile = $cacheDir . '_' . $_GET['id'] . '.html';
@unlink($cacheFile);
// and remove the index.html too because the file list
// is changed
@unlink($cacheDir . 'index.html');
echo "<b>Article '$title' updated</b>";
}
?>
<div class="container">
<form method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>">
<p class="subheadsmall">Browser Title</p>
<textarea cols="40" rows="1" class="box" name="pagetitle" id="editbox"><?php echo $pagetitle; ?></textarea>
<p class="subheadsmall">Story Title</p>
<textarea cols="40" rows="1" class="box" name="title" id="editbox"><?php echo $title; ?></textarea>
<p class="subheadsmall">Date</p>
<textarea cols="40" rows="1" class="box" name="date" id="editbox"><?php echo $date; ?></textarea>
<p class="subheadsmall">Story</p>
<textarea cols="80" rows="10" class="box" name="copy" id="editbox"><?php echo $copy; ?></textarea>
<p class="subheadsmall">Outputs</p>
<textarea cols="80" rows="10" class="box" name="outputs" id="editbox"><?php echo $outputs; ?></textarea>
<p class="subheadsmall">Strategies</p>
<p class="subheadsmall">Client</p>
<select name="client">
<option value="empty">Select a Client...</option>
<?php
$result2 = mysql_query("SELECT name FROM clients") or die("Database query failed: " . mysql_error());
while($row = mysql_fetch_assoc($result2)) {
$clientlist = $row['name'];
$clientname = htmlspecialchars($row['name']);
if ($_POST['client'] == $clientlist)
{
echo '<option value="' . $clientlist . '" selected="selected" >' . $clientname . '</option>' . '\n';
}
else{
echo '<option value="' . $clientlist . '" >' . $clientname . '</option>' . '\n';
}
}
?>
</select>
<p class="subheadsmall">Core Classification</p>
<?php
switch ($niche) {
case "brand":
echo '<input type="radio" name="niche" value="brand" checked="checked" />Brand';
echo '<input type="radio" name="niche" value="marketing" />Marketing';
echo '<input type="radio" name="niche" value="communication" />Communication';
break;
case "marketing":
echo '<input type="radio" name="niche" value="brand" />Brand';
echo '<input type="radio" name="niche" value="marketing" checked="checked" />Marketing';
echo '<input type="radio" name="niche" value="communication" />Communication';
break;
case "communication":
echo '<input type="radio" name="niche" value="brand" />Brand';
echo '<input type="radio" name="niche" value="marketing" />Marketing';
echo '<input type="radio" name="niche" value="communication" checked="checked" />Communication';
break;
default;
echo '<input type="radio" name="niche" value="brand" />Brand';
echo '<input type="radio" name="niche" value="marketing" />Marketing';
echo '<input type="radio" name="niche" value="communication" />Communication';
break;
}
?>
<p class="subheadsmall">Add New Strategy</p>
<textarea cols="40" rows="1" class="box" name="strategies" id="editbox"><?php echo $strategies; ?></textarea>
<p class="subheadsmall">Media</p>
<textarea cols="80" rows="10" class="box" name="media" id="editbox"><?php echo $media; ?></textarea>
<p class="subheadsmall">Thumbnail image</p>
<textarea cols="80" rows="3" class="box" name="thumbmedia" id="editbox"><?php echo $thumbmedia; ?></textarea>
<p class="subheadsmall">Additional Field</p>
<p class="subheadsmall">Additional Field Title</p>
<textarea cols="40" rows="1" class="box" name="newfieldtitle" id="editbox"><?php echo $newfieldtitle; ?></textarea>
<p class="subheadsmall">Additional Field Content</p>
<textarea cols="40" rows="3" class="box" name="newfieldcontent" id="editbox"><?php echo $newfieldcontent; ?></textarea>
<input name="update1" type="submit" class="box" id="editbutton" value="Update Article">
</form>编辑:我对你的代码做了更多的修改,而且我认为你的问题源于下面这行:
while($row = mysql_fetch_array($result2)) {我想你在找mysql_fetch_assoc()数组。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/1062321
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号