
我之前问过这个问题,但问得不够清楚!基本上,我有一个 CMS 的编辑页面,从某个位置起(从某个元素开始),各字段的内容显示在了它们本该出现位置的旁边那个框里。知道这是为什么吗?PHP 变量没有被正确地传递给 MySQL。

<?php 

// Load the study to edit when an id is supplied in the query string.
if(isset($_GET['id'])) 
{ 
    // NOTE(review): $_GET['id'] is concatenated into the SQL text with no
    // escaping or type check, so this query is injectable whenever
    // magic_quotes_gpc is off. Bind the id as a parameter (PDO or mysqli
    // prepared statement) or, on legacy ext/mysql, pass it through
    // mysql_real_escape_string() and keep it inside the quotes.
    $query = "SELECT * ". 
      "FROM studies ". 
      "WHERE id = '".$_GET['id']."'"; 

    // NOTE(review): on failure the raw mysql_error() text is sent to the
    // browser, which can disclose schema details; log it server-side instead.
    $result = mysql_query($query) or die('Error : ' . mysql_error()); 
    // Positional unpacking: the thirteen variables are filled in result-column
    // order, and the query is SELECT *, so this only works while the column
    // order of `studies` matches this list exactly.
    // mysql_fetch_array() returns false when no row matches the id.
     list($id, $pagetitle, $title, $date, $copy, $outputs, $strategies, $client, $niche, $media, $thumbmedia, $newfieldtitle, $newfieldcontent) = mysql_fetch_array($result, MYSQL_NUM); 



} 

// Handle a submitted edit form: copy the posted fields, write them to the
// studies row, then delete the cached pages.
// NOTE(review): no authentication or anti-CSRF check is visible in this
// listing; confirm both are enforced before this point.
if(isset($_POST['update1'])) 
{ 
    // Posted values are copied verbatim; nothing is validated here.
    $id = $_POST['id']; 
    $pagetitle = $_POST['pagetitle']; 
    $title = $_POST['title']; 
    $date = $_POST['date']; 
    $copy = $_POST['copy']; 
    $outputs = $_POST['outputs']; 
    $strategies = $_POST['strategies']; 
    $client = $_POST['client']; 
    $niche = $_POST['niche']; 
    $media = $_POST['media']; 
    $thumbmedia = $_POST['thumbmedia']; 
    $newfieldtitle = $_POST['newfieldtitle']; 
    $newfieldcontent = $_POST['newfieldcontent']; 

    // When magic quotes are off, escape by hand with addslashes().
    // NOTE(review): $id is not in the list below, so with magic quotes off it
    // reaches the WHERE clause unescaped. addslashes() is also not aware of
    // the connection character set; mysql_real_escape_string() or, better,
    // bound parameters are the appropriate tools. Magic quotes were removed
    // in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0.
    if(!get_magic_quotes_gpc()) 
    { 
     $pagetitle = addslashes($pagetitle); 
     $title = addslashes($title); 
     $date = addslashes($date); 
     $copy = addslashes($copy); 
     $outputs = addslashes($outputs); 
     $strategies = addslashes($strategies); 
     $client = addslashes($client); 
     $niche = addslashes($niche); 
     $media = addslashes($media); 
     $thumbmedia = addslashes($thumbmedia); 
     $newfieldtitle = addslashes($newfieldtitle); 
     $newfieldcontent = addslashes($newfieldcontent); 

    } 

    // update the article in the database 
    // The statement is assembled by interpolating the variables above into
    // quoted literals; its safety rests entirely on the escaping done earlier.
    // NOTE(review): mysql_error() output is sent to the browser on failure.
    $query = "UPDATE studies 
      SET pagetitle = '$pagetitle', title = '$title', date = '$date', copy = '$copy', outputs = '$outputs', strategies = '$strategies', client = '$client', niche = '$niche', media = '$media', thumbmedia = '$thumbmedia', newfieldtitle = '$newfieldtitle', newfieldcontent = '$newfieldcontent' ". 
     "WHERE id = '$id'"; 
    mysql_query($query) or die('Error : ' . mysql_error()); 

    // then remove the cached file 
    $cacheDir = dirname(__FILE__) . '/cache/'; 

    // NOTE(review): the file name is built from $_GET['id'], not from the
    // $_POST['id'] that was just updated, and the value is not validated
    // before it becomes part of a path handed to unlink(). Reduce it to a
    // plain file-name component (or an integer) first.
    $cacheFile = $cacheDir . '_' . $_GET['id'] . '.html'; 

    // The @ operator hides any unlink() failure, e.g. when no cache file exists.
    @unlink($cacheFile); 

    // and remove the index.html too because the file list 
    // is changed 
    @unlink($cacheDir . 'index.html'); 

    // NOTE(review): $title is printed into HTML without htmlspecialchars(),
    // and at this point it still carries the slashes added above.
    echo "<b>Article '$title' updated</b>"; 

    // now we will display $title & content 
    // so strip out any slashes 
     $pagetitle = stripslashes($pagetitle); 
     $title = stripslashes($title); 
     $date = stripslashes($date); 
     $copy = stripslashes($copy); 
     $outputs = stripslashes($outputs); 
     $strategies = stripslashes($strategies); 
     $client = stripslashes($client); 
     $niche = stripslashes($niche); 
     $media = stripslashes($media); 
     $thumbmedia = stripslashes($thumbmedia); 
     $newfieldtitle = stripslashes($newfieldtitle); 
     $newfieldcontent = stripslashes($newfieldcontent); 

} 


?> 


<div class="container"> 
<form method="post"> 
<input type="hidden" name="id" value="<?php
    // NOTE(review): this and every field below is echoed without
    // htmlspecialchars(), so stored or posted markup is rendered as HTML.
    // A value containing a double quote or a closing textarea tag ends the
    // attribute or element early, which is an XSS vector and may also push
    // content into the wrong box. No anti-CSRF token is visible in this form.
    echo $id; ?>"> 

<p class="subheadsmall">Browser Title</p> 
<textarea cols="40" rows="1" class="box" name="pagetitle" id="editbox"><?php echo $pagetitle; ?></textarea> 


<p class="subheadsmall">Story Title</p> 
<textarea cols="40" rows="1" class="box" name="title" id="editbox"><?php echo $title; ?></textarea> 

<p class="subheadsmall">Date</p> 
<textarea cols="40" rows="1" class="box" name="date" id="editbox"><?php echo $date; ?></textarea> 

<p class="subheadsmall">Story</p> 
<textarea cols="80" rows="10" class="box" name="copy" id="editbox"><?php echo $copy; ?></textarea> 

<p class="subheadsmall">Outputs</p> 
<textarea cols="80" rows="10" class="box" name="outputs" id="editbox"><?php echo $outputs; ?></textarea> 

<p class="subheadsmall">Strategies</p> 

<p class="subheadsmall">Client</p> 
<select name="client"> 
    <option value="empty">Select a Client...</option> 
<?php 
      // Fill the client drop-down with one option per row of the clients table.
      $result2 = mysql_query("SELECT name FROM clients"); 
       if (!$result2) { 
        // NOTE(review): the driver error text is shown to the visitor here.
        die("Database query failed: " . mysql_error()); 
       } 


while($row = mysql_fetch_array($result2)) { 
    // $clientlist is the raw name; $clientname is the HTML-escaped copy.
    $clientlist = $row['name']; 
    $clientname = htmlspecialchars($row['name']); 

    // Only the posted value is compared, so the $client loaded from the
    // database at the top of the page is not used to preselect an option.
    if ($_POST['client'] == $clientlist) 
    { 

    // NOTE(review): the value attribute uses the raw name, so a name containing
    // a double quote breaks out of the attribute; use the escaped form there too.
    // '\n' in single quotes prints a literal backslash and n, not a newline.
    echo '<option value="' . $clientlist . '" selected="selected" >' . $clientname . '</option>' . '\n'; 
    } 
    else{ 
    echo '<option value="' . $clientlist . '" >' . $clientname . '</option>' . '\n'; 
} 
} 


?> 
</select> 

<p class="subheadsmall">Core Classification</p> 

<?php 

// Render the three "niche" radio buttons, pre-checking the one whose value
// equals $niche; any other value leaves all three unchecked.
// Only fixed literals are echoed, so $niche itself never reaches the page.
switch ($niche) { 
    case "brand": 
     echo '<input type="radio" name="niche" value="brand" checked="checked" />Brand'; 
     echo '<input type="radio" name="niche" value="marketing" />Marketing'; 
     echo '<input type="radio" name="niche" value="communication" />Communication'; 
     break; 
    case "marketing": 
     echo '<input type="radio" name="niche" value="brand" />Brand'; 
     echo '<input type="radio" name="niche" value="marketing" checked="checked" />Marketing'; 
     echo '<input type="radio" name="niche" value="communication" />Communication'; 
     break; 
    case "communication": 
     echo '<input type="radio" name="niche" value="brand" />Brand'; 
     echo '<input type="radio" name="niche" value="marketing" />Marketing'; 
     echo '<input type="radio" name="niche" value="communication" checked="checked" />Communication'; 
     break; 
    // PHP accepts ';' in place of ':' after a case label, so this is the
    // default branch; ':' is the conventional spelling.
    default; 
     echo '<input type="radio" name="niche" value="brand" />Brand'; 
     echo '<input type="radio" name="niche" value="marketing" />Marketing'; 
     echo '<input type="radio" name="niche" value="communication" />Communication'; 
    break; 
} 

?> 

<p class="subheadsmall">Add New Strategy</p> 
<textarea cols="40" rows="1" class="box" name="strategies" id="editbox"><?php
    // NOTE(review): the remaining fields are also echoed without
    // htmlspecialchars(); content containing a closing textarea tag ends the
    // element early and the rest is rendered as page markup.
    echo $strategies; ?></textarea> 

<p class="subheadsmall">Media</p> 
<textarea cols="80" rows="10" class="box" name="media" id="editbox"><?php echo $media; ?></textarea> 

<p class="subheadsmall">Thumbnail image</p> 
<textarea cols="80" rows="3" class="box" name="thumbmedia" id="editbox"><?php echo $thumbmedia; ?></textarea> 

<p class="subheadsmall">Additional Field</p> 

<p class="subheadsmall">Additional Field Title</p> 
<textarea cols="40" rows="1" class="box" name="newfieldtitle" id="editbox"><?php echo $newfieldtitle; ?></textarea> 
<p class="subheadsmall">Additional Field Content</p> 
<textarea cols="40" rows="3" class="box" name="newfieldcontent" id="editbox"><?php echo $newfieldcontent; ?></textarea> 



<input name="update1" type="submit" class="box" id="editbutton" value="Update Article"> 

</form> 

你能重新表述一下你的问题吗? – Graviton 2009-06-30 07:56:26


什么行?哪个元素? – karim79 2009-06-30 08:11:07

回答

3

顺带说一点安全方面的问题:

为了互联网和所有用户着想,请不要使用 mysql_query,请改用 PDO(http://php.net/pdo)。它会自动转义你的变量,所以不会有 SQL 注入漏洞——前提是通过预处理语句绑定参数;如果仍然把变量直接拼接进查询字符串,PDO 并不会替你转义。

如果您必须使用 mysql_query(例如遗留代码),请确保每个变量在拼入查询字符串之前都先经过 mysql_real_escape_string(http://php.net/mysql_real_escape_string)处理,并且把处理后的值放在引号内。

0
  • 删除 addslashes 和魔术引号那一套,改用 mysql_real_escape_string()
  • 这样的查询会让你暴露在 SQL 注入之下:SELECT * FROM studies WHERE id = '".$_GET['id']."'
    • 如果我请求的是 domain.tld/page.ext?id=SELECT * FROM users 会怎样?

我把我看到的一些问题重写了一遍,你可以试试这个版本。

<?php 

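// Load the study to edit when an id is supplied in the query string.
if (isset($_GET['id']) && is_string($_GET['id']))
{
    // The id is untrusted input. mysql_real_escape_string() only neutralises
    // characters that could terminate a quoted SQL string, so the escaped
    // value has to sit inside quotes; left bare in a numeric position it is
    // still injectable. Bound parameters (PDO or mysqli prepared statements)
    // remove the problem entirely and are the preferred fix, since ext/mysql
    // was removed in PHP 7.
    $query = "SELECT * FROM studies WHERE id = '" . mysql_real_escape_string($_GET['id']) . "'";

    $result = mysql_query($query);
    if (!$result) {
        // Keep driver error text out of the response; it can reveal schema details.
        error_log('studies lookup failed: ' . mysql_error());
        die('Error : database query failed');
    }

    // Positional unpacking: the variables are filled in result-column order,
    // so this relies on the column order of `studies` matching the list.
    // mysql_fetch_array() returns false when no row matches, which leaves
    // every variable null.
    list($id, $pagetitle, $title, $date, $copy, $outputs, $strategies, $client, $niche, $media, $thumbmedia, $newfieldtitle, $newfieldcontent) = mysql_fetch_array($result, MYSQL_NUM);
}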

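// Handle a submitted edit form: store the posted fields, then evict the cached
// pages so they are rebuilt from the new content.
// NOTE(review): no authentication or anti-CSRF check is visible in this
// listing; confirm both are enforced before this point.
if (isset($_POST['update1']))
{
    $id = $_POST['id'];
    $pagetitle = $_POST['pagetitle'];
    $title = $_POST['title'];
    $date = $_POST['date'];
    $copy = $_POST['copy'];
    $outputs = $_POST['outputs'];
    $strategies = $_POST['strategies'];
    $client = $_POST['client'];
    $niche = $_POST['niche'];
    $media = $_POST['media'];
    $thumbmedia = $_POST['thumbmedia'];
    $newfieldtitle = $_POST['newfieldtitle'];
    $newfieldcontent = $_POST['newfieldcontent'];

    // update the article in the database
    // Every value is escaped and placed inside a quoted SQL literal, the only
    // position in which mysql_real_escape_string() is effective.
    // Assumes magic_quotes_gpc is off; with it on, values would be escaped
    // twice - TODO confirm for the target PHP version.
    $values = compact(
        'pagetitle', 'title', 'date', 'copy', 'outputs', 'strategies',
        'client', 'niche', 'media', 'thumbmedia', 'newfieldtitle', 'newfieldcontent'
    );
    $assignments = array();
    foreach ($values as $column => $value) {
        $assignments[] = $column . " = '" . mysql_real_escape_string($value) . "'";
    }
    $query = 'UPDATE studies SET ' . implode(', ', $assignments)
        . " WHERE id = '" . mysql_real_escape_string($id) . "'";

    if (!mysql_query($query)) {
        // Keep driver error text out of the response; it can reveal schema details.
        error_log('studies update failed: ' . mysql_error());
        die('Error : database query failed');
    }

    // then remove the cached file
    // The name is derived from the id of the row that was just updated and is
    // reduced to its final path component, so a crafted id cannot point
    // unlink() at a file outside the cache directory.
    $cacheDir = dirname(__FILE__) . '/cache/';
    $cacheFile = $cacheDir . '_' . basename((string) $id) . '.html';

    // Best effort: the cache file may not exist yet, so failures are ignored.
    @unlink($cacheFile);

    // and remove the index.html too because the file list
    // is changed
    @unlink($cacheDir . 'index.html');

    // The title is user input; escape it before it is written into the page.
    echo "<b>Article '" . htmlspecialchars($title, ENT_QUOTES) . "' updated</b>";

}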


?> 


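<?php
// Edit form for one study. Each value is escaped with htmlspecialchars() at
// the point of output, so quotes, angle brackets or a closing textarea tag in
// stored content are shown as text instead of ending the attribute or element.
// Pass the page charset as the third argument if it is not PHP's default.
// NOTE(review): no anti-CSRF token is visible in this form; confirm the
// surrounding application adds one and limits the page to authenticated editors.
?>
<div class="container">
<form method="post">
<input type="hidden" name="id" value="<?php echo htmlspecialchars($id, ENT_QUOTES); ?>">

<p class="subheadsmall">Browser Title</p>
<textarea cols="40" rows="1" class="box" name="pagetitle" id="editbox"><?php echo htmlspecialchars($pagetitle, ENT_QUOTES); ?></textarea>


<p class="subheadsmall">Story Title</p>
<textarea cols="40" rows="1" class="box" name="title" id="editbox"><?php echo htmlspecialchars($title, ENT_QUOTES); ?></textarea>

<p class="subheadsmall">Date</p>
<textarea cols="40" rows="1" class="box" name="date" id="editbox"><?php echo htmlspecialchars($date, ENT_QUOTES); ?></textarea>

<p class="subheadsmall">Story</p>
<textarea cols="80" rows="10" class="box" name="copy" id="editbox"><?php echo htmlspecialchars($copy, ENT_QUOTES); ?></textarea>

<p class="subheadsmall">Outputs</p>
<textarea cols="80" rows="10" class="box" name="outputs" id="editbox"><?php echo htmlspecialchars($outputs, ENT_QUOTES); ?></textarea>

<p class="subheadsmall">Strategies</p>

<p class="subheadsmall">Client</p>
<select name="client">
    <option value="empty">Select a Client...</option>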
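<?php
// Fill the client drop-down with one option per row of the clients table.
$result2 = mysql_query("SELECT name FROM clients");
if (!$result2) {
    // Keep driver error text out of the response; it can reveal schema details.
    error_log('clients lookup failed: ' . mysql_error());
    die('Database query failed');
}

// Preselect against $client, which holds the stored value after a load and
// the posted value after an update, rather than against $_POST['client'],
// which is undefined on the initial GET.
$hasClient = isset($client);

while ($row = mysql_fetch_assoc($result2)) {
    // Names come from the database and may contain quotes or markup, so the
    // same escaped form is used for both the value attribute and the label.
    $clientname = htmlspecialchars($row['name'], ENT_QUOTES);
    $selected = ($hasClient && (string) $client === (string) $row['name'])
        ? ' selected="selected"'
        : '';

    // "\n" must be double-quoted; in single quotes PHP prints a literal
    // backslash followed by n into the page.
    echo '<option value="' . $clientname . '"' . $selected . ' >' . $clientname . '</option>' . "\n";
}

?>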
</select> 

<p class="subheadsmall">Core Classification</p> 

<?php

// Render the three "niche" radio buttons, pre-checking the first one whose
// value loosely equals $niche; any other value leaves all three unchecked.
// Only fixed literals are echoed, so $niche itself never reaches the page.
$nicheLabels = array(
    'brand' => 'Brand',
    'marketing' => 'Marketing',
    'communication' => 'Communication',
);

// Find the first matching option, using the same loose comparison and
// first-match order a switch statement applies to its case labels.
$checkedNiche = null;
foreach ($nicheLabels as $nicheValue => $nicheLabel) {
    if ($niche == $nicheValue) {
        $checkedNiche = $nicheValue;
        break;
    }
}

foreach ($nicheLabels as $nicheValue => $nicheLabel) {
    $checkedAttr = ($nicheValue === $checkedNiche) ? ' checked="checked"' : '';
    echo '<input type="radio" name="niche" value="' . $nicheValue . '"' . $checkedAttr . ' />' . $nicheLabel;
}

?>

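<?php
// Remaining edit fields. Values are escaped with htmlspecialchars() on output
// so stored content containing markup or a closing textarea tag is displayed
// as text and cannot end the element early.
?>
<p class="subheadsmall">Add New Strategy</p>
<textarea cols="40" rows="1" class="box" name="strategies" id="editbox"><?php echo htmlspecialchars($strategies, ENT_QUOTES); ?></textarea>

<p class="subheadsmall">Media</p>
<textarea cols="80" rows="10" class="box" name="media" id="editbox"><?php echo htmlspecialchars($media, ENT_QUOTES); ?></textarea>

<p class="subheadsmall">Thumbnail image</p>
<textarea cols="80" rows="3" class="box" name="thumbmedia" id="editbox"><?php echo htmlspecialchars($thumbmedia, ENT_QUOTES); ?></textarea>

<p class="subheadsmall">Additional Field</p>

<p class="subheadsmall">Additional Field Title</p>
<textarea cols="40" rows="1" class="box" name="newfieldtitle" id="editbox"><?php echo htmlspecialchars($newfieldtitle, ENT_QUOTES); ?></textarea>
<p class="subheadsmall">Additional Field Content</p>
<textarea cols="40" rows="3" class="box" name="newfieldcontent" id="editbox"><?php echo htmlspecialchars($newfieldcontent, ENT_QUOTES); ?></textarea>



<input name="update1" type="submit" class="box" id="editbutton" value="Update Article">

</form>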

编辑:我对你的代码做了一些修改,另外我认为你的问题出在这一行:

while($row = mysql_fetch_array($result2)) { 

我想你需要的是 mysql_fetch_assoc(),它返回关联数组。

2

我想你只是把内容赋给了错误的变量,问题大概出在这里:

list($id, $pagetitle, $title, ...) = mysql_fetch_array($result, MYSQL_NUM); 

依赖数据库字段确切顺序的代码很不可靠,维护起来也很可怕。

为什么要经历将它们从数组中复制到单独变量中的麻烦?只要保留它们,直到你需要它们:

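<?php
// Keep the row as an associative array so each field is looked up by column
// name instead of by its position in the result set.
$row = mysql_fetch_assoc($result);
?> 
... 
<textarea name="date"><?php
    // Escape on output so stored markup cannot end the textarea early.
    echo htmlspecialchars($row['date'], ENT_QUOTES); ?></textarea>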