PHP删除事件ID
我已经制作了一个事件日历,但是现在当用户删除一个事件时,我面临一个问题 截图:PHP删除事件ID,php,mysql,Php,Mysql,我已经制作了一个事件日历,但是现在当用户删除一个事件时,我面临一个问题 截图: 日期 尝试将其相关的事件id放入如下表单中 <form method="POST" action="<?php $_SERVER['PHP_SELF']; ?>"> <input type="hidden" name="event_id" id="event_id" value="<?php echo $events['id'];?>"> <inp
日期
尝试将其相关的事件id
放入如下表单中
<form method="POST" action="<?php $_SERVER['PHP_SELF']; ?>">
<input type="hidden" name="event_id" id="event_id" value="<?php echo $events['id'];?>">
<input type="submit" name="delete" value="Delete"><br >
<input type="submit" name="edit" value="Edit"><br >
</form>
无论何时提交表单,都会传递其事件id,并且需要将post变量传递给delete查询
此外,您需要对id进行转义,以防止在查询时使用mysql\u real\u escape\u string
进行sql注入
$delet_query = mysql_query("DELETE FROM kalender_contents
WHERE `id` = ".mysql_real_escape_string($_POST['event_id']));
创建一个值为event id的隐藏字段
<h2>Date <?php echo "$day"."/"."$month"."/"."$year"."<br>"; ?></h2>
<?php
// event weer gegeven
while ($events = mysql_fetch_array($resultEvents)){
echo "<strong>Event ID:</strong> ".$events['id']."<br>";
echo "Added: ".$events['added']."<br>";
echo "Title: ".$events['titel']."<br>";
echo "Detail: ".$events['content']."<br>";
?>
<form method="POST" action="<?php $_SERVER['PHP_SELF']; ?>">
<input type="hidden" name="event_id" value="<?php echo $events['id'];?>">
<input type="submit" name="delete" value="Delete"><br >
<input type="submit" name="edit" value="Edit"><br >
</form>
<?php
if(isset($_POST['delete'])){
$user = $_POST['delete'];
$delet_query = mysql_query("DELETE FROM kalender_contents WHERE `id` = '$events'") or die(mysql_error());
if($delet_query) {
echo "event deleted";
echo $events;
}
}
}
}
}
?>
日期
使用$events['id'],也把你的if(isset($\u POST['delete']){放在上面不可避免地会有人提到这一点,所以它也可能是我。不要使用mysql.*
函数-改用mysqli或pdo。(这并不能回答问题,你不应该使用它们)这段代码容易受到SQL注入的攻击。不要忘记清理$\u POST['event_id']
value。您可以将其解析为整数或在值周围添加引号,并使用addslashes
或mysql\u real\u escape\u string
对其进行转义。谢谢@GuilhermeSehn但它是隐藏字段,因此无法进行SQL注入。无论如何,感谢您的建议。我已将其添加到我的ans@Gautam3164即使是隐藏的,也是非常危险的使用简单的DOM检查器很容易修改其值!当然,在这种情况下,有一种方法可以通过浏览器开发人员工具更改其值来轻松进行SQL注入。永远不要相信客户端输入。@Gautam3164您当然需要引号!或者转义字符串并将其视为字符串(包括使用引号)或者将其转换为整数。
$delet_query = mysql_query("DELETE FROM kalender_contents
WHERE `id` = ".mysql_real_escape_string($_POST['event_id']));
<h2>Date <?php echo "$day"."/"."$month"."/"."$year"."<br>"; ?></h2>
<?php
// event weer gegeven
while ($events = mysql_fetch_array($resultEvents)){
echo "<strong>Event ID:</strong> ".$events['id']."<br>";
echo "Added: ".$events['added']."<br>";
echo "Title: ".$events['titel']."<br>";
echo "Detail: ".$events['content']."<br>";
?>
<form method="POST" action="<?php $_SERVER['PHP_SELF']; ?>">
<input type="hidden" name="event_id" value="<?php echo $events['id'];?>">
<input type="submit" name="delete" value="Delete"><br >
<input type="submit" name="edit" value="Edit"><br >
</form>
<?php
if(isset($_POST['delete'])){
$user = $_POST['delete'];
$delet_query = mysql_query("DELETE FROM kalender_contents WHERE `id` = '$events'") or die(mysql_error());
if($delet_query) {
echo "event deleted";
echo $events;
}
}
}
}
}
?>