Php mycode上的BUG我花了几个小时找不到问题所在
您好,请查看此代码, 我正在使用此代码更新当前项目, $current_project_id使用“我正在获取要编辑的当前项目” 我已经检查了数据以发布变量,我在执行echo语句时得到了它。 当我使用对象将其传递给类函数时,可能会出现一些问题 另外:如果您在我的代码中发现一些安全问题,将不胜感激:) 用户端:Php mycode上的BUG我花了几个小时找不到问题所在,php,sql,Php,Sql,您好,请查看此代码, 我正在使用此代码更新当前项目, $current_project_id使用“我正在获取要编辑的当前项目” 我已经检查了数据以发布变量,我在执行echo语句时得到了它。 当我使用对象将其传递给类函数时,可能会出现一些问题 另外:如果您在我的代码中发现一些安全问题,将不胜感激:) 用户端: <?php $current_project_id = (int)$_GET["pid"]; //Getting current project to Update from
<?php
$current_project_id = (int)$_GET["pid"]; //Getting current project to Update from URL parameter.
$currentproject = $touchObj->get_projects_by_id($current_project_id); // Using project id to update, we are taking all project data.
?>
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
if(isset($_POST['project_name']) && isset($_POST['project_location'] )) {
include('inc/handleUpload.php'); // Image uplaod class
$up->config('20000000','jpg,gif,png,pdf,txt,doc,docx,xls,xlsx,zip,rar');
$up->upload('project_file','xxxxxxxxxxxxxxxxxxxxxxxxx/'); //Server file location for upload folder.
$project_investor_id = implode(",",$_POST["project_investor_id"]); // Our table field store data as comma seperated separated
$project_name = mysql_real_escape_string($_POST['project_name']);
$project_location = mysql_real_escape_string($_POST['project_location']);
$project_phase = mysql_real_escape_string($_POST['project_phase']);
$project_capital = mysql_real_escape_string($_POST['project_capital']);
$project_total = mysql_real_escape_string($_POST['project_total']);
$project_notes = mysql_real_escape_string($_POST['project_notes']);
$file = $up->fileInfo['fname'];
$touchObj->update_project(
$current_project_id,
$project_investor_id,
$project_name,
$project_location,
$$project_phase,
$project_capital,
$project_total,
$project_notes,
$file
);
}
else
{
echo '<div class="alert alert-info"><h6>Please fill datas...</h6></div>';
}
}
?>
public function update_project($project_id, $project_investor_id, $project_name, $project_location, $project_phase, $project_capital, $project_total, $project_notes, $file){
$result = mysql_query("UPDATE project_table SET
project_investor_id = $project_investor_id,
project_name = $project_name,
project_location = $project_location,
project_phase = $project_phase,
project_capital = $project_capital,
project_total = $project_total,
project_notes = $project_notes,
project_file = $file
WHERE project_id =$project_id");
if($result) {
echo '<div class="alert alert-success"><h6>Project updates... Do not refresh window...</h6></div>';
}
else {
echo '<div class="alert alert-error"><b>Some error while updating the project. Please try again...</b></div>';
}
}
公共功能更新项目($project\u id、$project\u investor\u id、$project\u name、$project\u location、$project\u phase、$project\u capital、$project\u total、$project\u notes、$file){
$result=mysql\u查询(“更新项目\u表集
project\u investor\u id=$project\u investor\u id,
project\u name=$project\u name,
项目位置=$项目位置,
项目阶段=$项目阶段,
project_capital=$project_capital,
项目总数=$项目总数,
项目注释=$项目注释,
项目文件=$file
其中project_id=$project_id”);
如果($结果){
回显“项目更新…不刷新窗口…”;
}
否则{
回显“更新项目时出现错误。请重试…”;
}
}
非常感谢您抽出宝贵的时间我非常确定基于字符的字段将需要用
'project_notes = '$project_notes',
project_notes = $project_notes,
您应该研究术语“SQL注入”,看看为什么将用户输入的值硬塞进查询中是个坏主意。他们所要做的就是以某种方式进入
”,工资=工资*1.5,项目注释=实际项目注释$project\u notes参数化查询更安全。您需要为数据类型为varchar或text的字段的值添加撇号。。例如;project_name=$project_name应该是project_name='$project_name',是的,它可以工作。。。。我只是错过了这些:((什么…代码呢?有什么安全问题吗?SQL注入?mysql\u real\u escape\u字符串对于SQL注入来说足够了。只要确保你有一个活动的DB连接,它就可以工作。你说的活动DB连接是什么意思?我在我的主类的构造函数中有一个数据库连接。这只是必需的吗?是的,很好。通过活动DB连接连接我的意思是,你应该连接到数据库,以便能够使用mysql\u real\u escape\u string();如果你没有它,那么它对你不起作用,相反,它会给出一个错误。我在这里是新手;)您好,我正在使用它向数据库输入数据?只有管理员可以使用这些区域?有问题吗?@Banna360,在不知道您的设置的全部范围的情况下,我不能发表评论,只能说这是应该签出的内容。即使管理员也可以攻击您:-)