
SQL注入和其他攻击

    while ($b_row =mysql_fetch_array ($jobresult) ) {
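// Copy the current job row into local variables.
// Array keys are quoted: a bare word such as job_id is resolved as a constant
// first, which raises a notice or warning on older PHP, is a fatal error on
// PHP 8, and silently selects the wrong column if a constant of that name exists.
//
// Security note: stripslashes() removes backslash escaping, so every value
// below is raw text again. None of them is safe to place in an SQL string or in
// HTML as-is; escape at the point of use (mysql_real_escape_string() for
// queries, htmlspecialchars() for output).
$job_id = stripslashes($b_row['job_id']);
$status = stripslashes($b_row['status']);
$order_no = stripslashes($b_row['order_no']);
$cust = stripslashes($b_row['cust']);
$region = stripslashes($b_row['region']);
$type = stripslashes($b_row['type']);
$qty = stripslashes($b_row['qty']);
$job_name = stripslashes($b_row['job_name']);
$job_add = stripslashes($b_row['job_add']);
$job_add2 = stripslashes($b_row['job_add2']);
$job_city = stripslashes($b_row['job_city']);
$job_state = stripslashes($b_row['job_state']);
$job_zip = stripslashes($b_row['job_zip']);
$job_contact = stripslashes($b_row['job_contact']);
$job_phone1 = stripslashes($b_row['job_phone1']);
$job_phone2 = stripslashes($b_row['job_phone2']);
// These four are copied without stripslashes().
$sch_dte = $b_row['sch_dte'];
$cust_no = $b_row['cust_no'];
$tech_id = $b_row['tech_id'];
$tech_id2 = $b_row['tech_id2'];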

// Format the schedule timestamp for display. The time must be derived first,
// because the second statement overwrites $sch_dte with the formatted date.
// assumes $sch_dte holds a Unix timestamp (it is passed to strftime()) - TODO confirm
$sch_time = strftime("%I:%M %p", $sch_dte);
$sch_dte = strftime("%m/%d/%y", $sch_dte);

// Replace empty display values with a single space
// (presumably so the table cell is not rendered empty).
$order_no = ($order_no == "") ? " " : $order_no;
$cust_no = ($cust_no == "") ? " " : $cust_no;
$qty = ($qty == "") ? " " : $qty;
$job_name = ($job_name == "") ? " " : $job_name;
$job_contact = ($job_contact == "") ? " " : $job_contact;

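// Resolve the display names for this job's service type and status.
//
// Security: $type and $status were passed through stripslashes(), so a stored
// quote character would end the SQL string literal if the value were
// interpolated directly (second-order SQL injection). Each value is escaped
// with mysql_real_escape_string() on the same connection that runs the query.
// ext/mysql was removed in PHP 7; when this code moves to mysqli or PDO, use
// prepared statements with bound parameters instead of escaping.

// Reset first so that a job with no matching row does not show the value left
// over from the previous loop iteration.
$service_type = "";
$gettype = mysql_query(
    "SELECT * FROM service_types WHERE ((type_id ='" . mysql_real_escape_string($type, $link) . "'));",
    $link
);
// mysql_query() returns false on failure; skip the fetch loop in that case.
while ($gettype && ($d_row = mysql_fetch_array($gettype))) {
    $service_type = stripslashes($d_row['service_type']);
}

$stat_rep = "";
$getstatus = mysql_query(
    "SELECT * FROM status WHERE ((status_id ='" . mysql_real_escape_string($status, $link) . "'));",
    $link
);
while ($getstatus && ($e_row = mysql_fetch_array($getstatus))) {
    $stat_rep = stripslashes($e_row['short_status']);
}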

/*$gettech = mysql_query("SELECT * FROM tech WHERE ((tech_id ='$tech_id'));",$link);
while ($e_row =mysql_fetch_array ($gettech) ) {
$tech_fname = stripslashes($e_row[tech_fname]);
$tech_lname = stripslashes($e_row[tech_lname]);
$tech_name = "$tech_fname $tech_lname";
}*/


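// Flag whether this job has any comments: $com_yes is "Y" or "N".
// Security: $job_id was passed through stripslashes(), so it is escaped again
// before it goes into the SQL string. With mysqli or PDO, bind it as a
// parameter of a prepared statement instead.
$comresult = mysql_query(
    "SELECT * FROM jobs_comments WHERE ((job_id ='" . mysql_real_escape_string($job_id, $link) . "'));",
    $link
);
// A failed query returns false; treat that as zero rows rather than handing
// false to mysql_num_rows().
$chk_com = $comresult ? mysql_num_rows($comresult) : 0;

$com_yes = ($chk_com != "0") ? "Y" : "N";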

// Open the table row with alternating background colours.
// $bgchk is the toggle: "1" selects white and flips to "0", anything else
// selects grey and flips to "1". $bgcolor keeps the colour used for this row.
if ($bgchk == "1") {
    $bgcolor = "#FFFFFF";
    $bgchk = "0";
} else {
    $bgcolor = "#E8E8E8";
    $bgchk = "1";
}
echo "<tr align=\"center\" " . "bgcolor=\"$bgcolor\"> ";


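// Render the cells of one job row, or a single "no jobs" cell when $chk_job is empty.
//
// Security:
//  - Every database-derived value is HTML-escaped before it is echoed. The
//    values were un-escaped with stripslashes(), so a stored "<script>" or a
//    quote inside an attribute would otherwise be emitted verbatim (stored XSS).
//  - The technician ids are quoted and escaped before they are joined into the
//    IN (...) list; the original joined them unquoted.
// NOTE(review): the charset passed to htmlspecialchars() is assumed to be
// UTF-8 - confirm against the charset the page is served in.
if ($chk_job == "") {
    echo "<td colspan=\"$pdf_colums\">No Jobs currently listed</td>";
} else {
    // HTML-escaped copies used only for output; the raw variables stay untouched.
    $cell = array(
        'job_id' => $job_id,
        'order_no' => $order_no,
        'cust' => $cust,
        'region' => $region,
        'service_type' => $service_type,
        'qty' => $qty,
        'cust_no' => $cust_no,
        'job_name' => $job_name,
        'job_add' => $job_add,
        'job_add2' => $job_add2,
        'job_city' => $job_city,
        'job_state' => $job_state,
        'job_zip' => $job_zip,
        'job_contact' => $job_contact,
        'job_phone1' => $job_phone1,
        'job_phone2' => $job_phone2,
    );
    foreach ($cell as $cell_key => $cell_value) {
        $cell[$cell_key] = htmlspecialchars($cell_value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // The selection checkbox is shown only in group-edit mode and not in PDF output.
    if ($grp_edit == "1" AND $action != "pdf") {
        echo "<td><input name=\"mu[$rw_count]\" type=\"checkbox\" id=\"mu[$rw_count]\" value=\"{$cell['job_id']}\" /></td>";
    }
    // $sch_dte and $sch_time are strftime() output and contain no markup.
    echo "<td>$sch_dte <br>$sch_time</td>";

    // Look up the technician name(s). Each id becomes a quoted, escaped SQL
    // string literal, so an empty or non-numeric id can neither break the
    // statement nor change it.
    $techteam = array($tech_id2);
    $quoted_ids = array();
    foreach ($techteam as $team_id) {
        $quoted_ids[] = "'" . mysql_real_escape_string($team_id) . "'";
    }
    $sql = 'SELECT tech_fname, tech_lname FROM tech WHERE tech_id IN (' . implode(',', $quoted_ids) . ')';
    $result = mysql_query($sql);
    // mysql_query() returns false on failure; skip the loop in that case.
    while ($result && ($row = mysql_fetch_array($result))) {
        $tech_fname = stripslashes($row['tech_fname']);
        $tech_lname = stripslashes($row['tech_lname']);
        // Print the stripslashed, escaped names; the original echoed the raw
        // $row values and never used the two variables above.
        echo "<td>"
            . htmlspecialchars($tech_fname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . " "
            . htmlspecialchars($tech_lname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . ",<br></td>";
    }

    echo "<td>{$cell['order_no']}</td>";
    echo "<td>{$cell['cust']}</td>";
    echo "<td>{$cell['region']}</td>";
    echo "<td>{$cell['service_type']}</td>";
    echo "<td>{$cell['qty']}</td>";
    echo "<td>{$cell['cust_no']}</td>";

    // Job name and address block.
    echo "<td>";
    echo "{$cell['job_name']}<br>{$cell['job_add']} ";
    if ($job_add2 != "") {
        echo "<br>{$cell['job_add2']} ";
    }
    echo "<br>{$cell['job_city']} {$cell['job_state']} {$cell['job_zip']}";
    echo "</td>";

    // Contact name and phone numbers.
    echo "<td>";
    echo "{$cell['job_contact']}<br>{$cell['job_phone1']}";
    if ($job_phone2 != "") {
        echo "<br />{$cell['job_phone2']}";
    }
    echo "</td>";

    // Edit link: the id is URL-encoded because it is placed in a query string.
    echo "<td>";
    echo "<a href=\"admin.php?viewjob=" . urlencode($job_id) . "\"><img src=\"images/edit_all.gif\" width=\"16\" height=\"16\" border=\"0\"></a>";
    echo "</td>";
}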
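// Print all technician names in a single table cell, separated by ",<br>".
// assumes $result is an unread result set of the tech query - TODO confirm;
// a result set that was already looped over yields no rows here.
echo '<td>';
$counter = 0;
while ($row = mysql_fetch_array($result)) {
    $tech_fname = stripslashes($row['tech_fname']);
    $tech_lname = stripslashes($row['tech_lname']);
    // The separator goes in front of every name except the first. Printing it
    // after the name, as before, ran the first two names together and left a
    // trailing separator.
    if ($counter != 0) {
        echo ",<br>";
    }
    // The names are raw text after stripslashes(); escape them for HTML output.
    // NOTE(review): charset assumed to be UTF-8 - confirm against the page charset.
    echo htmlspecialchars("$tech_fname $tech_lname", ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $counter++;
}
echo '</td>';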