Php 可以在WHERE子句中使用$\u POST吗
在这个问题上没有真正直接的答案,所以我想我应该试一试Php 可以在WHERE子句中使用$\u POST吗,php,mysql,variables,methods,Php,Mysql,Variables,Methods,在这个问题上没有真正直接的答案,所以我想我应该试一试 $myid = $_POST['id']; //Select the post from the database according to the id. $query = mysql_query("SELECT * FROM repairs WHERE id = " .$myid . " AND name = '' AND email = '' AND address1 = '' AND postcode = '';
$myid = $_POST['id'];
//Select the post from the database according to the id.
$query = mysql_query("SELECT * FROM repairs WHERE id = " .$myid . " AND name = '' AND email = '' AND address1 = '' AND postcode = '';") or die(header('Location: 404.php'));
上面的代码应该将变量$myid设置为id的发布内容,然后在SQL WHERE子句中使用该变量根据提交的id从数据库中获取数据。忘记了潜在的SQL注入(稍后我将修复它们)为什么这不起作用
好的,下面是我测试的完整代码:
<?php
//This includes the variables, adjusted within the 'config.php file' and the functions from the 'functions.php' - the config variables are adjusted prior to anything else.
require('configs/config.php');
require('configs/functions.php');
//Check to see if the form has been submited, if it has we continue with the script.
if(isset($_POST['confirmation']) and $_POST['confirmation']=='true')
{
//Slashes are removed, depending on configuration.
if(get_magic_quotes_gpc())
{
$_POST['model'] = stripslashes($_POST['model']);
$_POST['problem'] = stripslashes($_POST['problem']);
$_POST['info'] = stripslashes($_POST['info']);
}
//Create the future ID of the post - obviously this will create and give the id of the post, it is generated in numerical order.
$maxid = mysql_fetch_array(mysql_query('select max(id) as id from repairs'));
$id = intval($maxid['id'])+1;
//Here the variables are protected using PHP and the input fields are also limited, where applicable.
$model = mysql_escape_string(substr($_POST['model'],0,9));
$problem = mysql_escape_string(substr($_POST['problem'],0,255));
$info = mysql_escape_string(substr($_POST['info'],0,6000));
//The post information is submitted into the database, the admin is then forwarded to the page for the new post. Else a warning is displayed and the admin is forwarded back to the new post page.
if(mysql_query("insert into repairs (id, model, problem, info) values ('$_POST[id]', '$_POST[model]', '$_POST[version]', '$_POST[info]')"))
{
?>
<?php
$myid = $_POST['id'];
//Select the post from the database according to the id.
$query = mysql_query("SELECT * FROM repairs WHERE id=" .$myid . " AND name = '' AND email = '' AND address1 = '' AND postcode = '';") or die(header('Location: 404.php'));
//This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
if( mysql_num_rows($query) < 1 )
{
header('Location: 404.php');
exit;
}
//Assign variable names to each column in the database.
while($row = mysql_fetch_array($query))
{
$model = $row['model'];
$problem = $row['problem'];
}
//Select the post from the database according to the id.
$query2 = mysql_query('SELECT * FROM devices WHERE version = "'.$model.'" AND issue = "'.$problem.'";') or die(header('Location: 404.php'));
//This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
if( mysql_num_rows($query2) < 1 )
{
header('Location: 404.php');
exit;
}
//Assign variable names to each column in the database.
while($row2 = mysql_fetch_array($query2))
{
$price = $row2['price'];
$device = $row2['device'];
$image = $row2['image'];
}
?>
<?php echo $id; ?>
<?php echo $model; ?>
<?php echo $problem; ?>
<?php echo $price; ?>
<?php echo $device; ?>
<?php echo $image; ?>
<?
}
else
{
echo '<meta http-equiv="refresh" content="2; URL=iphone.php"><div id="confirms" style="text-align:center;">Oops! An error occurred while submitting the post! Try again…</div></br>';
}
}
?>
检查$myid的值和整个动态创建的SQL字符串,以确保它包含您认为它包含的内容
您的问题可能是由于对可能包含空值的列使用空字符串比较造成的。请尝试对所有空字符串使用name IS NULL
,依此类推
$myid
为空的唯一原因是它不是由浏览器发送的。确保表单操作设置为POST。您可以使用以下内容验证$\u POST
中是否存在值:
print_r($_POST);
并且,重复您的查询,以确保它是您期望的。尝试通过PHPMyAdmin或MySQL Workbench手动运行它。表中的id是什么数据类型?你可能需要用单引号括起来
$query = msql_query("SELECT * FROM repairs WHERE id = '$myid' AND...")
编辑:也不需要使用双引号字符串连接。使用$something=mysql\u real\u escape\u string($POST['something'])代码>
不仅可以防止SQL注入,还可以防止由于输入数据而导致的语法错误,例如:
name = O'Reilly <<-- query will bomb with an error
memo = Chairman said: "welcome"
etc.
name=O'Reilly它确实。您一定有其他问题未发布。返回的错误是什么?-使用php.net/mysql_query中的示例代码来显示您的错误为什么在查询的末尾有一个分号?@IgnacioVazquez Abrams这是多余的只是想指出,“我以后再修复它”通常会导致一些无法修复的问题,而在SQL注入的情况下,这是不应该延迟的问题。