JQuery 似乎设置了一个额外的 $_POST 值

【问题标题】:JQuery seems to be setting an extra $_POST valueJQuery 似乎设置了一个额外的 $_POST 值
【发布时间】:2012-02-20 05:48:50
【问题描述】:

我正在开发一个 Wordpress 插件。有多个表单元素,出于某种原因,每次我单击一个表单上的提交按钮时,它都会告诉另一个表单提交。这很不方便,因为当我单击按钮保存新信息时,另一个表单会从数据库中删除第一行。

Javascript:

//This is the Javascript that controls the remove all form.
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>

<script type="text/javascript">
    $(document).ready(function(){
        $('tr.assoc_row').show();
        $('#settings-removed-msg').hide();
        $('#formdeleteassoc').submit(function(e){
            e.preventDefault(); //Works to prevent normal submission of the form.

            $.ajax ({
                type: 'POST',
                url: '',
                data: {remove_all: ''
                },
                success: function() {
                    $('#settings-removed-msg').fadeIn('fast'); //Working now
                    $('tr.assoc_row').fadeOut('fast'); //Working now
                    }
            });

        });
    });
</script>

HTML

<!-- This the the HTML and PHP that renders the options page in Wordpress. -->
<div class="wrap">
    <?php screen_icon('plugins'); ?>
    <h2>Tag to Category Associator</h2>
    <div id="settings-removed-msg" class="updated"><p>Associations were successfully removed.</p></div>
    <form action="<?php echo $_SERVER['PHP_SELF'].'?page=tag2cat-associator'; ?>" method="post">


    <?php
    settings_fields('cb_t2c_options');
    do_settings_sections('tag2cat-associator');
    ?>

    <input name="Submit" type="submit" value="Save Changes" />
    </form></div>

PHP

//These are the form elements.

//Show the buttons to remove all associations and remove a single association.
    echo '<table>';
    echo '<tr>';
        echo '<td></strong>Remove existing associations</strong></td>';
        echo "<td><form action='" . $_SERVER['PHP_SELF'] . "?page=tag2cat-associator' method='post'>";
        echo "<select name='remove_single' id='removeSingle' class='remove-single' >";
            foreach ($cb_t2c_show_associations as $tags) {
            echo "<option value = '".$tags->assoc_ID."'>".$tags->assoc_ID."</option>";
            }
        echo '</select>';
        echo "&nbsp;<input type = 'submit' name='submit-remove' value='Remove'></input>";
    echo '</form></td></tr>';
    echo '<tr>';
        echo '<td>Remove all (Will delete existing associations)</td>';
        echo "<td><form action='" . $_SERVER['PHP_SELF'] . "?page=tag2cat-associator' id='formdeleteassoc' method='post'>";
        echo "<input name='remove_all' id='removeAll' class='remove-all' type='submit'  value='Remove All'></input></form></td></tr>";
    echo '</table>';

//The if's alter the database if the right $_POST information occurs.
if ( isset( $_REQUEST['remove_all'] ) ){
        $wpdb->query("DELETE FROM ".$prefix."cb_tags2cats");
        }

    if ( isset( $_REQUEST['remove_single'] ) ) {
        $remove_assoc = $_REQUEST['remove_single'];
        $wpdb->query("DELETE FROM ".$prefix."cb_tags2cats WHERE assoc_ID = " . $remove_assoc);
        }

【问题讨论】:

  • 你有一个 SQL 注入漏洞。
  • 你能把问题说清楚点吗?
  • 每次单击 时,都会设置 $_REQUEST['remove_single'],并最终从表中删除一行。如果这是由于 SQL 注入漏洞造成的,我该如何修复它?谢谢。

标签: jquery forms post wordpress


【解决方案1】:

问题是由于在 Wordpress 中有 2 个 settings_fields 作为注册设置。基本结构是:

function cb_t2c_admin_init() {
register_setting('cb_t2c_options', 'cb_t2c_options' /*'cv_t2c_validate_options'*/);

    //Define sections and settings
    add_settings_section(
        //This defined the settings section.
        );

    add_settings_field(
        //This defined the first setting, with a call to a function.
        );

    add_settings_field(
        //This defined the unwanted setting.
    );

}

我想用 Wordpress 完成的是在表单之外有一个部分,它会在一个简单的 HTML 表格中向用户显示当前选择的选项。因此,我删除了第二个“add_settings_field”函数,将其回调函数的内容放在绘制选项页面的函数的末尾。例如,

//Draw the options page
function cb_t2c_plugin_options_page () {
    $cb_t2c_remove_all_url = plugin_dir_url( _FILE_ ) . 'remove_all.php';
?>

    <div class="wrap">
    <?php screen_icon('plugins'); ?>
    <h2>Title</h2>
    <div id="new-assoc-msg" class="updated"><p>Data was successfully added.</p></div>
    <form id="formsavesettings" name="save_settings" action="<?php echo $_SERVER['PHP_SELF'].'?page=the_options_page'; ?>" method="post">

    <?php
    settings_fields('cb_t2c_options');
    do_settings_sections('section_name');
    ?>

    <input name="Submit" type="submit" value="Save Changes" />
    </form></div>
    <?php

// Here is where I added the PHP code to show my table full of already selected values.
// This is accomplished with 1 settings section and 1 settings field.
// By previously putting the code in a settings field, I was telling Wordpress to pass along the values to the form.
};

这还没有解决 SQL 注入漏洞,但它确实解释了为什么将意外值传递给表单。

【讨论】:

    猜你喜欢
    • 2012-01-12
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2011-08-13
    • 1970-01-01
    • 2019-10-22
    • 2019-10-22
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode