【问题标题】:Can you use $_POST in a WHERE clause你能在 WHERE 子句中使用 $_POST
【发布时间】:2011-10-26 23:09:15
【问题描述】:

没有真正直接的答案,所以我想我会试一试。

$myid = $_POST['id'];

       //Select the post from the database according to the id.
   $query = mysql_query("SELECT * FROM repairs WHERE id = " .$myid . " AND name = '' AND email = '' AND address1 = '' AND postcode = '';") or die(header('Location: 404.php'));

上面的代码应该设置变量$myid作为id的发布内容,然后在SQL WHERE子句中使用该变量根据提交的id从数据库中获取数据。忘记潜在的 SQL 注入(我稍后会修复它们)为什么这不起作用?

好的,这是我测试的完整代码:

<?php

//This includes the variables, adjusted within the 'config.php file' and the functions from the 'functions.php' - the config variables are adjusted prior to anything else.
require('configs/config.php');
require('configs/functions.php');

//Check to see if the form has been submited, if it has we continue with the script.
if(isset($_POST['confirmation']) and $_POST['confirmation']=='true')
{
    //Slashes are removed, depending on configuration.
    if(get_magic_quotes_gpc())
    {
        $_POST['model'] = stripslashes($_POST['model']);
        $_POST['problem'] = stripslashes($_POST['problem']);
        $_POST['info'] = stripslashes($_POST['info']);
    }
    //Create the future ID of the post - obviously this will create and give the id of the post, it is generated in numerical order.
    $maxid = mysql_fetch_array(mysql_query('select max(id) as id from repairs'));
    $id = intval($maxid['id'])+1;

    //Here the variables are protected using PHP and the input fields are also limited, where applicable.
    $model = mysql_escape_string(substr($_POST['model'],0,9));
    $problem = mysql_escape_string(substr($_POST['problem'],0,255));
    $info = mysql_escape_string(substr($_POST['info'],0,6000));

    //The post information is submitted into the database, the admin is then forwarded to the page for the new post. Else a warning is displayed and the admin is forwarded back to the new post page. 
    if(mysql_query("insert into repairs (id, model, problem, info) values ('$_POST[id]', '$_POST[model]', '$_POST[version]', '$_POST[info]')"))
    {

?>

<?php

$myid = $_POST['id'];

       //Select the post from the database according to the id.
   $query = mysql_query("SELECT * FROM repairs WHERE id=" .$myid . " AND name = '' AND email = '' AND address1 = '' AND postcode = '';") or die(header('Location: 404.php'));

       //This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
   if( mysql_num_rows($query) < 1 )
{
 header('Location: 404.php');
 exit;
}

   //Assign variable names to each column in the database.
   while($row = mysql_fetch_array($query))
   {
       $model = $row['model'];
       $problem = $row['problem'];
   }

           //Select the post from the database according to the id.
   $query2 = mysql_query('SELECT * FROM devices WHERE version = "'.$model.'" AND issue = "'.$problem.'";') or die(header('Location: 404.php'));

       //This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
   if( mysql_num_rows($query2) < 1 )
{
 header('Location: 404.php');
 exit;
}

   //Assign variable names to each column in the database.
   while($row2 = mysql_fetch_array($query2))
   {
       $price = $row2['price'];
       $device = $row2['device'];
       $image = $row2['image'];
   }

?>  

<?php echo $id; ?>
<?php echo $model; ?>
<?php echo $problem; ?>
<?php echo $price; ?>
<?php echo $device; ?>
<?php echo $image; ?>

    <?  
    }
    else
    {
        echo '<meta http-equiv="refresh" content="2; URL=iphone.php"><div id="confirms" style="text-align:center;">Oops! An error occurred while submitting the post! Try again…</div></br>';
    }
}
?>

【问题讨论】:

  • 确实如此。 . .您一定有其他问题没有发布。
  • 返回的错误是什么? - 使用 php.net/mysql_query 中的示例代码来显示您的错误
  • 为什么你的查询结尾有分号?
  • @IgnacioVazquez-Abrams 这是多余的
  • 只是想指出,“我稍后会修复它”通常会导致某些问题永远无法修复,而在 SQL 注入的情况下,它永远不应该被延迟。

标签: php mysql variables methods


【解决方案1】:

您的表中的 id 是什么数据类型?您可能需要用单引号括起来。

$query = msql_query("SELECT * FROM repairs WHERE id = '$myid' AND...")

编辑:你也不需要使用双引号字符串的连接。

【讨论】:

    【解决方案2】:
    1. 检查 $myid 的值和整个动态创建的 SQL 字符串,以确保它包含您认为包含的内容。

    2. 您的问题很可能是由于对可能包含 NULL 值的列使用空字符串比较引起的。对所有空字符串尝试name IS NULL 等等。

    【讨论】:

      【解决方案3】:

      $myid 为空的唯一原因是它不是由浏览器发送的。确保您的表单操作设置为 POST。您可以使用以下内容验证 $_POST 中是否存在值:

      print_r($_POST);
      

      并且,回显您的查询以确保它是您所期望的。尝试通过 PHPMyAdmin 或 MySQL Workbench 手动运行它。

      【讨论】:

        【解决方案4】:

        使用$something = mysql_real_escape_string($POST['something']);
        不仅可以防止 SQL 注入,还可以防止由于人们输入以下数据而导致的语法错误:

        name = O'Reilly    <<-- query will bomb with an error
        memo = Chairman said: "welcome"   
        etc.
        

        因此,为了拥有一个有效且有效的应用程序,它确实是必不可少的。
        "I'll fix it later" 的论点存在一些逻辑缺陷:

        • 稍后修复内容会比较慢,因为您需要重新访问旧代码,所以总体上会花费更多时间。
        • 由于上述功能错误,您将在测试中收到不需要的错误报告。
        • 我会稍后再做的事情往往永远不会发生。
        • 安全性不是可选的,它是必不可少的。
        • 如果您完成了项目并且必须由其他人接管,会发生什么情况,(s)他不会知道您未解决的问题。
        • 如果您做某事,请完成它,不要留下各种未解决的问题。
        • 如果我是你的老板并对该代码进行了代码审查,你会当场被解雇。

        【讨论】:

          猜你喜欢
          • 2016-03-30
          • 2018-02-10
          • 2016-03-24
          • 2010-09-17
          • 2021-05-05
          • 2017-01-15
          • 1970-01-01
          • 1970-01-01
          相关资源
          最近更新 更多