2

I'm a bit stuck: I can update the database manually, but it doesn't work through PHP.

Database fields:

Column     Type          Collation          Attributes   Null  Default  Extra
id         int(10)                          UNSIGNED     No             auto_increment    
addedby    varchar(100)  latin1_swedish_ci               No            
location   text          latin1_swedish_ci               No            
details    text          latin1_swedish_ci               No            
deadline   text          latin1_swedish_ci               No            
datefixed  int(200)                                      No    0        
completed  int(11)                                       No    0

add_jobs.php:

<?php

$pagetitle = "Add Job";

$checkrank = 3;

include ($_SERVER['DOCUMENT_ROOT'].'/header.inc.php');


$helpfaerie = mysql_fetch_array(mysql_query("SELECT * FROM helpfaerie WHERE page = 'reportbug'"));
$helpfaerie2 = mysql_fetch_array(mysql_query("SELECT * FROM members WHERE username = '$username'"));

if ($helpfaerie2[helpfaerie] == 1)
{
echo "<div id=\"helpfaerie\" style=\"overflow: auto; position:fixed; bottom:0; right:0; \"><table width=\"200\" border=\"0\" cellspacing=\"0\" cellpadding=\"4\" style=\"border-top: 1pt solid black;border-bottom: 1pt solid black;border-left: 1pt solid black;border-right: 1pt solid black; background-color:#ffffff;\">
  <tr>
    <td><center><img src=\"http://images.neopets.com/items/toy_faerie_psellia.gif\" border=\"0\"></center></td>
  </tr>
  <tr>
    <td><p>$helpfaerie[text]</p></td>
  </tr>
  <tr>
    <td style=\"text-align: right;\">[<a href=\"$baseurl/closehelp.pro.php\">x</a>]</td>
  </tr>
</table></div>";
}





ECHO <<<END






<center>
<FORM ACTION="add_jobs.pro.php" enctype="multipart/form-data" METHOD=POST>
<table width="366" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td colspan="2"><center>Add Job<p></center></td>
  </tr>
  <tr>
    <td width="118">Job Location (If any):</td>
    <td width="249"><textarea name="page"  cols="20" rows="1" value="" ></textarea></td>
  </tr>
  <tr>
    <td width="118">Details::</td>
    <td width="249"><textarea  name="wrong" cols="20" rows="10" value=""  ></textarea></td>
  </tr>

  <tr>
    <td width="118">Deadline::</td>
    <td width="249"><textarea name="line" cols="20" rows="1" value=""></textarea></td>
  </tr>
    <tr>
    <td>&nbsp;</td>
    <td>&nbsp;</td>
  </tr>
  <tr>
    <td colspan="2"><center><font size="-1"><i>
      <input type=submit name=Submit value="Add Jobs">
    </i></font></center></td>
  </tr>
</table></FORM>
<p>&nbsp;</p></center>









END;




include ($_SERVER['DOCUMENT_ROOT'].'/footer.inc.php');


?>

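Note: dblink (links to my database, works fine) and addon, which is basically for smilies and syntax.

Basically this is a jobs page that we update with the jobs we need to do around the site.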

add_jobs.pro.php:

<?php

$pagetitle = "Add Jobs";

$checkrank = 3;

include ($_SERVER['DOCUMENT_ROOT'].'/addon.php');

include ($_SERVER['DOCUMENT_ROOT'].'/dblink.php');

include ($_SERVER['DOCUMENT_ROOT'].'/security/stripusers.php');




$page = $_POST['page'];
$wrong = $_POST['wrong'];
$line = $_POST['line'];



$page = mysql_real_escape_string($page);
$page = stripslashes($page);
$page = stripusers($page);


$wrong = mysql_real_escape_string($wrong);
$wrong = stripslashes($wrong);
$wrong = stripusers($wrong);

$line = mysql_real_escape_string($line);
$line = stripslashes($line);
$line = stripusers($line);

if ((!$page) OR (!$wrong)  OR (!$line)) 

{

               die(header("Location: $baseurl/add_jobs.php?error=Please+do+not+leave+any+info+blank."));

}





else

{

        mysql_query("INSERT INTO assignments (addedby,location,details,deadline,datefixed) VALUES ('$username','$page','$wrong','$line','$timestamp','0')");

        header("Location: add_jobs.php?error=Thank+you.+Your+Job+has+been+submitted.");

}



?>

I've just run into another problem.

Once jobs are submitted, they get listed here:

<?php



$pagetitle = "Active Jobs";

$checkrank = 0;


include ($_SERVER['DOCUMENT_ROOT'].'/header.inc.php');


$view=$_GET['view'];

$num = mysql_num_rows(mysql_query("SELECT * FROM `assignments` WHERE 1"));



if ($num <= 0)
{
    echo "


<p><center>

There are no active jobs :D";
}



$sort = mysql_query("SELECT * FROM `assignments` WHERE 1");
while($sort2 = mysql_fetch_array($sort))


{





 if($sort2[id])


{

$tym = date("H:i",$sort2[date]);
$wcd = date("M j Y",$sort2[date]);  

echo("
<center>
<table width=\"607\" border=\"0\" cellspacing=\"0\" cellpadding=\"4\" style=\"border-top: 1pt solid black;border-bottom: 1pt solid black;border-left: 1pt solid black;border-right: 1pt solid black; \">
  <tr>
    <td width=\"139\" valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#5eaed4;\">Submitted By:</td>
    <td width=\"450\" valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[addedby]</td>
  </tr>
  <tr>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Date Submitted:</td>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\"> $wcd @ $tym NST</td>
  </tr>
  <tr>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#5eaed4;\">Job Location:</td>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[location] [<a href=\"$sort2[location]\">View</a>]</td>
  </tr>
  <tr>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Job Description:</td>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[details]</td>
  </tr>
  <tr>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Deadline:</td>
    <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[deadline]</td>
  </tr>
  <tr>
    <td valign=\"top\" style=\"border-right: 1pt solid black; background-color:#5eaed4;\">completed?:</td>
    <td valign=\"top\" style=\"background-color:#f4f4f4;\">Click When Completed [<a href=\"$baseurl/staff/submitted/completed_job.pro.php?id=$sort2[id]\">x</a>]</td>
  </tr>
</table>
<p>&nbsp;</p></center>



"); }







}




echo "<p></center>\n";

echo "</center>\n";


include ($_SERVER['DOCUMENT_ROOT'].'/footer.inc.php');


?>

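Then you click the X, which should mark them as completed and remove them from the page, but it doesn't do that; they just stay listed,

but they are also registering as fixed and showing up on the completed jobs page.

completed_jobs.php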

    <?php



    $pagetitle = "Active Jobs";

    $checkrank = 0;


    include ($_SERVER['DOCUMENT_ROOT'].'/header.inc.php');


    $view=$_GET['view'];

    $num = mysql_num_rows(mysql_query("SELECT id FROM assignments WHERE completed =1"));


    if ($num <= 0)
    {
        echo "


    <p><center>

    There are no complete Jobs at this time.";
    }




    $sort = mysql_query("SELECT * FROM assignments WHERE completed =1");
    while($sort2 = mysql_fetch_array($sort))


    {





     if($sort2[id])


    {

    $tym = date("H:i",$sort2[date]);
    $wcd = date("M j Y",$sort2[date]);  

    $ftym = date("H:i",$sort2[datefixed]);
    $fwcd = date("M j Y",$sort2[datefixed]);  

    echo("
    <center>
    <table width=\"607\" border=\"0\" cellspacing=\"0\" cellpadding=\"4\" style=\"border-top: 1pt solid black;border-bottom: 1pt solid black;border-left: 1pt solid black;border-right: 1pt solid black; \">
      <tr>
        <td width=\"139\" valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#5eaed4;\">Submitted By:</td>
        <td width=\"450\" valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[addedby]</td>
      </tr>
      <tr>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Date Submitted:</td>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\"> $wcd @ $tym NST</td>
      </tr>
      <tr>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#5eaed4;\">Job Location:</td>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[location] [<a href=\"$sort2[location]\">View</a>]</td>
      </tr>
      <tr>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Job Description:</td>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[details]</td>
      </tr>
      <tr>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;border-right: 1pt solid black; background-color:#8cc7e3;\">Deadline:</td>
        <td valign=\"top\" style=\"border-bottom: 1pt solid black;background-color:#f4f4f4;\">$sort2[deadline]</td>
      </tr>
      <tr>
        <td valign=\"top\" style=\"border-right: 1pt solid black; background-color:#5eaed4;\">Completed On:</td>
        <td valign=\"top\" style=\"background-color:#f4f4f4;\">$fwcd @ $ftym NST</td>
      </tr>
    </table>
    <p>&nbsp;</p></center>



    "); }







    }




    echo "<p></center>\n";

    echo "</center>\n";


    include ($_SERVER['DOCUMENT_ROOT'].'/footer.inc.php');


    ?>

and then completed_job.pro.php


<?php


$pagetitle = "Completed Jobs";

$checkrank = 30;
include ($_SERVER['DOCUMENT_ROOT'].'/addon.php');

include ($_SERVER['DOCUMENT_ROOT'].'/dblink.php');


$id=$_GET['id'];





mysql_query("UPDATE assignments SET completed = '1' WHERE id = '$id'");
mysql_query("UPDATE assignments SET datefixed = '$timestamp' WHERE id = '$id'");



        header("Location: completed_jobs.php?error=Job+has+been+updated+to+complete+:)");



?>
4

3 Answers

3

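Don't call stripslashes() after calling mysql_real_escape_string(). In fact, unless magic_quotes_gpc() is turned on (not recommended), don't call stripslashes() at all. By calling it after mysql_real_escape_string(), you undo the escaping that function provides.

You specified 5 columns in the INSERT column list but supplied 6 in the VALUES() list. Judging from your table structure, my guess is that you meant to include completed as well.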

mysql_query("INSERT INTO assignments (addedby,location,details,deadline,datefixed) VALUES ('$username','$page','$wrong','$line','$timestamp','0')");
//-------------------------------------------------------------------------------------------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

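We assume the variables $username and $timestamp have been defined in one of the included files and are already properly escaped.

Some error checking would reveal the source of the query error: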

$result = mysql_query("INSERT INTO assignments (addedby,location,details,deadline,datefixed) VALUES ('$username','$page','$wrong','$line','$timestamp','0')");
if (!$result) {
  echo mysql_error();
}
answered 2012-04-09T15:24:21.743
2

Are you getting an error? If so, what is it?

At first glance, your insert query appears to have more values than columns:

INSERT INTO assignments 
  (addedby,location,details,deadline,datefixed) 
  VALUES 
  ('$username','$page','$wrong','$line','$timestamp','0')

That will definitely throw an error.

By the way, the mysql_ family of functions is deprecated. You should be using at least mysqli_, if not PDO.

answered 2012-04-09T15:24:30.107
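The points made in the two answers above (matching column and value counts, checking for query errors, moving to PDO), as an added example that is not from the original posts. It assumes the pdo_sqlite extension so that it runs without a database server; add_job() is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. Assumes the pdo_sqlite extension so it
// runs without a server; on the site the DSN would point at the MySQL database.
$pdo = new PDO('sqlite::memory:');
// Make every failed query throw instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Cut-down copy of the assignments table from the question.
$pdo->exec("CREATE TABLE assignments (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    addedby TEXT NOT NULL, location TEXT NOT NULL, details TEXT NOT NULL,
    deadline TEXT NOT NULL, datefixed INTEGER NOT NULL DEFAULT 0,
    completed INTEGER NOT NULL DEFAULT 0)");

// Hypothetical helper: six columns, six values, user input bound separately.
function add_job(PDO $pdo, $addedby, $location, $details, $deadline, $timestamp)
{
    $stmt = $pdo->prepare(
        "INSERT INTO assignments
            (addedby, location, details, deadline, datefixed, completed)
         VALUES (:addedby, :location, :details, :deadline, :datefixed, 0)"
    );
    $stmt->execute(array(
        ':addedby'   => $addedby,
        ':location'  => $location,
        ':details'   => $details,
        ':deadline'  => $deadline,
        ':datefixed' => $timestamp,
    ));
    return (int) $pdo->lastInsertId();
}

// Constructed sample input; the apostrophe needs no manual escaping.
$id = add_job($pdo, 'staff1', '/help.php', "Fix the user's profile page", 'Friday', time());
echo "inserted job $id\n";

// The question's statement: five columns, six values. With exceptions on, the
// mismatch is reported at once instead of the row silently not appearing.
try {
    $pdo->exec("INSERT INTO assignments (addedby,location,details,deadline,datefixed)
                VALUES ('a','b','c','d',0,'0')");
} catch (PDOException $e) {
    echo "query failed: ", $e->getMessage(), "\n";
}
```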
1

You have some syntax errors/gotchas:

$helpfaerie = mysql_fetch_array(mysql_query("SELECT * FROM helpfaerie WHERE page =  'reportbug'"));

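You're assuming the query succeeded. This is bad practice. Even if the SQL statement itself is syntactically perfect, it can fail for many other reasons. You should always check whether the query succeeded before doing anything with its result. For example: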

$result = mysql_query(...);
if ($result === FALSE) {
    die(mysql_error());
}

should be the bare minimum you have everywhere while developing/testing.

if ($helpfaerie2[helpfaerie] == 1)
                 ^--       ^--

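You've neglected to quote the array key here. In this particular snippet, the unquoted helpfaerie will be parsed as a defined() constant. However, it's probably not defined, so PHP will "politely" auto-convert it to a string for you and throw a warning.

Then immediately afterwards you have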

{
echo "<div id=\"helpfaerie\" 

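and output a large amount of multi-line HTML. Yet later on you use a HEREDOC. Why not use one here as well? That way you wouldn't have to escape all the " characters in the echo statement.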

$page = mysql_real_escape_string($page);
$page = stripslashes($page);
$page = stripusers($page);

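This makes no sense. You properly escape $page, and then you do stripslashes, which basically undoes the mysql_real_escape_string() call. While not entirely accurate, you can think of m_r_e_s() as an advanced version of addslashes(), so you're basically escaping and then unescaping again, leaving you vulnerable to SQL injection.

I don't know what stripusers() is, but regardless, the order of operations should be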

$page = stripusers($page);
$page = mysql_real_escape_string($page);

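m_r_e_s() should always be the last operation performed before that bit of data is used in a query string. If you do anything to the escaped string after the escaping is done, you could be undoing the escaping and/or introducing another way for an injection attack to sneak in.

answered 2012-04-09T15:37:58.627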
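The ordering problem described in the answer above, as an added example that is not part of the original post. addslashes() stands in for mysql_real_escape_string() (the comparison the answer itself draws), and strip_users() is a hypothetical placeholder for the site's stripusers(), whose behaviour the page does not show.

```php
<?php
// Added example. addslashes() stands in for mysql_real_escape_string(), which
// needs a live connection and no longer exists in current PHP.
// strip_users() is a hypothetical placeholder for the site's stripusers().
function strip_users($s)
{
    return trim($s);
}

// Order used in add_jobs.pro.php: escape, then stripslashes, then filter.
function prepare_as_posted($s)
{
    $s = addslashes($s);
    $s = stripslashes($s);   // removes the backslashes just added
    return strip_users($s);
}

// Order from the answer: filter first, escape as the very last step.
function prepare_escape_last($s)
{
    $s = strip_users($s);
    return addslashes($s);
}

// Count single quotes not preceded by a backslash, i.e. quotes that would end
// the SQL string literal early. Adequate for this demo's input.
function unescaped_quotes($s)
{
    return preg_match_all("/(?<!\\\\)'/", $s);
}

$details = "Fix the user's profile page";   // constructed, ordinary input

foreach (array('prepare_as_posted', 'prepare_escape_last') as $fn) {
    $value = $fn($details);
    printf("%-20s %-32s unescaped quotes: %d\n", $fn, $value, unescaped_quotes($value));
}
```

The first line of output shows one unescaped quote surviving the posted order; the second shows none once escaping is the final step.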