php - 我是 PHP+MySql 的新手，正在尝试编写一个简单的脚本来从数据库中删除用户，但我并没有摆脱错误

Question

这是我删除用户的全部代码：

 <?php
  $page_title = 'Delete a User';
  include ('includes/header.html');
   echo '<h1>Delete a User</h1>';

   if ( (isset($_GET['id'])) && (is_numeric($_GET['id'])) ) { // From view_users.php
     $id = $_GET['id'];
     } elseif ( (isset($_POST['id'])) && (is_numeric($_POST['id'])) ) { // sbmsn
 $id = $_POST['id'];
     } else { // No valid ID, kill the script.
echo '<p class="error">This page has been accessed in error.</p>';
include ('includes/footer.html'); 
exit();

    }

  require_once ('../connect.php');

  if($_SERVER['REQUEST_METHOD'] == 'POST') {
if($_POST['sure'] == 'Yes') {
    $q="DELETE FROM user WHERE user_id= $id ";
    $r= @mysqli_query ($dbc, $q);
    if(mysqli_affected_rows($dbc) == 1) {
        echo '<p>The user has been deleted</p>';
    }
    else {
        echo '<p class="error">Sorry! the user could not be deleted.</p>';
        echo '<p>' . mysqli_error($dbc) . '<br/>Query: '.$q. '</p>';
    }
}
else {
    echo '<p>The user has not been deleted.</p>';
}
   }
    else {
$q="SELECT first_name FROM user WHERE user_id=$id";
$r= @mysqli_query($dbc,$q);

if(mysqli_num_rows($r) == 1) {
    $row = mysqli_fetch_array($r,MYSQLI_NUM);

    echo "<h3>Name: $row[0]</h3> Are you sure you want to delete this user?";
    echo '<form action="delete_user.php" method="post">
      <p> <input type="radio" name="sure" value="Yes" />Yes</p>
      <p> <input type="radio" name="sure" value="No" checked="checked" />No</p>
       <input type="submit" name="submit" value="submit" />
      <input type="hidden" name="id" value=" '.$id.' "/>

    </form>';
}
else {
    echo '<p class="error">ERROR Sorry!</p>';
}
  }

   mysqli_close($dbc);

  include ('includes/footer.html');
 ?>

但每次我得到错误

This page has been accessed in error

这些$id东西正在使用同一种脚本来编辑用户的信息。

Answer 1

这个问题与SQL无关。问题位于此代码中：

if ( (isset($_GET['id'])) && (is_numeric($_GET['id'])) ) { // From view_users.php
    $id = $_GET['id'];
} elseif ( (isset($_POST['id'])) && (is_numeric($_POST['id'])) ) { // sbmsn
    $id = $_POST['id'];
} else { // No valid ID, kill the script.
    echo '<p class="error">This page has been accessed in error.</p>';
    include ('includes/footer.html'); 
    exit();
}

因此，这意味着以下情况属实：

1. $_GET['id']不是数字或未设置
2. $_POST['id']不是数字或未设置

检查发送到此页面的内容。

要调试，首先print_r($_GET); print_r($_POST);在页面顶部插入并查看输出。如果$_GET和$_POST为空，则不会向该页面发送任何内容。如果它们有值，它们可能不是数字。从这里开始根据需要进行修复。

Answer 2

<?php

//Access From view_users.php?id=1;
//Access via form input with name "id" submitted via get or post methods
//You might want to do an integer casting (int)$_REQUEST['id']; //Not very necessary

  $page_title = 'Delete a User';
  include ('includes/header.html');
   echo '<h1>Delete a User</h1>';

   if ( (isset($_REQUEST['id'])) && (is_numeric(trim($_REQUEST['id']))) ) { // From view_users.php
     $id = mysqli_real_escape_string($dbc, trim($_REQUEST['id'])); //Be paranoid about security
     } else { // No valid ID, kill the script.
echo '<p class="error">This page has been accessed in error.</p>';
include ('includes/footer.html'); 
exit();

    }

Answer 3

我认为问题是 is_numeric($_GET['id']) 或 is_numeric($_POST['id'])。您发布一个字符串，它会将字符串检测为字符串而不是数字。