0

我是 php 新手并试图添加一个删除按钮以从列表中删除一个对象(作业),我希望删除按钮出现在每个单独的对象(作业)旁边,一旦单击此作业就会从数据库中删除桌子。下面是我的edit_jobs.php(显示特定用户的所有作业)和delete_job.php(假设从表中删除该特定作业)的代码有人可以告诉我我做错了什么,

我的 edit_jobs 页面显示特定用户发布的表中的所有工作。

<?php
        include_once "connect_to_mysql.php";
        $id = $userid;
        $username = $_GET['username'];


        $result = mysql_query("SELECT * FROM jobs WHERE user_id ='$id'")
                or die(mysql_error());

        while ($row = mysql_fetch_array($result)) {
            echo '<a href="job.php?id=' . $row['job_id'] . '"> ' . $row['job'] . '</a><br />';
            echo 'category: ' . $row['category'] . '<br />';
            echo 'description: ' . $row['description'] . '<br />';
            echo '<a href="member.php?id=' . $row['userid'] . '">Clients profile</a><br />';
            echo '<br />';?>
        <a href="delete_job.php?job_id=<?php echo $row['job']; ?>"
                       onclick="return confirm('Are you sure you want to delete this book?');">
                       <img src="images/delete20.png" alt="Delete Book" />
                    </a>
        <?php } ?>

delete_job 页面

<?php
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
if (!empty($_GET['job_id'])) {
    $jobId = $_GET['job_id'];

    require_once 'connect_to_mysql.php';

    $sql = "DELETE FROM jobs WHERE job_id = ?";

    $params = array($jobId);

    $stmt = $link->prepare($sql);
    $status = $stmt->execute($params);


    if ($status == true) {
        header("Location: edit_jobs.php");
    }
    else {
        $error_info = $stmt->errorInfo();
        $error_message = "failed to delete job: {$error_info[2]} - error code {$error_info[0]}";
        require 'error.php';
    }
}

else {
    $error_message = "book id not specified";
    require 'edit_jobs.php';
}
}
else {
}
?>
4

2 回答 2

0

我看到这段代码有很多问题。第一——我同意上述关于漏洞的观点。但是,这是一个简单的解决方法;只需将作业 ID 验证为整数,如果验证失败则不执行 SQL 代码。

第二 - 我认为 $param = array($jobId) 不正确。您根本没有将作业变量传递给 SQL 代码......它为执行语句提供了一个空值。我清理了你的代码,不能保证这会起作用,因为我看不到你的 SQL 语句,但这是一种更好的方法,应该可以正常工作......

# Include this before anything else...
require_once 'connect_to_mysql.php';

# Ditch the server GET validation check, waste of load time, store job ID in a variable off the bat
$jobId = $_GET['job_id'];

# Validate if the job is is numeric and not empty
if ((!empty($jobId)) || (is_numeric($jobId))
{   
    # Ditch the $sql variable for speed/memory, just include it in the prepare statement
    # Note the limit statement - it's good practice to limit deletion queries to only one row
    # if you are only deleting one row so additional data doesn't accidentally get deleted
    $stmt = $link->prepare("DELETE FROM jobs WHERE job_id = ? LIMIT 1");
    
    # This code prepares job ID as a parameterized query and tells the database to parse it as an int
    $stmt->bind_param('i', $jobId);
    
    # Execute and validate
    $status = $stmt->execute($params);

    if ($status == true) 
        header("Location: edit_jobs.php");
    else 
    {
        $error_info = $stmt->errorInfo();
        $error_message = "failed to delete job: {$error_info[2]} - error code {$error_info[0]}";
        require 'error.php';
    }
}
else 
{
    $error_message = "Booking ID is not valid";
    require 'edit_jobs.php';
}

# Make sure to close your database connection when finished...

于 2017-07-16T21:45:18.793 回答
-1

你试过这个吗?

$jobId = $link->real_escape_string($jobId);
$sql = "DELETE FROM jobs WHERE job_id = $jobId";
于 2013-05-12T22:55:03.477 回答