-2

我想首先说我是 PHP 的新手。下面的代码是由一个不再能够提供帮助的熟人编写的,我正在尝试用它进一步开发一些额外的东西。我遇到了一个我无法解决的问题。

爆炸数组用于将一系列命令分解为在 mysql 语句中用于操作数据库的部分。

我遇到的问题是某些命令似乎有效,而有些则无效。见下文:

if(isset ($_POST['commandline'])){
//handle cammand
$command = $_POST['commandline'];
$parts = explode(",",$command);
//print_r($parts);
//we know the first part is a command

//UPDATE NATURE CODE BY EVENT NUMBER  WORKS
//PART 1 IS THE EVENT ID PART 2 IS THE NEW CALL TYPE
else if(preg_match("/UTE/",$parts[0])){
    mysql_query("UPDATE runs SET calltype='{$parts[2]}' WHERE id='{$parts[1]}'");}

//UPDATE LOCATION EVENT NUMBER  WORKS
//PART 1 IS THE EVENT ID PART 2 IS THE NEW LOCATION
else if(preg_match("/ULE/",$parts[0])){
    mysql_query("UPDATE runs SET location='{$parts[2]}' WHERE id='{$parts[1]}'");}

//UPDATE DESCRIPTION EVENT NUMBER  WILL NOT WORK
//PART 1 IS THE EVENT ID PART 2 IS THE NEW DESCRIPTION
else if(preg_match("/UDE/",$parts[0])){
    mysql_query("UPDATE runs SET discrip='{$parts[2]}' WHERE id='{$parts[1]}'");}



else { header("Location: main.php?message=fail"); 
die;} 
}

正如您从我的评论中看到的那样,UTE 和 ULE 命令有效,但 UDE 命令无效。我觉得它与“UTE”和“UDE”部分有关,就好像我将“UDE”更改为“Q”这样的随机字母它会起作用。

任何人都知道发生了什么以及如何让“UDE”部分工作?任何帮助深表感谢。

4

1 回答 1

1

1) SQL Injection danger

2) /UDE has no special meaning, so that '/UDE/' will behave the same as '/ULE/' or '/ABC/'.

3) If you add an echo into above the deffective query, does it get shown?

else if(preg_match("/UDE/",$parts[0])){
echo 'Do you see that line here?';
mysql_query("UPDATE runs SET discrip='{$parts[2]}' WHERE id='{$parts[1]}'");}

4) What happens if you execute that query manually?

The last two points ara a general procedure to tell php and mysql errors apart.

Edit: If you print_r($parts) and it is an empty array, then $party[0] cannot match your regex. In that case you must track down, why the explode() fails. Shorten the part after ?commandline= to ?commandline=xxx,yyy ; Then change it to the bare minimum needed to reproduce the error.

Liekly reason:

does the part after ?commandline= in your url contain any of the characters "? & #" ? That would immediately end the parameter.

于 2013-05-18T22:00:51.877 回答