0

免责声明是的,数据尚未经过验证,是的,它不安全,但这是在本地机器上进行的测试,所以我不担心 SQL 注入

好的。所以我有一个用户填写的表格。我在该页面的开头开始一个会话。信息被发布到第二个页面,用户可以在其中验证数据,然后单击按钮提交。会话再次启动,数据被传递到与数据库建立连接的第三页。

<?php
session_start();
require_once("dbconnect.php");

include("header.php");
echo "This is for a Live Sale:  title is " . $_SESSION['title'] . "<p> type is " . $type = $_SESSION['typeofsale'] . "<p> fname is " . $_SESSION['fname'] . " <p>lname is " . $lname = $_SESSION['lname'] . "<p> email is " . $email = $_SESSION['email'] . "<p> address is " . $address = $_SESSION['address'] . " <p>zip is " . $_SESSION['zip'] . " <p>city is " . $_SESSION['city'] . "<p> county is " . $_SESSION['county'] . "<p> area is " . $_SESSION['area'] . "<p> state is " . $_SESSION['state'] . "<p> directions are " . $_SESSION['directions'] . "<p> date is " . $_SESSION['livedate'] . "<p> Time is " . $_SESSION['time']; 
    if (isset($_SESSION['livedate'])){
        $title = $_SESSION['title'];
        $typeofsale = $_SESSION['typeofsale'];
        $fname = $_SESSION['fname'];
        $lname = $_SESSION['lname'];
        $email = $_SESSION['email'];
        $address = $_SESSION['address'];
        $zip = $_SESSION['zip'];
        $city = $_SESSION['city'];
        $county = $_SESSION['county'];
        $area = $_SESSION['area'];
        $state = $_SESSION['state'];
        $directions = $_SESSION['directions'];
        $listitems = $_SESSION['listitems'];
        $date = $_SESSION['livedate'];
        $time = $_SESSION['time']; 

        fullListing($title, $typeofsale, $fname, $lname, $email, $address, $zip, $city, $county, $area, $state, $directions, $listitems, $date, $time);
    }

    if (isset($_POST['onlinedate'])){
    $title = $_SESSION['title'];
    $typeofsale = $_SESSION['typeofsale'];
    $fname = $_SESSION['fname'];
    $lname = $_SESSION['lname'];
    $email = $_SESSION['email'];
    $zip = $_SESSION['zip'];
    $city = $_SESSION['city'];
    $county = $_SESSION['county'];
    $area = $_SESSION['area'];
    $state = $_SESSION['state'];
    $listitems = $_SESSION['listitems'];
    $date = $_SESSION['livedate'];

    partialListing($title, $typeofsale, $fname, $lname, $email, $zip, $city, $county, $area, $state, $listitems, $date);
}




function fullListing($title, $typeofsale, $fname, $lname, $email, $address, $zip, $city, $county, $area, $state, $directions, $listitems, $date, $time){
global $dbc;

$insertRow = "INSERT INTO listings(title, typeofsale, fname, lname, email, address, zip, city, county, area, state, directions, listitems, date, time) VALUES ('$title', '$typeofsale', '$fname', '$lname', '$email', '$address', '$zip', '$city', '$county', '$area', '$state', '$directions', '$listitems', '$date', '$time')";
echo "<p>this is whats in insertRow variable " . $insertRow;
$result = $dbc->query($insertRow);
echo "<p>this is whats in insertRow variable " . $insertRow;
}


function partialListing($title, $typeofsale, $fname, $lname, $email, $zip, $city, $county, $area, $state, $listitems, $date){
global $dbc;

$insertRow = "INSERT INTO listings(title, typeofsale, fname, lname, email, zip, city, county, area, state, listitems, date) VALUES ('$title', '$typeofsale', '$fname', '$lname', '$email', '$zip', '$city', '$county', '$area', '$state', '$listitems', $date)";
$result = $dbc->query($insertRow);
echo "this is whats in insertRow variable " . $insertRow;
}

echo "<p><h1>Information Submitted.  Thank You!</h1>";
echo "<p>";
include('footer.php');

好的,所以我回应了这些变量,以确保它们都被转移来解决我的问题。他们在正确的变量中显示了所有正确的信息。

我正在测试页面上的 fullListing 选项。我在运行查询之前和之后回显了 $insertRow 的内容。该页面运行,它只显示第一个输出。这是变量 $insertRow 内容的结果。

INSERT INTO listings(title, typeofsale, fname, lname, email, address, zip, city, county, area, state, directions, listitems, date, time) VALUES ('This is the title', 'livesale', 'First', 'Name', 'blah@blah.com', '`123 Main St', '44355', 'City', 'crowwing', 'central', 'minnesota', 'GO down the road til you see the sign and then go somemore Big house on the right', 'Clothes baby items playstation games toys', '6/12/1965', '8:00AM')

当它尝试运行查询时,它给了我以下错误。

 Fatal error: Call to a member function query() on a non-object in C:\Program Files\wamp\www\AreaListingPage2\salesent.php on line 52

第 52 行是这一行:

$result = $dbc->query($insertRow);

我检查以确保数据库连接和模型中包含正确的信息,并且确实如此。他们有正确的密码和数据库。然后我检查以确保数据库中的表正确无误。我检查了这些字段的顺序是否正确并与数据库字段匹配,它们确实如此。

4

1 回答 1

0

您只需定义 aglobal $dbc;它是一个空变量并且不处理与数据库的任何连接,但您query()在其上调用函数。这行不通。

无论您使用什么驱动程序(mysqli、PDO 等),您都应该正确处理连接。

于 2013-07-29T20:02:56.677 回答