0

嗨,请参阅此代码,我正在使用此代码更新当前项目,$current_project_id 使用我正在编辑当前项目我已经检查了数据以发布变量,我在执行 echo 语句时得到它。当我使用该对象将其传递给我的类函数时,可能会出现一些问题。

另外:感谢您的帮助,如果您在我的代码中发现一些安全问题:)

用户端: 

<?php 
    $current_project_id = (int)$_GET["pid"]; //Getting current project to Update from URL parameter.

    $currentproject = $touchObj->get_projects_by_id($current_project_id); // Using  project id to update, we are taking all project data.
?>


<?php
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
if(isset($_POST['project_name']) && isset($_POST['project_location'] )) { 

    include('inc/handleUpload.php'); // Image uplaod class
    $up->config('20000000','jpg,gif,png,pdf,txt,doc,docx,xls,xlsx,zip,rar');
    $up->upload('project_file','xxxxxxxxxxxxxxxxxxxxxxxxx/'); //Server file location for upload folder.


    $project_investor_id = implode(",",$_POST["project_investor_id"]); // Our table field store data as comma seperated separated

    $project_name = mysql_real_escape_string($_POST['project_name']);

    $project_location = mysql_real_escape_string($_POST['project_location']);

    $project_phase = mysql_real_escape_string($_POST['project_phase']);

    $project_capital = mysql_real_escape_string($_POST['project_capital']);

    $project_total = mysql_real_escape_string($_POST['project_total']);

    $project_notes = mysql_real_escape_string($_POST['project_notes']);

    $file = $up->fileInfo['fname'];



    $touchObj->update_project(
        $current_project_id,
        $project_investor_id,
        $project_name, 
        $project_location,
        $$project_phase,
        $project_capital,
        $project_total,
        $project_notes,
        $file
        );
}
else 
{

    echo '<div class="alert alert-info"><h6>Please fill datas...</h6></div>';
}

}
?>

我这个特定类的功能:

 public function update_project($project_id, $project_investor_id, $project_name, $project_location, $project_phase, $project_capital, $project_total, $project_notes, $file){

    $result = mysql_query("UPDATE project_table SET 
    project_investor_id = $project_investor_id, 
    project_name = $project_name,    
    project_location = $project_location,
    project_phase = $project_phase,
    project_capital = $project_capital,
    project_total = $project_total,
    project_notes = $project_notes,
    project_file = $file
    WHERE project_id =$project_id");

    if($result) {
    echo '<div class="alert alert-success"><h6>Project updates... Do not refresh window...</h6></div>';
    }
    else {
    echo '<div class="alert alert-error"><b>Some error while updating the project. Please try again...</b></div>';
    }

}

结果: 更新项目时出现一些错误。请再试一次...

我无法使用此功能更新数据请重新审核并让我知道我错过了什么?有任何想法吗?

非常感谢您宝贵的时间

4

1 回答 1

1

我很确定基于字符的字段需要被'标记包围,例如:

project_notes = '$project_notes',

而不是:

project_notes = $project_notes,

而且您应该研究“SQL 注入”这个术语,以了解为什么将用户输入的值推送到您的查询中是一个坏主意。他们所要做的就是以某种方式输入类似

', salary = salary * 1.5, project_notes = 'actual project notes

进入$project_notes文本输入框(或您正在使用的任何内容),您将进入一些有趣的时间。

参数化查询更安全。

于 2013-09-11T09:30:40.467 回答