1

一段时间以来,我一直在尝试通过防止 sql 注入来保护我的网页。但是,现在我提交表单后,页面上根本没有显示任何内容。这是我的完整代码,因为我不知道我的错误发生在哪里。

   <?php
   require_once 'db_connect.php';
   ?>
   <head> 
   <title> Data </title>
   <link href = "ss2.css" type = "text/css" rel = "stylesheet" >
   </head>
  <body>
  <h1> Research Center </h1>
  <a href = "home.php"> Data Home Page </a>

  <ol class = 'instructions'>

  <li> Step 1: Please select your first year you want to gather data from. </li>
  <li> Step 2: Next, select a second year to create a time interval. </li>
  <li> Step 3: Then, select the time of year you want to retrieve data from. </li>
  <li> Step 4: Finally, specify a specific regional location. </li>

  </ol>


  <form action="unemployed2.php" method ="post">
  <input type="hidden" name="submitted" value="true" />

  <fieldset>
  <legend>
  Specify Date, Month, and County
  </legend>
  <p class = 'year'>
  <label for="year">
  Please Select years: From 
  </label>

  <select name= 'year'>
  <option value= ''> </option>
  <?php
  $query = "select distinct year from unemployed";

  $result = $conn->query($query);
  while($row = $result->fetch_object()) {
    echo "<option value='".$row->year."'>".$row->year."</option>";
   }
  ?>
  </select>
  </p>

  <p class = 'year'>
  <label for="year">
  To
  </label>

  <select name= 'year2'>
  <option value= ''> </option>
  <?php
  $query = "select distinct year from unemployed";

  $result = $conn->query($query);
  while($row = $result->fetch_object()) {
    echo "<option value='".$row->year."'>".$row->year."</option>";
   }
  ?>
  </select>
  </p>


  <p>
  <label for="month">
  Please select a month
  <label>

  <select name= 'month'>
  <option value= ''> </option>
  <?php
  $query = "select distinct month from unemployed";

  $result = $conn->query($query);
  while($row = $result->fetch_object()) {
    echo "<option value='".$row->month."'>".$row->month."</option>";
   }
  ?>
  <option value = "All Months"> All Months </option>
  </select>
  </p>

  <p>
  <label for="location">
  Please specify a location
  </label>

  <select name='location'>
  <option value= ''> </option>

  <option value = 'Fayette'> Fayette County (IN) </option>
  <option value = 'Henry'> Henry County (IN) </option>
  <option value = 'Randolph'> Randolph County (IN) </option>
  <option value = 'Rush'> Rush County (IN) </option>
  <option value = 'Union'> Union County (IN) </option>
 <option value = 'Wayne'> Wayne County (IN) </option>
 <option value = 'INCounties'> Local Indiana Counties </option>
 <option value = 'Indiana'> Indiana </option>
 <option value = 'Butler'> Butler County (OH) </option>
 <option value = 'Darke'> Darke County (OH) </option>
 <option value = 'Mercer'> Mercer County (OH) </option>
 <option value = 'Preble'> Preble County (OH) </option>
 <option value = 'OHCounties'> Local Ohio Counties </option>
 <option value = 'Ohio'> Ohio </option>
 <option value = 'US'> United States </option>

 </select>
 </p>


 <input type ="submit" />

 </fieldset>
 </form>

<?php

  if (isset($_POST['submitted'])) {


  $gYear = $_POST["year"];
  $gYear2 = $_POST["year2"];
 $gMonth = $_POST["month"];


 $array = array('loc1' => 'Fayette', 'loc2' => 'Henry', 'loc3' => 'Randolph', 
         'loc4' => 'Rush', 'loc5' => 'Union', 'loc6' => 'Wayne',
         'loc7' => 'INCounties','loc8' => 'Indiana', 'loc9' => 'Butler', 'loc10' => 'Darke',
         'loc11' => 'Mercer', 'loc12' => 'Preble', 'loc13' => 'OHCounties',
         'loc14' => 'Ohio', 'loc15' => 'US');

 if ($gYear > $gYear2) {

 die('ERROR: Your second year cant be a time period before the first year you selected');
 }

 else {

 if (array_key_exists($_POST["location"], $array)) {

 $column = $_POST["location"];
 }

 else {
 echo "ERROR";
 }



 $sql = "SELECT `$column`, `Year`, `Month` FROM unemployed WHERE year BETWEEN ? AND ? and month= ?";
 $query = $conn->prepare($sql);
 $query->bind_param('sss', $gyear, $gYear2, $gMonth);

 $query->execute(); 
 $result = $query->get_result();

 echo "<table>";
 echo "<tr><th>Year</th><th>Month</th><th>$column</th></tr>";

 while ($row = $result->fetch_object()){

 echo "<tr><td>";
 echo $row->$column;
 echo "</td><td>";
 echo $row->Year;
 echo "</td><td>";
 echo $row->Month;
 echo "</td></tr>";

 }

 $query->close();



 echo "</table>";

 }
 } // end of main if statement

 ?>

 </body>

如果我不得不猜测,我的错误就在这些代码行中,因为在我按下提交按钮后网页显示 ERROR:

$array = array('loc1' => 'Fayette', 'loc2' => 'Henry', 'loc3' => 'Randolph', 
             'loc4' => 'Rush', 'loc5' => 'Union', 'loc6' => 'Wayne',
             'loc7' => 'INCounties','loc8' => 'Indiana', 'loc9' => 'Butler', 'loc10' => 'Darke',
             'loc11' => 'Mercer', 'loc12' => 'Preble', 'loc13' => 'OHCounties',
             'loc14' => 'Ohio', 'loc15' => 'US');
else {

     if (array_key_exists($_POST["location"], $array)) {

     $column = $_POST["location"];
     }

     else {
     echo "ERROR";
     }

有谁知道我的错误是什么?任何帮助将不胜感激。

4

4 回答 4

0

我认为不起作用的一件事是您的第二个代码块中的这行代码:

if (array_key_exists($_POST["location"], $array)) {

这永远不会返回 true,因为您在 HTML 代码中选择输入中的值不是 $array 的键,而是值。所以 $_POST["location"] 将始终包含 $array 中的值,而不是键。所以array_key_exists总是会在该行代码中返回 false 。

这意味着 else 块将被执行,这将导致打印“错误”。

您是否打算使用in_array($_POST["location"], $array)( PHP Manual ) 代替,也许?

于 2013-09-17T15:28:08.880 回答
0

从您的代码ERROR打印在 else 检查中:array_key_exists($_POST["location"], $array)。检查您的数据库,确保没有空值,并且值与映射数组中的值完全相同$array,键区分大小写。

此外,您不需要elseafterdie()语句,因为程序已停止。你可以离开你的结构,如:

if (...) die();

//rest of code

还要尝试正确格式化,或者至少坚持一个可读的结构,例如:

function () {
    if () {
       ...
    } else {
       ...
    }

    return true;
}
于 2013-09-17T15:29:41.010 回答
0

您正在检查您的位置数组是否有匹配的键,但您的位置实际上是一个值。您还重复了两次您的位置。我建议在文件顶部创建一个 $locations 数组,使用它来填充您的选项标签,然后也将它用于您的验证测试。这将导致您的“array_key_exists”测试按照您的预期进行。

<?php

// top

$locations = array(
    'Fayette'       => 'Fayette Counter (IN)',
    'Henry'         => 'Henry County (IN)',
    'Randolph'      => 'Randolph County (IN)',
    'Rush'          => 'Rush County (IN)',
    'Union'         => 'Union County (IN)',
    'Wayne'         => 'Wayne County (IN)',
    'INCounties'    => 'Local Indiana Counties (IN)',
    'Indiana'       => 'Indiana',
    'Butler'        => 'Butler County (OH)',
    'Darke'         => 'Darke County (OH)',
    'Mercer'        => 'Mercer County (OH)',
    'Preble'        => 'Preble County (OH)',
    'OHCounties'    => 'Local Ohio Counties',
    'Ohio'          => 'Ohio',
    'US'            => 'United States'
);

?>

<!-- middle -->

<select name='location'>
    <option value= ""> </option>
    <?php

    foreach($locations as $k => $v){
        echo "<option value=\"{$k}\">{$v}</option>";
    }

    ?>
</select>

<?php

// bottom

if (array_key_exists($_POST["location"], $locations)){
    $column = $_POST["location"];
} else {
    echo "ERROR";
}

?>
于 2013-09-17T15:48:08.507 回答
0

添加错误报告(E_ALL);和 ini_set("display_errors",1); 在代码的顶部,并检查错误

于 2013-09-17T15:15:44.503 回答