0

我正在处理资产数据库问题。$id我从我那里收到$_GET["id"]; 然后查询数据库并显示结果。

如果我的 id 是像“93650”这样的整数,但如果它有像​​“wci1001”这样的其他字符,它会显示这个 MySQL 错误:

'where子句'中的未知列'text'

表中的所有字段都属于以下类型:VARCHAR(50)

我需要做什么才能使用此查询按包含其他字符的 id 进行搜索?

谢谢你。

<?php

<?php

/* 
*  ASSET DB FUNCTIONS SCRIPT
*
*/

# connect to database
function ConnectDB(){

    mysql_connect("localhost", "asset_db", "asset_db") or die(mysql_error());
    mysql_select_db("asset_db") or die(mysql_error());
}

# find asset type returns $type
function GetAssetType($id){

    $sql = "SELECT asset.type
    From asset
    WHERE asset.id = $id";
    $result = mysql_query($sql)
    or die(mysql_error());
    $row = mysql_fetch_assoc($result);
    $type = $row['type'];
    return $type;
}

# query server returns $result (sql query array)
function QueryServer($id){

    $sql = "
    SELECT asset.id
    ,asset.company
    ,asset.location
    ,asset.purchaseDate
    ,asset.purchaseOrder
    ,asset.value
    ,asset.type
    ,asset.notes
    ,server.manufacturer
    ,server.model
    ,server.serialNumber
    ,server.esc
    ,server.warranty
    ,server.user
    ,server.prevUser
    ,server.cpu
    ,server.memory
    ,server.hardDrive
    FROM asset
    LEFT JOIN server
        ON server.id = asset.id
    WHERE asset.id = $id
    ";
    $result = mysql_query($sql);
    return $result;
}



# get server data returns $serverArray
function GetServerData($result){

    while($row = mysql_fetch_assoc($result))
    {
        $id = $row['id'];
        $company = $row['company'];
        $location = $row['location'];
        $purchaseDate = $row['purchaseDate'];
        $purchaseOrder = $row['purchaseOrder'];
        $value = $row['value'];
        $type = $row['type'];
        $notes = $row['notes'];
        $manufacturer = $row['manufacturer'];
        $model = $row['model'];
        $serialNumber = $row['serialNumber'];
        $esc = $row['esc'];
        $warranty = $row['warranty'];
        $user = $row['user'];
        $prevUser = $row['prevUser'];
        $cpu = $row['cpu'];
        $memory = $row['memory'];
        $hardDrive = $row['hardDrive'];
        $serverArray = array($id, $company, $location, $purchaseDate, $purchaseOrder,
            $value, $type, $notes, $manufacturer, $model, $serialNumber, $esc, $warranty,
            $user, $prevUser, $cpu, $memory, $hardDrive);
    }
    return $serverArray;
}

# print server table
function PrintServerTable($serverArray){

    $id = $serverArray[0];
    $company = $serverArray[1];
    $location = $serverArray[2];
    $purchaseDate = $serverArray[3];
    $purchaseOrder = $serverArray[4];
    $value = $serverArray[5];
    $type = $serverArray[6];
    $notes = $serverArray[7];
    $manufacturer = $serverArray[8];
    $model = $serverArray[9];
    $serialNumber = $serverArray[10];
    $esc = $serverArray[11];
    $warranty = $serverArray[12];
    $user = $serverArray[13];
    $prevUser = $serverArray[14];
    $cpu = $serverArray[15];
    $memory = $serverArray[16];
    $hardDrive = $serverArray[17];

    echo "<table width=\"100%\" border=\"0\"><tr><td style=\"vertical-align:top\"><table width=\"100%\" border=\"0\"><tr><td colspan=\"2\"><h2>General Info</h2></td></tr><tr id=\"hightlight\"><td>Asset ID:</td><td>";
    echo $id;
    echo "</td></tr><tr><td>Company:</td><td>";
    echo $company;
    echo "</td></tr><tr id=\"hightlight\"><td>Location:</td><td>";
    echo $location;
    echo "</td></tr><tr><td>Purchase Date:</td><td>";
    echo $purchaseDate;
    echo "</td></tr><tr id=\"hightlight\"><td>Purchase Order #:</td><td>";
    echo $purchaseOrder;
    echo "</td></tr><tr><td>Value:</td><td>";
    echo $value;
    echo "</td></tr><tr id=\"hightlight\"><td>Type:</td><td>";
    echo $type;
    echo "</td></tr><tr><td>Notes:</td><td>";
    echo $notes;
    echo "</td></tr></table></td><td style=\"vertical-align:top\"><table width=\"100%\" border=\"0\"><tr><td colspan=\"2\"><h2>Server Info</h2></td></tr><tr id=\"hightlight\"><td>Manufacturer:</td><td>";
    echo $manufacturer;
    echo "</td></tr><tr><td>Model:</td><td>";
    echo $model;
    echo "</td></tr><tr id=\"hightlight\"><td>Serial Number:</td><td>";
    echo $serialNumber;
    echo "</td></tr><tr><td>ESC:</td><td>";
    echo $esc;
    echo "</td></tr><tr id=\"hightlight\"><td>Warranty:</td><td>";
    echo $warranty;
    echo "</td></tr><tr><td colspan=\"2\">&nbsp;</td></tr><tr><td colspan=\"2\"><h2>User Info</h2></td></tr><tr id=\"hightlight\"><td>User:</td><td>";
    echo $user;
    echo "</td></tr><tr><td>Previous User:</td><td>";
    echo $prevUser;
    echo "</td></tr></table></td><td style=\"vertical-align:top\"><table width=\"100%\" border=\"0\"><tr><td colspan=\"2\"><h2>Specs</h2></td></tr><tr id=\"hightlight\"><td>CPU:</td><td>";
    echo $cpu;
    echo "</td></tr><tr><td>Memory:</td><td>";
    echo $memory;
    echo "</td></tr><tr id=\"hightlight\"><td>Hard Drive:</td><td>";
    echo $hardDrive;
    echo "</td></tr><tr><td colspan=\"2\">&nbsp;</td></tr><tr><td colspan=\"2\">&nbsp;</td></tr><tr><td colspan=\"2\"><h2>Options</h2></td></tr><tr><td colspan=\"2\"><a href=\"#\">Edit Asset</a></td></tr><tr><td colspan=\"2\"><a href=\"#\">Delete Asset</a></td></tr></table></td></tr></table>";
}


?>

__

/* 
*  View Asset
*
*/

# include functions script
include "functions.php";

$id = $_GET["id"];
if (empty($id)):$id="000";
endif;
ConnectDB();
$type = GetAssetType($id);

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" type="text/css" href="style.css" />
<title>Wagman IT Asset</title>
</head>

<body>
    <div id="page">
                <div id="header">
                  <img src="images/logo.png" />
                </div>

                </div>

                <div id="content">
                    <div id="container">

                        <div id="main">
                        <div id="menu">
                            <ul>
                                <table width="100%" border="0">
                                <tr>
                                <td width="15%"></td>
                                <td width="30%%"><li><a href="index.php">Search Assets</a></li></td>
                                <td width="30%"><li><a href="addAsset.php">Add Asset</a></li></td>
                                <td width="25%"></td>
                                </tr>
                                </table>
                          </ul>
                        </div>
                        <div id="text">
                        <ul>
                        <li>
                        <h1>View Asset</h1>
                        </li>
                        </ul>
                        <?php
                        if (empty($type)):echo "<ul><li><h2>Asset ID does not match any database entries.</h2></li></ul>";
                        else:
                        switch ($type){
                        case "Server":
                        $result = QueryServer($id);
                        $ServerArray = GetServerData($result);
                        PrintServerTable($ServerArray);
                        break;
                        case "Desktop";

                        break;
                        case "Laptop";

                        break;
                        }
                        endif;
                        ?>


                        </div>

                        </div>
                </div>
                <div class="clear"></div>
                <div id="footer" align="center">
                    <p>&nbsp;</p>
                </div>
                </div>
                <div id="tagline">
                Wagman Construction - Bridging Generations since 1902
                </div>


</body>
</html>
4

3 回答 3

3

引用变量,如下所示:

WHERE asset.id = '$id'
于 2010-05-24T01:27:50.730 回答
2

您有一个 SQL 注入漏洞。

您需要使用参数化查询,使用PDO

您还需要对数据进行 HTML 编码,使用htmlspecialchars.

于 2010-05-24T01:30:24.640 回答
2

正如其他人所提到的,简单地用单引号引用是一个很大的安全风险。事先在数据上使用 mysql_real_escape_string,或者使用带有参数化语句的扩展,如 PDO 将自动被引用。

虽然在存储之前不需要清理(使用 htmlspecialchars)(如果您需要将其恢复到输入状态,我不建议这样做),但您应该在输出之前对其进行清理,以便不会解析 HTML/脚本标签。

于 2010-05-24T01:55:46.640 回答