需要一些帮助才能在数据库中提交值 - phpBB

发布于 2024-09-27 19:36:17 字数 1324 浏览 4 评论 0原文

好吧，伙计们，问这个问题很简单，但我自己在寻找答案时遇到了问题，我非常需要这个......

问题是：

我在（donate/index.php）中有以下函数

函数提交金额() { 全局 $db、$user、$auth、$template、$current_dir；全局 $config、$phpbb_root_path、$phpbb_admin_path、$phpEx；

    include ($phpbb_root_path . 'includes/functions_user.' . $phpEx);
    include ($phpbb_root_path . 'includes/functions_posting.' . $phpEx);
    include_once ($phpbb_root_path . 'donate/functions_donate.' . $phpEx);

    $submitted_amount = (isset($_POST['submitted_amount'])) ? true : false;

    $sql = 'UPDATE ' . DONATION_TABLE . "
            SET config_value = '" . $submitted_amount . "'
            WHERE config_name = 'submitted_amount'";

    $result = $db->sql_query($sql);

page_header

($user->lang['DONATE_EXPLAIN'], false);

提交的金额（）；

$模板->set_filenames(数组( '身体' => '捐赠/index_body.html') ）；

？>

现在文件： (styles/prosilver/template/donate/index_body.html)

它有以下行

<输入类型='文本'名称='提交量'id='提交量'值=''大小='25'tabindex='1'maxlength='9'类='inputbox_d'align='top'>

<表单操作='{U_DONATE_CONFIRM}'方法='发布'>

< input type='submit' class="button1" name='submit' value='{L_SUBMIT}'>

如果您需要更多说明，请告诉我。我向您展示了我的代码的 HTML 和 PHP 之间的所有可能的联系。数据库列在那里，那么我的问题是什么？

原文

Well guys, to ask the question is pretty simple, but myself, I'm having a problem on finding the answer, and I need this badly...

The question is:

I have the following function in (donate/index.php)

function submitted_amount()
{
global $db, $user, $auth, $template, $current_dir;
global $config, $phpbb_root_path, $phpbb_admin_path, $phpEx;

    include ($phpbb_root_path . 'includes/functions_user.' . $phpEx);
    include ($phpbb_root_path . 'includes/functions_posting.' . $phpEx);
    include_once ($phpbb_root_path . 'donate/functions_donate.' . $phpEx);

    $submitted_amount = (isset($_POST['submitted_amount'])) ? true : false;

    $sql = 'UPDATE ' . DONATION_TABLE . "
            SET config_value = '" . $submitted_amount . "'
            WHERE config_name = 'submitted_amount'";

    $result = $db->sql_query($sql);

}

page_header($user->lang['DONATE_EXPLAIN'], false);

submitted_amount();

$template->set_filenames(array(
'body' => 'donate/index_body.html')
);

Now the file: (styles/prosilver/template/donate/index_body.html)

It has the following line

< input type='text' name='submitted_amount' id='submitted_amount' value='' size="25" tabindex="1" maxlength='9' class='inputbox_d' align="top">

< form action='{U_DONATE_CONFIRM}' method='post'>

< input type='submit' class="button1" name='submit' value='{L_SUBMIT}'>

If you need more clarifications please tell me. I showed you all possible connections between the HTML and the PHP of my code. The database column is there, so what's my problem?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

涙—继续流 2024-10-04 19:36:17

首先：

$submitted_amount = (isset($_POST['submitted_amount'])) ? true : false;

这不应该是 subscribed_amount 的值吗？它只会是 true 或 false。

快速解决方法是将 true 更改为 $_POST['subscribed_amount']，但是除非您在某个位置添加一些变量检查，否则您将很容易受到 SQL 注入的影响。那里。

first off:

$submitted_amount = (isset($_POST['submitted_amount'])) ? true : false;

shouldn't this be the value of submitted_amount? it will only ever be true or false.

quick fix would be to change true to $_POST['submitted_amount'], however you'll be leaving yourself wide open to SQL injection unless you add some variable checking somewhere in there.

回复收藏 0 原文

~没有更多了~