当前位置: 文江博客话题详情

如何更正此 SQL 查询的 PHP 代码?

发布于 2024-10-05 19:48:38 字数 3163 浏览 3 评论 0原文

我已经搞乱这个有一段时间了,而且我已经快到了。只需要越过我撞过的这堵墙。

我有以下表格:

tracks (trackid, tracktitle, albumid, composerid)
albums (albumid, albumname)
composers (composerid, composername)

我可以通过 PhpMyAdmin SQL 选项卡插入新记录

INSERT INTO tracks (tracktitle, albumid, composerid) VALUES ('New Song', 1, 1);

,并且工作正常。

但我的 PHP 表单没有做同样的事情,我一定忽略了一些事情。 请有人检查一下我的 addtrack 页面的代码并告诉我出了什么问题?

 if (isset($_POST['tracktitle'])): 
 // A new track has been entered
 // using the form.

 $cid= $_POST['cid'];
 $tracktitle = $_POST['tracktitle'];
 $albs = $_POST['albs'];

 if ($cid == '') {
 exit('<p>You must choose an composer for this track. 
 Click "Back" and try again.</p>');
  }

  $sql = "INSERT INTO tracks SET
  tracks.tracktitle='$tracktitle'" ;
  if (@mysql_query($sql)) {
  echo '<p>New track added</p>';
  } else {
  exit('<p>Error adding new track' . mysql_error() . '</p>');
  }

  $trackid = mysql_insert_id();

  if (isset($_POST['albs'])) {
   $albs = $_POST['albs'];
   } else {
   $albs = array();
   }

  $numAlbs = 0;
  foreach ($albs as $albID) {
  $sql = "INSERT IGNORE INTO tracks (trackid, albumid, 
  composerid) VALUES " . 
"($trackid, $albs, $cid)";

if ($ok) {
  $numAlbs = $numAlbs + 1;
} else {
  echo "<p>Error inserting track into album $albID: " .
      mysql_error() . '</p>';
}
}
 ?>

<p>Track was added to <?php echo $numAlbs; ?> albums.</p>

 <p><a href="<?php echo $_SERVER['PHP_SELF']; ?>">Add another 
 track</a></p>
 <p><a href="tracks.php">Return to track search</a></p>

 <?php
 else: // Allow the user to enter a new track

 $composers = @mysql_query('SELECT composerid, composername 
 FROM composers');
  if (!$composers) {
 exit('<p>Unable to obtain composer list from the 
database.</p>');
 }

$albs = @mysql_query('SELECT albumid, albumname FROM albums');
 if (!$albs) {
 exit('<p>Unable to obtain album list from the 
 database.</p>');
 }
 ?>

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" 
 method="post">
 <p>Enter the new track:<br />
 <textarea name="tracktitle" rows="1" cols="20">
 </textarea></p>
 <p>Composer:
 <select name="cid" size="1">
  <option selected value="">Select One</option>
  <option value="">---------</option> 
  <?php
   while ($composer= mysql_fetch_array($composers)) {
    $cid = $composer['composerid'];
    $cname = htmlspecialchars($composer['composername']);
    echo "<option value='$cid'>$cname</option>\n";
     }
    ?>
    </select></p>
    <p>Place in albums:<br />
   <?php
   while ($alb = mysql_fetch_array($albs)) {
    $aid = $alb['albumid'];
    $aname = htmlspecialchars($alb['albumname']);
     echo "<label><input type='checkbox' name='albs[]'
    value='$aid' />$aname</label><br />\n";
    }
   ?>

一旦我解决了这个问题,我就可以继续扩展它并解决安全问题。这里有人建议我研究一下 PDO,这对我来说是新事物。 但一次一个障碍......

谢谢

原文

I've been messing with this for a while and I'm nearly there. Just need to get past this wall I've hit.

I have the following tables:

tracks (trackid, tracktitle, albumid, composerid)
albums (albumid, albumname)
composers (composerid, composername)

I can insert a new record via PhpMyAdmin SQL tab with

INSERT INTO tracks (tracktitle, albumid, composerid) VALUES ('New Song', 1, 1);

and it works fine.

My PHP form though isn't doing the same thing and I must have overlooked something.
Please can someone check out the code for my addtrack page and tell me what is wrong?

 if (isset($_POST['tracktitle'])): 
 // A new track has been entered
 // using the form.

 $cid= $_POST['cid'];
 $tracktitle = $_POST['tracktitle'];
 $albs = $_POST['albs'];

 if ($cid == '') {
 exit('<p>You must choose an composer for this track. 
 Click "Back" and try again.</p>');
  }

  $sql = "INSERT INTO tracks SET
  tracks.tracktitle='$tracktitle'" ;
  if (@mysql_query($sql)) {
  echo '<p>New track added</p>';
  } else {
  exit('<p>Error adding new track' . mysql_error() . '</p>');
  }

  $trackid = mysql_insert_id();

  if (isset($_POST['albs'])) {
   $albs = $_POST['albs'];
   } else {
   $albs = array();
   }

  $numAlbs = 0;
  foreach ($albs as $albID) {
  $sql = "INSERT IGNORE INTO tracks (trackid, albumid, 
  composerid) VALUES " . 
"($trackid, $albs, $cid)";

if ($ok) {
  $numAlbs = $numAlbs + 1;
} else {
  echo "<p>Error inserting track into album $albID: " .
      mysql_error() . '</p>';
}
}
 ?>

<p>Track was added to <?php echo $numAlbs; ?> albums.</p>

 <p><a href="<?php echo $_SERVER['PHP_SELF']; ?>">Add another 
 track</a></p>
 <p><a href="tracks.php">Return to track search</a></p>

 <?php
 else: // Allow the user to enter a new track

 $composers = @mysql_query('SELECT composerid, composername 
 FROM composers');
  if (!$composers) {
 exit('<p>Unable to obtain composer list from the 
database.</p>');
 }

$albs = @mysql_query('SELECT albumid, albumname FROM albums');
 if (!$albs) {
 exit('<p>Unable to obtain album list from the 
 database.</p>');
 }
 ?>

 <form action="<?php echo $_SERVER['PHP_SELF']; ?>" 
 method="post">
 <p>Enter the new track:<br />
 <textarea name="tracktitle" rows="1" cols="20">
 </textarea></p>
 <p>Composer:
 <select name="cid" size="1">
  <option selected value="">Select One</option>
  <option value="">---------</option> 
  <?php
   while ($composer= mysql_fetch_array($composers)) {
    $cid = $composer['composerid'];
    $cname = htmlspecialchars($composer['composername']);
    echo "<option value='$cid'>$cname</option>\n";
     }
    ?>
    </select></p>
    <p>Place in albums:<br />
   <?php
   while ($alb = mysql_fetch_array($albs)) {
    $aid = $alb['albumid'];
    $aname = htmlspecialchars($alb['albumname']);
     echo "<label><input type='checkbox' name='albs[]'
    value='$aid' />$aname</label><br />\n";
    }
   ?>

Once I have this sorted, I can move on to expanding it and also sorting out the security issues. Someone on here recommended I look into PDO's which are a new thing to me.
But one hurdle at a time....

Thanks

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

救赎№ 2024-10-12 19:48:38

您的 INSERT 语法不正确。您正在尝试使用 UPDATE 语法进行 INSERT。

你正在尝试:

INSERT INTO table_name SET field_name = '$value', another_field_name = '$another_value'

但你应该这样做:

INSERT INTO table_name (
    field_name,
    another_field_name
)
VALUES (
    '$value',
    '$another_value'
)

另外,你真的应该使用addslahes(),如下所示:

INSERT INTO table_name (
    field_name,
    another_field_name
)
VALUES (
    '".addslashes($value)."',
    '".addslashes($another_value)."'
)

否则你的代码比煮土豆更容易被破解。 :)

编辑:Chad Birch(如下)建议使用参数化值,这无疑比addslashes() 更好。老实说,我不知道 PHP 已经有了这些。

Your INSERT syntax is incorrect. You are trying to INSERT using an UPDATE syntax.

You are trying:

INSERT INTO table_name SET field_name = '$value', another_field_name = '$another_value'

But you should be doing:

INSERT INTO table_name (
    field_name,
    another_field_name
)
VALUES (
    '$value',
    '$another_value'
)

Also, you really should be using addslahes(), like this:

INSERT INTO table_name (
    field_name,
    another_field_name
)
VALUES (
    '".addslashes($value)."',
    '".addslashes($another_value)."'
)

Otherwise your code is easier to hack than a boiled potato. :)

EDIT: Chad Birch (below) suggests rather using parameterized values, which admittedly is better than addslashes(). I honestly didn't know PHP had those already.

回复 原文
一梦浮鱼 2024-10-12 19:48:38

问题出在你的查询中。尝试使用 mysql_error 函数来获取有关您做错了什么的额外信息。

例如,您的 INSERT 语句格式错误。

你有:

$sql="INSERT INTO tracks SET tracks.tracktitle='$tracktitle'"

它应该是这样的:

$sql="INSERT INTO tracks (tracktitle) VALUES ('$tracktitle')";

The problems are in your queries. Try using mysql_error function to get extra information on what you are doing wrong.

As an example your INSERT statement is malformed.

You have:

$sql="INSERT INTO tracks SET tracks.tracktitle='$tracktitle'"

It should be something like:

$sql="INSERT INTO tracks (tracktitle) VALUES ('$tracktitle')";
回复 原文
违心° 2024-10-12 19:48:38

我之前的回答是错误的(已被删除)。我现在了解到您的插入语法确实有效。

但您没有做的是转义您在查询中输入的值。如果 $tracktitle 包含任何无效字符(例如单引号),则可能会破坏您的查询。

您应该在构建插入查询之前添加此行:

$tracktitle = mysql_real_escape_string($tracktitle);

您当前的代码非常危险。如果我要插入一首歌曲,在歌曲名称中我会输入 YourF...ed,哦顺便说一下'; drop database YourDataBaseName; 你应该尝试想象会发生什么......

这就是所谓的 SQL 注入。由于您没有正确转义该值,其他人可以通过将其插入 html 表单字段来关闭该语句并开始一个新语句。

我不知道这是否是您的查询现在无法工作的原因(只有在您输入无效字符时才会中断),但目前这是一个严重的问题。

要找出确切的错误,您应该在 mysql_query() 返回 false 时显示 mysql_error() 的结果。这可能比我们在这里做出的任何随机猜测更能帮助您。

My previous answer was wrong (and is deleted). I've learned now that your Insert syntax is indeed valid.

But what you don't do, is escape the value you put in the query. If $tracktitle contains any invalid characters, like a single quote, it could break your query.

You should add this line before building your insert query:

$tracktitle = mysql_real_escape_string($tracktitle);

You current code is very dangarous. If I was to insert a song, and in the song name I would type YourF...ed, oh by the way'; drop database YourDataBaseName; you should try to imagine what happens..

This is known as SQL-injection. Because you don't correctly escape the value, someone else can close the statment en start a new statement by just inserting it into a html form field.

I don't know if this is the reason that your query doesn't work right now (it only breaks if you type an invalid character), but it is a serious problem at the moment.

To find out your exact error, you should display the results of mysql_error() when mysql_query() returns false. This will probably help you more than any random guesses we can make here.

回复 原文
~没有更多了~

关于作者

那片花海

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

留蓝

文章 0 评论 0

18790681156

文章 0 评论 0

zach7772

文章 0 评论 0

Wini

文章 0 评论 0

ayeshaaroy

文章 0 评论 0

初雪

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文