Can someone help me understand why this MySQL update code doesn't work in PHP 5
Here is the code. It seems to be having an issue in PHP 5. It works well in PHP 4.4.9.
    if($_REQUEST['action']== "Update"){
        $curDate = date("Y-m-d");
        $image =$_FILES['vImage']["name"];
        $uploadedfile = $_FILES['vImage']['tmp_name'];
        $sql="UPDATE businessad
            SET iBUserID= '$_REQUEST[iBUserID]',
            iCategoryID= '$_REQUEST[iBCategoryID]',
            vAdTitle= '$_REQUEST[vAdTitle]',
            tAdText= '$_REQUEST[tAdText]',
            vAdImage= '$vAdImage',
            vAdURL= '$_REQUEST[vAdURL]',
            dStartDate= '$_REQUEST[dStartDate]',
            dEndDate= '$_REQUEST[dEndDate]',
            vAddress1= '$_REQUEST[vAddress1]',
            vAddress2= '$_REQUEST[vAddress2]',
            vCity= '$_REQUEST[vCity]',
            vState= '$_REQUEST[vState]',
            vZipCode= '$_REQUEST[vZipCode]',
            vPhone= '$_REQUEST[vPhone]',
            vEmail= '$_REQUEST[vEmail]',
            eStatus='$_REQUEST[eStatus]'
            WHERE iBusAdID='".$_REQUEST['iBusAdID']."'";
        $db_sql=$obj->sql_query($sql);
        if($db_sql)
        {
            $msg=MSG_UPDATE;
            header("Location:businessadview.php?var_msg=$msg");
            exit;
        }
        else
        {
            $msg=MSG_UPDATE_ERROR;
            header("Location:businessadview.php?var_msg=$msg");
            exit;
        }
    }
That code doesn't update to the MySQL table, and I'm not sure why.
What precedes the above code is a form that looks like this
    <form name="frmadd" method="post" action="businessadadd_a.php" enctype="multipart/form-data">
    <input type="hidden" name="action" value="<?=$action;?>">
    <input type="hidden" name="iBusAdID" value=<?=$iBusAdID;?>>
I checked my server error logs and found this. It mentions some errors in the globals.php, which is a part of the include call up. I'll include the include code too.
Here is the include code
    <?php
    @session_start();
    @ob_start();
    include_once("./lib/db_config.php");
    include_once("./lib/myclass.php");
    include_once("./lib/globals.php");
    if(!isset($obj)){
        $obj = new myclass($SERVER,$DBASE,$USERNAME,$PASSWORD);
    }
    include_once("./lib/generalsettings.php");
    include_once("./function/general.php");
    include_once("./lib/messages.php");
    getGeneralVar();
    ?>
Here is the globals.php code that the server error logs have an issue with
    <?php
    $glob=array("SERVER");
    if(isset($GPC_vars))
    {   foreach($GPC_vars as $var)
        {   foreach(array("GET","POST","COOKIE") as $avar)
                if(isset($GLOBALS["HTTP_".$avar."_VARS"][$var]))
                {   $$var=$GLOBALS["HTTP_".$avar."_VARS"][$var];
                }
        }
    }
    else
    {   $glob=array_merge(array("GET","POST","COOKIE"),$glob);
    }
    foreach($glob as $avar)
    {   $arr=$GLOBALS["HTTP_".$avar."_VARS"];
        foreach($arr as $var => $res)
            $$var=$res;
    }
    foreach ($HTTP_POST_FILES as $name => $value) {
        $$name = $value["tmp_name"];
        foreach($value as $k=>$v) {
            $varname_ = $name."_".$k;
            $$varname_ = $v;
        }
    }
    reset($HTTP_POST_FILES);
    ?>
Here is what the error logs say
[Mon Mar 14 13:08:55 2011] [error] [client -] File does not exist: /public_html/favicon.ico
[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: reset() [function.reset]: Passed variable is not an array or object in /public_html/lib/globals.php on line 30, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update
[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: Invalid argument supplied for foreach() in .../public_html/lib/globals.php on line 23, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update
[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: Invalid argument supplied for foreach() in .../public_html/lib/globals.php on line 19, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update
[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: Invalid argument supplied for foreach() in .../public_html/lib/globals.php on line 19, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update
[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: Invalid argument supplied for foreach() in .../public_html/lib/globals.php on line 19, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update
[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: Invalid argument supplied for foreach() in .../public_html/lib/globals.php on line 19, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update
Comments (4)
Because it's just a string. Do you execute the query? If so, what does mysql_error tell you?
And please, pretty please, Google for SQL injection. This code is very vulnerable.
The reason it's failing is explained by your statement:
1) you've cited a fragment of the code used to generate the query - but we need to see the query which gets sent to the database and the structure of the table
2) we also need to see the error message that is returned after the query fails.
3) since you are using $_REQUEST, we also need to see your variables_order setting for both PHP installations to determine how $_REQUEST is populated
I expect once you find the answers to these the solution will be obvious. But it's also worth noting that splicing user supplied data into an SQL query is a very bad idea - you're wide open to SQL injection attacks.
You might try to use the concatenation you are doing at the end within the query. It might be looking at the $_REQUEST['SOMETHING'] as a string.
When you say your code works in PHP4 but stops working in PHP5, then it's easy to assume this is due to lack of magic_quotes. This feature has been disabled in the default configurations of PHP5. And your SQL query now became invalid due to lack of escaping.
At the start of your script (but after the mysql_connect) add the following:
It's workaround-ish, but at least safe if it is always executed right after the database connection. Do the same for $_GET and $_POST if you must. (The correct approach would be to migrate to PDO and parameterized SQL, or at least apply the mysql_real_escape_string function wherever you concatenate SQL queries.)
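The last answer names PDO and parameterized SQL as the correct approach. The following is an added example of that, not code from the thread or its authors; it assumes an in-memory SQLite database reached through PDO as a stand-in for MySQL, a cut-down businessad table with three of the columns, and a constructed $request array in place of $_REQUEST.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with in-memory
// SQLite stands in for MySQL; three businessad columns; constructed input.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE businessad (
    iBusAdID INTEGER PRIMARY KEY, vAdTitle TEXT, vCity TEXT, eStatus TEXT)");
$pdo->exec("INSERT INTO businessad VALUES (4, 'Old title', 'Old city', 'Inactive')");

// Constructed request: the apostrophe is what breaks the spliced query once
// magic_quotes no longer escapes it.
$request = array(
    'iBusAdID' => '4',
    'vAdTitle' => "Joe's Diner",
    'vCity'    => 'Springfield',
    'eStatus'  => 'Active',
    'action'   => 'Update',  // not a column; never reaches the SQL text
);

function updateBusinessAd(PDO $pdo, array $request)
{
    $columns = array('vAdTitle', 'vCity', 'eStatus');  // fixed allowlist
    $set = array();
    $params = array();
    foreach ($columns as $col) {
        if (!isset($request[$col]) || !is_string($request[$col])) {
            continue;  // skip missing fields and array-typed input
        }
        $set[] = "$col = :$col";
        $params[":$col"] = $request[$col];
    }
    if (!$set || !isset($request['iBusAdID']) || !is_scalar($request['iBusAdID'])) {
        return 0;  // nothing to update, or no usable row id
    }
    $params[':id'] = (int) $request['iBusAdID'];
    $sql = 'UPDATE businessad SET ' . implode(', ', $set) . ' WHERE iBusAdID = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);  // values are bound, not spliced into $sql
    return $stmt->rowCount();
}
// Spliced the way the question does it: the quote ends the literal early.
$spliced = "UPDATE businessad SET vAdTitle= '{$request['vAdTitle']}' WHERE iBusAdID='4'";
try {
    $pdo->exec($spliced);
    echo "spliced: ok\n";
} catch (PDOException $e) {
    echo "spliced: rejected by the database\n";
}
echo "parameterized: ", updateBusinessAd($pdo, $request), " row(s) updated\n";
echo $pdo->query('SELECT vAdTitle FROM businessad WHERE iBusAdID = 4')->fetchColumn(), "\n";
```

With a MySQL DSN the function body is unchanged; only the connection line and the table definition differ.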