将 $HTTP_GET_VARS 替换为 $_GET,但不起作用
我有以下代码,该代码对我不起作用。我曾经使用 $HTTP_GET_VARS 而不是 $_GET,但后来更新到 PHP 5,现在一切都坏了。对我在这里做错了什么有什么想法吗?
<?php
$_GET['SubCat'];
$_GET['Location'];
$db = mysql_connect("localhost", "xxxx", "xxxx");
mysql_select_db("outdoors",$db);
if ($Location) {
$result = mysql_query("SELECT ID, Longitude, URL, SiteName, Description FROM hunting WHERE SubCategory = '$SubCat' AND Location = '$Location' AND Status <> 'HIDDEN' ORDER BY SiteName",$db);
} else {
$result = mysql_query("SELECT ID, Longitude, URL, SiteName, Description FROM hunting WHERE SubCategory = '$SubCat' AND Status <> 'HIDDEN' ORDER BY SiteName",$db);
<More unrelated stuff after this>
该变量将通过如下链接传递:
hunting.php?SubCat=Hunting+Locations
I have the following code, which is not working for me. I used to have $HTTP_GET_VARS instead of $_GET, but then updated to PHP 5, and now things are broken. Any thoughts on what I'm doing wrong here?
<?php
$_GET['SubCat'];
$_GET['Location'];
$db = mysql_connect("localhost", "xxxx", "xxxx");
mysql_select_db("outdoors",$db);
if ($Location) {
$result = mysql_query("SELECT ID, Longitude, URL, SiteName, Description FROM hunting WHERE SubCategory = '$SubCat' AND Location = '$Location' AND Status <> 'HIDDEN' ORDER BY SiteName",$db);
} else {
$result = mysql_query("SELECT ID, Longitude, URL, SiteName, Description FROM hunting WHERE SubCategory = '$SubCat' AND Status <> 'HIDDEN' ORDER BY SiteName",$db);
<More unrelated stuff after this>
The variable will be passed through a link like this :
hunting.php?SubCat=Hunting+Locations
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
对于你的第一个问题:
你必须将它存储在像这样的任何变量中
或直接引用它。
对于你的第二个问题:
使用全局搜索功能来覆盖您的整个目录。您可以在任何流行的编辑器中找到它。搜索
$_GET['SubCat'];并将其替换为$SubCat = $_GET['SubCat'];。只要确保它是一个唯一的名称即可。附注:
您不使用任何类型检查或输入转义,而是直接将其放入 sql 语句中。这是非常危险的。请在传递之前使用 PDO 或至少使用转义函数以避免 SQL 注入攻击
For your first question:
You must store it in any variable such like this
Or refer to it directly.
For your second question:
Use a global search function to cover your entire directory. You find it in any of the popular editors. The search for
$_GET['SubCat'];and replace it by$SubCat = $_GET['SubCat'];. Just make sure it is an unique name.On a side note:
You donot use any type checking or input escaping and directly put it in your sql statement. IT IS VERY DANGEROUS. Please use PDO or at least an escaping function before you pass it to avoid SQL injection attacks