0
我收到此错误消息:注意:未定义的偏移量:1在C:\ xampp \ htdocs \ evantechbd \ secure \ content \ right_cat_pr.php上在线18。我想从表中获取news_id和cat_name。php爆炸函数错误
下面是HTML表单:
<?php
include "db.php";
$sql = mysql_query("SELECT * FROM news_cat");
?>
<form action="right_cat_pr.php" method="post" name="right_cat">
<table width="400" border="0" cellspacing="5" cellpadding="5">
<tr>
<td>News Category Name</td>
<td>
<select name="cat_name">
<?php
while($row = mysql_fetch_assoc($sql))
{
$new_id = $row['news_id'];
$cat_name = $row['cat_name'];
?>
<option "<?php echo $row['news_id'] . '|' . $row['cat_name'] ?>"><?php echo
$row['cat_name']; ?></option>
<?php
}
?>
</select>
</td>
</tr>
<tr>
<td> </td>
<td><input type="submit" value="Submit" name="submit"></td>
</tr>
</table>
</form>
这里是进程页:
<?php
include "db.php";
$row = explode('|', $_POST['cat_name']);
$news_id = $row[0]; // cat_id
$cat_name = $row[1];
$query = mysql_query("INSERT INTO right_cat VALUES ('','$news_id','$cat_name')");
if($query)
{
echo "Successfully Inserted your News Category<br/>";
}
else
{
echo "Something is wrong to Upload";
}
?>
期权价值不相关的问题,但是你有一个SQL注入漏洞。 'INSERT INTO right_cat VALUES('','$ news_id','$ cat_name')',如果$ news_id是'ffff')会发生什么情况? DROP * FROM *; - '? – Seventoes
@Seventoes +1对拒绝引用Little Bobby Tables的冲动的评论:) ...对于问题...错误消息意味着您引用了第18行中不存在的数组键。如果你不能100%确定数组键是否存在,你应该在引用它之前检查它是否与'empty'或'isset'一致。 – rdlowrey
谢谢@Seventoes。那么,我应该怎么做,以防止SQL注入? –