如果语句在mysql/php脚本中被忽略了？

//connect to server if(isset($_POST['submit'])) { $id=$_POST['id']; $lastname=$_POST['lastname']; $firstname=$_POST['firstname']; $color=$_POST['color']; $number=$_POST['number']; //need id to be filled and need at least one other content type to change if(empty($id) || empty($lastname) and empty($firstname) and empty($color) and empty($number)) { echo "<font color='red'>Invalid Submission. You did not enter an ID or did not input an additional form element. </font><br/>"; } else // if all the fields are filled (not empty) { $sqlConditions = array(); if(isset($_POST['lastname'])){ $lastName = filter_var($_POST['lastname'], FILTER_SANITIZE_STRING); $sqlConditions[] = 'lastname = ' . $lastName; } else { $lastName = ''; } if(isset($_POST['firstname'])){ $firstName = filter_var($_POST['firstname'], FILTER_SANITIZE_STRING); $sqlConditions[] = 'firstname = ' . $firstName; } else { $firstName = ''; } if(isset($_POST['color'])){ $color = filter_var($_POST['color'], FILTER_SANITIZE_STRING); $sqlConditions[] = 'color = ' . $color; } else { $color = ''; } if(isset($_POST['number'])){ $number = filter_var($_POST['number'], FILTER_SANITIZE_STRING); $sqlConditions[] = 'number = ' . $number; } else { $number= ''; } print $sqlConditions; $query = 'UPDATE students SET ' . join (' , ', $sqlConditions); print $query; insert data to database //$query = mysql_query("UPDATE students SET lastname = '$lastname', firstname = '$firstname', color = '$color', number = '$number' //WHERE id = '$id'"); //if (!query) //{ //die('Error: ' . mysql_error()); //} // Close connection to the database mysql_close($con); } }

isset是不够的;添加!empty检查为好，如：

if(isset($_POST['lastname']) && !empty($_POST['lastname'])

编辑
此外，为了在你的代码的注释是你想要什么更好的反射，你if说法或许应该是：

//need id to be filled and need at least one other content type to change 
if(empty($id) && (empty($lastname) || empty($firstname) || empty($color) || empty($number))

这里有一些改进^*和修订有关您点评一下你的代码加上引号的字符串：

<?php 

//connect to server 

if(isset($_POST['submit'])) 
{ 

$id=$_POST['id']; 
$lastname=$_POST['lastname']; 
$firstname=$_POST['firstname']; 
$color=$_POST['color']; 
$number=$_POST['number']; 

    //need id to be filled and need at least one other content type to change 
    if(empty($id) && (empty($lastname) || empty($firstname) || empty($color) || empty($number)) 
    { 
     echo "<font color='red'>Invalid Submission. You did not enter an ID or did not input an additional form element. </font><br/>"; 
    } 
    else // if all the fields are filled (not empty) 
    { 
     $sqlConditions = array(); 

     if(isset($lastname) && !empty($lastname)){ 
      $lastName = filter_var($lastname, FILTER_SANITIZE_STRING); 
      $sqlConditions[] = "lastname = '" . $lastname . "'"; 
     } 
     else 
     { 
      $lastName = ''; 
     } 

     if(isset($firstname)) 
     { 
      $firstName = filter_var($firstname, FILTER_SANITIZE_STRING); 
      $sqlConditions[] = "firstname = '" . $firstname . "'"; 
     } 
     else 
     { 
      $firstName = ''; 
     } 

     if(isset($color) && !empty($color)) 
     { 
      $color = filter_var($color, FILTER_SANITIZE_STRING); 
      $sqlConditions[] = "color = '" . $color . "'"; 
     } 
     else 
     { 
      $color = ''; 
     } 

     if(isset($number)) 
     { 
      $number = filter_var($number, FILTER_SANITIZE_STRING); 
      $sqlConditions[] = "number = '" . $number . "'"; 
     } 
     else 
     { 
      $number= ''; 
     } 
     print $sqlConditions; 

     $query = 'UPDATE students SET ' . join (' , ', $sqlConditions); 
     print $query; 

     //insert data to database  
     //$query = mysql_query("UPDATE students SET lastname = '$lastname', firstname = '$firstname', color = '$color', number = '$number' 
     //WHERE id = '$id'"); 
     //if (!query) 
     //{ 
     //die('Error: ' . mysql_error()); 
     //} 

     // Close connection to the database 
     mysql_close($con); 
    } 
}

^*_{既然你已经确定你的所有$_POST项目变量，就没有必要继续下去回收集。}

来源

2011-11-22 21:43:41 stealthyninja

+1但是，你实际上可以使用'if（！empty（$ _ POST ['lastname']））''作为'empty'来自动禁止未设置变量的任何警告。 – webbiedave

谢谢。你碰巧知道我可以如何为每个被追加的项目添加引号。我需要更新学生SET lastname ='nothinguserputin'代替更新学生SET lastname = whateveruserputin –

'$ sqlConditions [] =“lastname ='”。 $ lastName。 “'”;'或者更好：'$ sqlConditions [] =“lastname ='”。 mysql_real_escape_string（$ lastName）。 “'”;' – webbiedave

在else片段中，您只是检查变量是否已设置，但已设置变量但可能为空。

Isset（）检查变量的值是否包含False，0或空字符串，但不是NULL。

Empty（）函数检查变量是否具有空值空字符串，0，NULL或False。

例子：

<?php 
$var = 0; 

if (empty($var)) { 
    echo 'it is empty since it has value 0 '; 
} 
if (isset($var)) { 
echo '$var is set though it is empty'; 
} 
?>

来源

2011-11-22 21:53:38 user847988

我建议你使用这个编码做法：

$lastName = mysql_real_escape_string($lastName); 
$sqlConditions[] = "lastname = '$lastName'";

能够解决您的问题，即使变量是空的......，让多一点保护您的代码SQL注入攻击（非常值得推荐!!!）

来源

2011-11-22 21:55:08

不，这是不适当的建议。避免'addslashes'。总是使用数据库提供的转义机制（在她的具体情况下，'mysql_real_escape_string'，但她真的应该使用具有参数化查询的PDO）。 – webbiedave

@webbiedave好的，好点。但这个用户似乎需要一个快速的帮助。否则，我们可以鼓励她使用框架（例如） –

@NomikOS - 在框架上达成一致，但首先我们必须学会走路然后跑步。我认为，在选择一些可能会掩盖实际PHP的东西之前，了解“为什么”的第一手资料至关重要。 – stealthyninja

如果语句在mysql/php脚本中被忽略了？

回答

相关问题