[英]NO SQL INJECTION ERROR
当我提交此表单时,此错误出现NO SQL INJECTION
。 这种形式的作用是相同的文件..我试图做很多解决方案,但没有任何效果! 如何解决该错误? 数据库上没有任何更改。
这是PHP代码
<?php
include '../inc/config.php';
include 'dbc.php';
page_protect();
if(!checkAdmin()) {
header("Location: login.php");
exit();
}
$ads_id = (isset($_GET['id']) ? $_GET['id'] : NULL);
if (!is_numeric($ads_id)) { die ('No SQL INJECTION') ;};
if ($ads_id) {
$img_ads_info = $mysqli->query("SELECT * FROM `ads_image` WHERE `id` = '$ads_id'");
$row = $img_ads_info->fetch_object();
$section_id = $row->user_id;
$ads2 = $mysqli->query("SELECT users.company_name FROM ads_image,users where
ads_image.user_id = users.id AND ads_image.user_id='$section_id'");
$row2 = $ads2->fetch_object();
?>
<div class="panel panel-default ">
<div class="panel-heading" id="accordion"><span class="glyphicon
glyphicon-comment"></span><?php echo $row->description; ?></div>
<div class="panel-body">
<form role="form" action="manage_images_ads.php" method="POST">
<div class="form-group">
<input type="hidden" name="id" value="<?php echo $row->id;
?>" />
<label>اسم المؤسسة المعلنة</label>
<input required name="company_name" class="form-
control" type="text" maxlength="255" value="<?php echo $row2->company_name; ?>"/>
</div>
<div class="form-group">
<label>عنوان الإعلان</label>
<input required name="title" class="form-control"
type="text" maxlength="255" value="<?php echo $row->title; ?>"/>
</div>
<div class="form-group">
<label>صورة الإعلان</label>
<img src="upload/<?php echo $row->up; ?>" />
</div>
<div class="form-group">
<label>عدد المشاهدات</label>
<input required name="views" class="form-control"
type="text" maxlength="255" value="<?php echo $row->views; ?>"/>
</div>
<div class="form-group">
<label>رابط الإعلان</label>
<input required name="ad_link" class="form-control"
type="text" maxlength="255" value="<?php echo $row->ad_link; ?>"/>
</div>
<button style="float:left" type="submit"
value="submit" class="btn btn-success btn-md" id="btn-chat">Send</button>
</div>
</form>
<?php
if(isset($_POST['submit'])) {
$title = $mysqli->real_escape_string($_POST['title']);
$ad_link = $mysqli->real_escape_string($_POST['ad_link']);
$views = $mysqli->real_escape_string($_POST['views']);
if ($mysqli->connect_error) {
die("Connection failed: " . $mysqli->connect_error);
}
$sql = "UPDATE ads_image SET `title`='$title',`ad_link`='$ad_link',`views`='$views'
WHERE `id`='$ads_id'";
if ($mysqli->query($sql) === TRUE) {
echo "Record updated successfully";
} else {
echo "Error updating record: " . $mysqli->error;
}
$mysqli->close();
}
}
?>
原因是当php在$ _GET超级数组中查找id时,您的表单具有'method =“ POST”'。 只是改变
$ads_id = (isset($_GET['id']) ? $_GET['id'] : NULL);
至
$ads_id = (isset($_POST['id']) ? $_POST['id'] : NULL);
并且应该可以正常工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.