SQL UPDATE选择带有多个PHP数组
[英]SQL UPDATE select w/ multiple to a PHP array
问题描述
我知道这段代码中的SQL注入问题。 但是,我只专注于尝试获取更新MySQL服务器的表单。 我有两个选择框。 我可以在两者之间来回传送设备。 但是,当我去更新它不起作用。 请帮我!
此处为表格:
$connection = mysql_connect('#', '#', '#');
mysql_select_db('#');
$techequipment = "SELECT serial, type_id FROM tbl_assets WHERE user_id = {$_GET ['TechID']} AND date_installed IS NULL AND date_returned IS NULL AND metro_date_returned IS NULL ORDER BY type_id, serial";
$techresult = mysql_query($techequipment);
$jobequipment = "SELECT serial, type_id FROM tbl_assets WHERE account_number = {$_GET ['JobNum']} ORDER BY type_id, serial";
$jobresult = mysql_query($jobequipment);
$link = array($_GET ['JobNum'])
?>
<title>Assign Equipment</title>
<table align="center">
<form action="assigned_equipment.php?<? echo http_build_query($link)?>" method="POST">
<tr>
<td><center><b><?php echo "Tech #"; echo $_GET ['TechID']; echo " Assigned Equipment"; ?></b></center></td>
<td></td>
<td><center><b><?php echo "Job #"; echo $_GET ['JobNum']; echo " Assigned Equipment"; ?></b></center></td>
</tr>
<tr>
<td>
<select name="tech[]" size=20 multiple id="list1" STYLE="width: 350px">
<?php $i=0; while($row = mysql_fetch_array($techresult)) { ?>
<option value="<?=$row["serial"];?>"> <?=$row["type_id"]." - ".$row["serial"];?></option>
<?php $i++; } ?> </select>
</td>
<td>
<center><input type="button" id="btnAdd" value="Transfer >>"/></center>
<center><input type="button" id="btnRemove" value="<< Transfer"/></center>
</td>
<td>
<select name="job[]" size=20 multiple id="list2" STYLE="width: 350px">
<?php $i=0; while($row = mysql_fetch_array($jobresult)) { ?>
<option value="<?=$row["serial"];?>"> <?=$row["type_id"]." - ".$row["serial"];?></option>
<?php $i++; } ?> </select>
</td>
</tr>
<tr>
<td colspan="2">
</td>
<td>
<center><input type="submit" value="SUBMIT"/></center>
</form>
</td>
</tr>
<tr>
<td colspan="3">
<center>Multi Select: Press & hold [CTRL] while clicking on the items.</center>
</td>
</tr>
<tr>
<td colspan="3">
<center><a href="jobs.php">EXIT</a></center>
</td>
</tr>
</table>
<script src="js/jquery-2.2.0.js" type="text/javascript"></script>
<script type="text/javascript">
$(document).ready(
function () {
//TAKE EQUIPMENT FROM TECH AND PUT IT IN JOB BOX
$('#btnAdd').click(
function (e) {
$('#list1 > option:selected').appendTo('#list2');
e.preventDefault();
});
//TAKE EQUIPMENT FROM JOB AND PUT IT IN TECH BOX
$('#btnRemove').click(
function (e) {
$('#list2 > option:selected').appendTo('#list1');
e.preventDefault();
});
});
</script>
这是我的assigned_equipment.php文件:
<?php
$connection = mysql_connect('#', '#', '#')
or die('Could not connect: ' .mysql_error());
mysql_select_db('#');
$equipmentquery="UPDATE tbl_assets SET date_installed = curdate(), account_number = {$_GET['0']} WHERE serial = $_POST['job']";
$techquery="UPDATE tbl_assets SET date_installed = curdate(), account_number = {$_GET ['0']} WHERE serial = $_POST['tech']";
?>
1 个解决方案
解决方案1
2 2016-02-12 20:59:45
好的,您是对的,似乎“ 0”是通过$ _GET或$ _POST提交的有效变量名。 因此,这不是问题。
但是您的问题是$_POST['job']是一个数组。
您尝试这样做:
$equipmentquery = ""
. "UPDATE tbl_assets "
. "SET date_installed = curdate(), "
. "account_number = {$_GET['0']} "
. "WHERE serial = $_POST['job']";
虽然$_POST['job']是一个数组,但您不能这样做!
请尝试以下操作:
$jobnum = (int)$_GET['0'];
$job_arr = $_POST['job'];
if(($jobnum > 0) && is_array($job_arr) && (count($job_arr) > 0)) {
$equipmentquery = ""
. "UPDATE tbl_assets "
. "SET date_installed = curdate(), "
. "account_number = ".$jobnum." "
. "WHERE "
. 'serial IN ("'.implode('","',$job_arr).'") ';
}
好的,这会发生什么?
我怀疑您的序列号包含作业数组中发布的值。 因此,您想更新序列号与数组中发布值匹配的每一行。
如果您的$ _POST: Array ( [job] => Array ( [0] => gi4416ncd876 [1] => GI4521NA3391 [2] => M40719GD6274 [3] => PAEH01734539 ) )以及您的$ _GET: Array ( [0] => 113852 ) ,将导致以下查询:
UPDATE tbl_assets
SET date_installed = curdate(),
account_number = 113852
WHERE serial IN ("gi4416ncd876","GI4521NA3391",
"M40719GD6274","PAEH01734539")
好的,现在您有了一个有效的查询。 不是时候执行它了!!!
因此,您需要:
$result = mysql_query ( $equipmentquery );
这是重要的一行,您不见了!
最后,您的代码可能如下所示:
<?php
$connection = mysql_connect('#', '#', '#')
or die('Could not connect: ' .mysql_error());
mysql_select_db('#');
$jobnum = (int)$_GET['0'];
$job_arr = $_POST['job'];
$tech_arr = $_POST['tech'];
if(($jobnum > 0) && is_array($job_arr) && (count($job_arr) > 0)) {
$equipmentquery = ""
. "UPDATE tbl_assets "
. "SET date_installed = curdate(), "
. "account_number = ".$jobnum." "
. "WHERE "
. 'serial IN ("'.implode('","',$job_arr).'") ';
$result1 = mysql_query ( $equipmentquery );
}
if(($jobnum > 0) && is_array($tech_arr) && (count($tech_arr) > 0)) {
$techquery = ""
. "UPDATE tbl_assets "
. "SET date_installed = curdate(), "
. "account_number = ".$jobnum." "
. "WHERE "
. 'serial IN ("'.implode('","',$job_arr).'") ';
$result2 = mysql_query ( $techquery );
}
当这种方法有效时,您应该直接切换到mysqli或pdo! mysql_函数已被弃用,并且在最新的php版本中不再存在! 您应该真正关心sql注入! 因此,请使用准备好的语句来清理您的输入数据!!! 有各种各样的教程在那里! 请勿在现场环境中使用此代码
如何将多个选择字段中的值存储到数组并在选项更改时更新数组?
[英]How to store values from multiple select fields to an array and update array on option change?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.