【发布时间】:2014-01-11 22:18:58
【问题描述】:
我正在制作一个食谱网站,为了处理搜索查询,我正在一个名为“search.php”的单独页面上处理 形式:
<form id="recipehome" form method="post" action="search.php">
<p>I want a
<Select name="dropoption">
<option value="empty">----</option>
<?php echo $cuisinetype;?>
</Select>
<Select name='meal'>
<option value="B">Breakfast</option>
<option value="l">Lunch</option>
<option value="D">Dinner</option>
</Select>
<input type="submit" id="submit" name="Feed Me" value="submit" />
</form>
我的搜索页面:
if(trim($_POST['submit']) =="submit"){
}else{
if (isset($_POST['dropoption']) && ($_POST['dropoption'] != '')){
if (isset($_POST['meal']) && ($_POST['meal'] != '')) {
$dropoption = clean_string($db_server, $_POST['dropoption']);
$meal = clean_string($db_server, $_POST['meal']);
$quer = "SELECT recipeid FROM `recipename` WHERE `cuisine_type` ='$dropoption' AND `b_l_d` ='$meal'LIMIT 0,1";
mysqli_select_db($db_server, $db_database);
$querya= mysqli_query($db_server, $quer);
if (!$querya) die("database access failed: " . mysqli_error($db_server));
while($row = mysqli_fetch_array($querya)){
$searchresult .=$row['recipeid'];
}
$searchresult = clean_string($db_server, $searchresult);
header("Location:results.php?recipeid=$searchresult");//
}//if(meal)//
}//if(cuisine)//
} //if(trim)//
}
查询然后在那里执行,然后我试图通过传递我得到的变量从那里重定向到另一个结果页面,结果我设法将它放入 url 但我现在将这个整数插入到我的数据库作为查询。这个页面叫做 results.php
if (!$db_server){
die("unable to Connect to MYSQL: " . mysqli_connect_error($db_server));
$db_status = "not connected";
$query = "SELECT * FROM `recipename` WHERE `recipeid`='$searchresult'";
mysqli_select_db($db_server, $db_database);
$result=mysqli_query($db_server, $query);
if (!$result) die("database access failed: " . mysqli_error($db_server));
while($row = mysqli_fetch_array($result)){
$recipename .="<h1>". "Why dont you have ".$row['mealname']."</h1>";
$ingredients .="<p>".$row['ingredients']."</p>";
$recipe .="<p>" .$row['recipe']."</p>";
$cookingtime .="<h4>" .$row['hours']." Hours".$row['minutes']." Minutes </h4>";
$mealpic .="<img src='http://ml11maj.icsnewmedia.net/Workshops/Week%207/".$row['imagepath']."'/>";
if(trim($_POST['Submit']) =="submit3"){
if ($comment != ''){
$userid = trim($_SESSION['userid']);
$comment = trim($_POST['comment']);
$userid = clean_string($db_server, $_SESSION['userid']);
$comment = clean_string($db_server, $_POST['comment']);
$query = "INSERT INTO Comments (comment,userid,recipeid) VALUES ('$comment','$userid','$receipeid')";
mysqli_query($db_server, $query) or
die("Insert failed: " . mysqli_error($db_server));
$message = "Thanks for your comment!";
}
}
}
}
【问题讨论】:
-
尝试使用参数绑定,您的代码会受到 mysql 注入的影响。 php.net/manual/en/mysqli-stmt.bind-param.php
-
这个设置似乎有缺陷,你应该重新设计你的代码。为什么将处理(本质上相同的操作)拆分到两个不同的文件并通过查询字符串显式发送状态变量?但正如下面所指出的,您似乎需要从请求中检索和清理 recipeid。
标签: php mysql database search header