显示不必要的错误消息

Question

我已经设置了一个表单来更新我的博客，直到今天早上它都运行良好。尽管它更新了主页，但当我单击更新按钮时，它仍然在编辑帖子页面上出现 Invalid Entry ID 错误。 非常感谢所有帮助。

 <html>

    <head>
    <title>Ultan's Blog | New Post</title>
    <link rel="stylesheet" href="css/editpost.css" type="text/css" />
    </head>

    <body>
    <div class="new-form">
    <div class="header">
</div>
<div class="form-bg">
<?php
mysql_connect ('localhost', 'root', 'root') ;
mysql_select_db ('tmlblog');

if (isset($_POST['update'])) {

    $id = htmlspecialchars(strip_tags($_POST['id']));
    $month = htmlspecialchars(strip_tags($_POST['month']));
    $date = htmlspecialchars(strip_tags($_POST['date']));
    $year = htmlspecialchars(strip_tags($_POST['year']));
    $time = htmlspecialchars(strip_tags($_POST['time']));
    $entry = $_POST['entry'];
    $title = htmlspecialchars(strip_tags($_POST['title']));
    if (isset($_POST['password'])) $password = htmlspecialchars(strip_tags($_POST['password']));
    else $password = "";

    $entry = nl2br($entry);

    if (!get_magic_quotes_gpc()) {
        $title = addslashes($title);
        $entry = addslashes($entry);
    }

    $timestamp = strtotime ($month . " " . $date . " " . $year . " " . $time);

    $result = mysql_query("UPDATE php_blog SET timestamp='$timestamp', title='$title', entry='$entry', password='$password' WHERE id='$id' LIMIT 1") or print ("Can't update entry.<br />" . mysql_error());

    header("Location: post.php?id=" . $id);

}

if (isset($_POST['delete'])) {
    $id = (int)$_POST['id'];
    $result = mysql_query("DELETE FROM php_blog WHERE id='$id'") or print ("Can't delete entry.<br />" . mysql_error());
    if ($result != false) {
        print "The entry has been successfully deleted from the database.";
        exit;
    }
}

if (!isset($_GET['id']) || empty($_GET['id']) || !is_numeric($_GET['id'])) {
    die("Invalid entry ID.");
}
else {
    $id = (int)$_GET['id'];
}

$result = mysql_query ("SELECT * FROM php_blog WHERE id='$id'") or print ("Can't select entry.<br />" . $sql . "<br />" . mysql_error());

while ($row = mysql_fetch_array($result)) {
    $old_timestamp = $row['timestamp'];
    $old_title = stripslashes($row['title']);
    $old_entry = stripslashes($row['entry']);
    $old_password = $row['password'];

    $old_title = str_replace('"','\'',$old_title);
    $old_entry = str_replace('<br />', '', $old_entry);

    $old_month = date("F",$old_timestamp);
    $old_date = date("d",$old_timestamp);
    $old_year = date("Y",$old_timestamp);
    $old_time = date("H:i",$old_timestamp);
}
?>

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

<p><input type="hidden" name="id" value="<?php echo $id; ?>" />

<strong><label for="month">Date (month, day, year):</label></strong> 

<select name="month" id="month">
<option value="<?php echo $old_month; ?>"><?php echo $old_month; ?></option>

<option value="January">January</option>
<option value="February">February</option>
<option value="March">March</option>
<option value="April">April</option>

<option value="May">May</option>
<option value="June">June</option>
<option value="July">July</option>
<option value="August">August</option>

<option value="September">September</option>
<option value="October">October</option>
<option value="November">November</option>
<option value="December">December</option>

</select>

<input type="text" name="date" id="date" size="2" value="<?php echo $old_date; ?>" />

<select name="year" id="year">
<option value="<?php echo $old_year; ?>"><?php echo $old_year; ?></option>
<option value="2004">2004</option>

<option value="2005">2005</option>
<option value="2006">2006</option>
<option value="2007">2007</option>
<option value="2008">2008</option>

<option value="2009">2009</option>
<option value="2010">2010</option>
</select>

<strong><label for="time">Time:</label></strong> <input type="text" name="time" id="time" size="5" value="<?php echo $old_time; ?>" /></p>

<p><strong><label for="title">Title:</label></strong> <input type="text" name="title" id="title" value="<?php echo $old_title; ?>" size="40" /> </p>

<p><strong><label for="password">Password protect?</label></strong> <input type="checkbox" name="password" id="password" value="1"<?php if($old_password == 1) echo " checked=\"checked\""; ?> /></p>

<p><textarea cols="80" rows="20" name="entry" id="entry"><?php echo $old_entry; ?></textarea></p>

<p><input type="submit" name="update" id="update" value="Update"></p>

</form>

<p><strong>Be absolutely sure that this is the post that you wish to remove from the blog!</strong><br />
</p>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">

<input type="hidden" name="id" id="id" value="<?php echo $id; ?>" />
<input type="submit" name="delete" id="delete" value="Delete" />

</form>
</div>
</div>
 </div>
 <div class="bottom"></div>  
</body>

</html>

Answer 1

据我所知，您使用$_GET['id'] 或$_POST['id'] 来标识条目ID。所以在设置$id 变量时必须检查这两个：

if (!isset($_REQUEST['id']) || !is_numeric($_REQUEST['id']))
    die("Invalid entry ID.");

或者，更有选择性：

if (isset($_GET['id']) && is_numeric($_GET['id']))
    $id = intval($_GET['id']);
else if (isset($_POST['id']) && is_numeric($_POST['id']))
    $id = intval($_POST['id']);
else
    die('Invalid entry ID.');

empty 检查对is_numeric 来说是多余的：空字符串不是数字。此外，empty 返回 true 和 0，我相信这不会停止您的系统，因为 0 可能是一个有效的 ID。

Answer 2

我认为这里的问题是 POST 和 GET

的混合

您的表单使用 POST 方法：

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

所以你需要改变：

if (!isset($_GET['id']) || empty($_GET['id']) || !is_numeric($_GET['id'])) {
    die("Invalid entry ID.");
}
else {
   $id = (int)$_GET['id'];
}

到：

    if (!isset($_POST['id']) || empty($_POST['id']) || !is_numeric($_POST['id'])) {
        die("Invalid entry ID.");
    }
   else {
    $id = (int)$_POST['id'];
   }