作者rm031023 (土拨鼠)
看板PHP
标题Re: [请益] 表单处理问题
时间Mon Jan 9 18:45:30 2012
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="
http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=big5" />
<title>无标题文件</title>
</head>
<body>
<form id="form1" name="form1" method="post" action="search2-3-2">
<br>
piletype
<select name="piletype">
<option value=""></option>
<option value="Drilled Shaft">Drilled Shaft</option>
<option value="Driven pile">Driven pile</option>
</select>
<br>
<br>
soiltype
<select name="soiltype" >
<option value=""></option>
<option value="Drained">Drained</option>
<option value="Undrained">Undrained</option>
</select>
</select>
<br>
<br>
LoadingType<select name="LoadingType" >
<option value=""></option>
<option value="Compression">Compression</option>
<option value="Uplift">Uplift</option>
</select>
<br>
<br>
capacity method<p>
<p>
<select name="select" >
<option value=""></option>
<option value="L1">L1</option>
<option value="0.2%B">0.2%B</option>
<option value="0.25%B">0.25%B</option>
<option value="0.3%B">0.3%B</option>
<option value="0.4%B">0.4%B</option>
<option value="0.5in">0.5in</option>
<option value="L2">L2</option>
<option value="4%B">4%B</option>
<option value="STC">STC</option>
<option value="Fuller and Hoy">Fuller and Hoy</option>
<option value="Terzaghi and Peck">Terzaghi and Peck</option>
<option value="DeBeer">DeBeer</option>
<option value="van der Veen">van der Veen</option>
<option value="Chin">Chin</option>
</select>
<p>
capacity< <input name="input" type="text" size="10" /> kN<p>
<br>
<br>
<input type="submit" value="送出" />
</label>
</form>
<?php
$host="localhost";
$user="root";
$pass="0000";
$database="drilled shaft database";
$select=$_POST["select"];
$input=$_POST["input"];
$piletype=$_POST["piletype"];
$LoadingType=$_POST["LoadingType"];
$soiltype=$_POST["soiltype"];
if($piletype!="" || $LoadingType!="" || $soiltype!="" || $input="" ||
$select="" )
{
$link=mysql_connect($host,$user,$pass);
if($link!=False)
{
$qstring="Select*
From shaft
Inner Join site ON site.idSite = shaft.site_idSite
Inner Join soil ON site.idSite = soil.site_idSite
Inner Join soil_has_shaft ON soil.idSoil = soil_has_shaft.soil_idSoil
AND
shaft.idShaft = soil_has_shaft.shaft_idShaft
Inner Join desparameter ON shaft.idShaft = desparameter.shaft_idShaft
Inner Join capacity ON capacity.shaft_idShaft = shaft.idShaft
where shaft.`piletype`='$piletype' AND shaft.`LoadingType`='$LoadingType'
AND soil.`soiltype`='$soiltype' AND capacity.`$select` < '$input'
ORDER BY shaft.`Depth, D (m)` ASC ";
$result=mysql_db_query($database,$qstring,$link);
$rows=mysql_num_rows($result);
if($rows>=0)
{
for($x=0;$x<=$rows-1;$x++)
{
$arrdata[$x]=mysql_fetch_field($result);
}
}
echo"查询结果:<br>";
echo"<table border=1>";
echo"<tr><td>Depth, D (m)</td>";
echo"<td>Dia, B (m)</td>";
echo"<td>Friction Angle-TC</td>";
echo"<td>Su(CIUC) (kN/m<sup>2</sup>)</td>";
echo"<td>alpha(CIUC)</td>";
echo"<td>Measured Beta</td>";
echo"<td>k/ko</td>";
echo"<td>$select (kN)</td></tr>";
while($arrdata[$x]=mysql_fetch_array($result)){
echo"<tr><td><div align=right>".$arrdata[$x]['Depth, D (m)']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['Dia, B (m)']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['Friction
Angle-TC']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['Su(CIUC)']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['alpha(CIUC)']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['Measured Beta']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['k/ko']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['$select']."</div></td></tr>";
}
echo"</table>";
}
}
其他栏位值都抓得到结果,就只有capacity的抓不到
--
※ 发信站: 批踢踢实业坊(ptt.cc)
◆ From: 140.135.120.167
1F:→ kerash:先给个提议... name 不要用那种input或类似的关键字 01/09 20:55
2F:→ kerash:命名要明确一点... 01/09 20:55
3F:→ kerash:然後请先 echo 你的 input , select 的值是否有抓到 01/09 20:57
4F:→ MOONRAKER:select叫做select…这就好像生一个小孩取名叫小孩一样:| 01/09 22:57
5F:→ rm031023:没注意到命名,这样真的好奇怪,我会改掉XD, 01/09 23:10
6F:→ rm031023:如果是echo input和select的话可以被echo出来 01/09 23:13
7F:→ rm031023:但是资料库里面栏位的内容抓不到 01/09 23:14
8F:→ buganini:$arrdata[$x]['$select'] 01/10 03:51
9F:→ buganini:另外你这个写法有sql_injection的问题 01/10 03:57
10F:→ kerash:你 echo $sql 然後把该指令贴到 phpadmin 的sql跑跑看 01/10 09:11
11F:→ rm031023:$arrdata[$x]['$select']我这一行写错吗? 01/10 10:19
12F:→ rm031023:sql_injection意思是资料库会被攻击?那要怎麽写才好呢 01/10 10:20
13F:→ rm031023:我用phpadmin 的sql跑的出结果,sql语法是对的 01/10 10:21
14F:→ rm031023:我用出来了,$arrdata[$x][$select]这样子就可以了, 01/10 11:34
15F:→ rm031023:谢谢大家的帮忙~感激不尽>< 01/10 11:35
16F:→ kerash:一般如果会让使用者输入资料的表单,内容都会先过滤 01/10 12:38
17F:→ kerash:就是先提出後,用各种 filter 把可疑内容滤掉 01/10 12:38
18F:→ kerash:你的是 $select = $_POST["select"] 而已,只要内容加一些 01/10 12:39
19F:→ kerash:资料库语法,就可能会造成很多错误 01/10 12:39
20F:→ rm031023:不太懂什麽意思,用filter把内容过滤掉? 01/11 09:54
21F:→ kerash:就类似用 preg_replace 把 <,&,%,@,' .. 等特殊文字处理掉 01/11 12:06
22F:→ kerash:或简单一点就是单纯用 htmlspecialchar, htmlentities 01/11 12:07
23F:→ kerash:看要过滤的程度跟内容自己决定 01/11 12:07
24F:→ chenstin:本文87行的 $input="" || $select="" 感觉有少写「!」 01/12 01:06
25F:→ rm031023:恩恩 意思是把栏位弄乾净一点吧,谢谢你,我会试试看! 01/12 09:51
26F:→ rm031023:真的没写到!谢谢 01/12 09:53