Author: rm031023 (土撥鼠)
Board: PHP
Title: Re: [Question] Form handling problem
Time: Mon Jan 9 18:45:30 2012
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=big5" />
<title>Untitled Document</title>
</head>
<body>
<form id="form1" name="form1" method="post" action="search2-3-2">
<br>
piletype
<select name="piletype">
<option value=""></option>
<option value="Drilled Shaft">Drilled Shaft</option>
<option value="Driven pile">Driven pile</option>
</select>
<br>
<br>
soiltype
<select name="soiltype" >
<option value=""></option>
<option value="Drained">Drained</option>
<option value="Undrained">Undrained</option>
</select>
<br>
<br>
LoadingType<select name="LoadingType" >
<option value=""></option>
<option value="Compression">Compression</option>
<option value="Uplift">Uplift</option>
</select>
<br>
<br>
capacity method<br>
<br>
<select name="select" >
<option value=""></option>
<option value="L1">L1</option>
<option value="0.2%B">0.2%B</option>
<option value="0.25%B">0.25%B</option>
<option value="0.3%B">0.3%B</option>
<option value="0.4%B">0.4%B</option>
<option value="0.5in">0.5in</option>
<option value="L2">L2</option>
<option value="4%B">4%B</option>
<option value="STC">STC</option>
<option value="Fuller and Hoy">Fuller and Hoy</option>
<option value="Terzaghi and Peck">Terzaghi and Peck</option>
<option value="DeBeer">DeBeer</option>
<option value="van der Veen">van der Veen</option>
<option value="Chin">Chin</option>
</select>
<br>
capacity &lt; <input name="input" type="text" size="10" /> kN<br>
<br>
<br>
<input type="submit" value="Submit" />
</form>
<?php
$host="localhost";
$user="root";
$pass="0000";
$database="drilled shaft database";
$select=$_POST["select"];
$input=$_POST["input"];
$piletype=$_POST["piletype"];
$LoadingType=$_POST["LoadingType"];
$soiltype=$_POST["soiltype"];
if($piletype!="" || $LoadingType!="" || $soiltype!="" || $input="" ||
$select="" )
{
$link=mysql_connect($host,$user,$pass);
if($link!=False)
{
$qstring="Select *
From shaft
Inner Join site ON site.idSite = shaft.site_idSite
Inner Join soil ON site.idSite = soil.site_idSite
Inner Join soil_has_shaft ON soil.idSoil = soil_has_shaft.soil_idSoil
AND
shaft.idShaft = soil_has_shaft.shaft_idShaft
Inner Join desparameter ON shaft.idShaft = desparameter.shaft_idShaft
Inner Join capacity ON capacity.shaft_idShaft = shaft.idShaft
where shaft.`piletype`='$piletype' AND shaft.`LoadingType`='$LoadingType'
AND soil.`soiltype`='$soiltype' AND capacity.`$select` < '$input'
ORDER BY shaft.`Depth, D (m)` ASC ";
$result=mysql_db_query($database,$qstring,$link);
$rows=mysql_num_rows($result);
if($rows>=0)
{
for($x=0;$x<=$rows-1;$x++)
{
$arrdata[$x]=mysql_fetch_field($result);
}
}
echo"Query results:<br>";
echo"<table border=1>";
echo"<tr><td>Depth, D (m)</td>";
echo"<td>Dia, B (m)</td>";
echo"<td>Friction Angle-TC</td>";
echo"<td>Su(CIUC) (kN/m<sup>2</sup>)</td>";
echo"<td>alpha(CIUC)</td>";
echo"<td>Measured Beta</td>";
echo"<td>k/ko</td>";
echo"<td>$select (kN)</td></tr>";
while($arrdata[$x]=mysql_fetch_array($result)){
echo"<tr><td><div align=right>".$arrdata[$x]['Depth, D (m)']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['Dia, B (m)']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['Friction Angle-TC']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['Su(CIUC)']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['alpha(CIUC)']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['Measured Beta']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['k/ko']."</div></td>";
echo"<td><div align=right>".$arrdata[$x]['$select']."</div></td></tr>";
}
echo"</table>";
}
}
?>
</body>
</html>
The values of all the other columns are fetched fine; only the capacity one isn't.
--
※ Posted from: 批踢踢實業坊(ptt.cc)
◆ From: 140.135.120.167
1F:→ kerash:First, a suggestion... don't use a keyword like input or something similar as the name 01/09 20:55
2F:→ kerash:naming should be more explicit... 01/09 20:55
3F:→ kerash:then first echo your input and select to see whether their values are actually captured 01/09 20:57
4F:→ MOONRAKER:A select called select... that's like having a child and naming it "child" :| 01/09 22:57
5F:→ rm031023:I didn't pay attention to the naming, it really is weird, I'll change it XD, 01/09 23:10
6F:→ rm031023:if I echo input and select, they do get echoed out 01/09 23:13
7F:→ rm031023:but the contents of the column in the database can't be fetched 01/10 03:14
8F:→ buganini:$arrdata[$x]['$select'] 01/10 03:51
9F:→ buganini:also, the way you wrote this has a sql_injection problem 01/10 03:57
10F:→ kerash:echo $sql and paste that statement into phpadmin's SQL tab and run it 01/10 09:11
11F:→ rm031023:Is the line $arrdata[$x]['$select'] written wrong? 01/10 10:19
12F:→ rm031023:Does sql_injection mean the database will be attacked? Then how should I write it? 01/10 10:20
13F:→ rm031023:When I run it in phpadmin's SQL tab I get results, so the SQL syntax is correct 01/10 10:21
14F:→ rm031023:I got it working, $arrdata[$x][$select] like this works, 01/10 11:34
15F:→ rm031023:Thank you all for the help, much appreciated >< 01/10 11:35
16F:→ kerash:Generally, for a form that lets users enter data, the contents are filtered first 01/10 12:38
17F:→ kerash:that is, after extracting them, use various filters to strip out suspicious content 01/10 12:38
18F:→ kerash:yours is just $select = $_POST["select"], so if the content includes some 01/10 12:39
19F:→ kerash:database syntax, it could cause a lot of errors 01/10 12:39
20F:→ rm031023:I don't quite understand, filter the contents out with a filter? 01/11 09:54
21F:→ kerash:something like using preg_replace to handle special characters such as <,&,%,@,' .. etc. 01/11 12:06
22F:→ kerash:or, more simply, just use htmlspecialchar, htmlentities 01/11 12:07
23F:→ kerash:how much and what to filter is up to you 01/11 12:07
24F:→ chenstin:Line 87 of the post, $input="" || $select="", looks like it is missing a "!" 01/12 01:06
25F:→ rm031023:Mm, so it means make the fields cleaner, thank you, I'll give it a try! 01/12 09:51
26F:→ rm031023:I really did miss it! Thanks 01/12 09:53
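The SQL injection buganini and kerash point at comes from pasting the $_POST values straight into the query text, and the column name in capacity.`$select` is an identifier, which no amount of escaping of quote characters protects. Below is an added example, not the original poster's code and not from the thread, of the same search rewritten so that the four values are bound as parameters, the column name is accepted only if it is one of the form's own option values, and the limit is checked as a number. It assumes PHP 7+ with the mysqli extension (mysqlnd) and the table and column names from the query in the post; the mysql_* functions used in the post no longer exist in PHP 7.

```php
<?php
// Added example, not the original poster's code: the same search with the
// user-supplied values bound as parameters and the column name checked
// against an allow-list. Assumes PHP 7+ with mysqli (mysqlnd) and the same
// table/column names as the query in the post.

$host     = "localhost";
$user     = "root";
$pass     = "0000";
$database = "drilled shaft database";

// The "capacity method" <select> decides which capacity column is compared.
// A column name cannot be a bound parameter, so it is accepted only if it is
// one of the form's own <option> values. With the original string-built
// query a value such as   L1` < 0 OR 1=1 --   (trailing space included)
// turns the WHERE clause into a tautology and dumps the whole join.
$allowedMethods = [
    "L1", "0.2%B", "0.25%B", "0.3%B", "0.4%B", "0.5in", "L2", "4%B", "STC",
    "Fuller and Hoy", "Terzaghi and Peck", "DeBeer", "van der Veen", "Chin",
];

function readPost(string $key): string
{
    return isset($_POST[$key]) ? trim((string) $_POST[$key]) : "";
}

$piletype    = readPost("piletype");
$LoadingType = readPost("LoadingType");
$soiltype    = readPost("soiltype");
$method      = readPost("select");
$limit       = readPost("input");

// Every field is required (the post's condition used || and = by mistake).
if ($piletype === "" || $LoadingType === "" || $soiltype === ""
    || $method === "" || $limit === "") {
    exit("Please fill in every field.");
}
if (!in_array($method, $allowedMethods, true)) {
    exit("Unknown capacity method.");      // never reaches the SQL text
}
if (!is_numeric($limit)) {
    exit("Capacity must be a number.");    // compared as a number, not a string
}
$limitValue = (float) $limit;              // bind_param needs a variable

$db = new mysqli($host, $user, $pass, $database);
if ($db->connect_error) {
    exit("Connection failed: " . $db->connect_error);
}

// Quote the (already allow-listed) identifier; doubling any backtick means
// even a listed name containing one could not break out of the quotes.
$column = "`" . str_replace("`", "``", $method) . "`";

$sql = "SELECT *
        FROM shaft
        INNER JOIN site ON site.idSite = shaft.site_idSite
        INNER JOIN soil ON site.idSite = soil.site_idSite
        INNER JOIN soil_has_shaft ON soil.idSoil = soil_has_shaft.soil_idSoil
                                 AND shaft.idShaft = soil_has_shaft.shaft_idShaft
        INNER JOIN desparameter ON shaft.idShaft = desparameter.shaft_idShaft
        INNER JOIN capacity ON capacity.shaft_idShaft = shaft.idShaft
        WHERE shaft.`piletype` = ? AND shaft.`LoadingType` = ?
          AND soil.`soiltype` = ? AND capacity.$column < ?
        ORDER BY shaft.`Depth, D (m)` ASC";

$stmt = $db->prepare($sql) or exit("Prepare failed: " . $db->error);
// The values travel separately from the SQL text, so quotes or comment
// markers inside them are just data, never syntax.
$stmt->bind_param("sssd", $piletype, $LoadingType, $soiltype, $limitValue);
$stmt->execute();
$result = $stmt->get_result();

$columns = ["Depth, D (m)", "Dia, B (m)", "Friction Angle-TC", "Su(CIUC)",
            "alpha(CIUC)", "Measured Beta", "k/ko", $method];

// htmlspecialchars belongs here, on the way out to the browser (the page is
// served as big5); it does nothing for the SQL side.
echo "Query results:<br>\n<table border=1>\n<tr>";
foreach ($columns as $name) {
    echo "<td>" . htmlspecialchars($name, ENT_QUOTES, "BIG5") . "</td>";
}
echo "</tr>\n";
while ($row = $result->fetch_assoc()) {
    echo "<tr>";
    foreach ($columns as $name) {
        $value = htmlspecialchars((string) ($row[$name] ?? ""), ENT_QUOTES, "BIG5");
        echo "<td><div align=right>" . $value . "</div></td>";
    }
    echo "</tr>\n";
}
echo "</table>\n";

$stmt->close();
$db->close();
```

The split matters: bound parameters cover the three string values and the numeric limit, but the column name has to be validated against a fixed list because identifiers are part of the statement structure and cannot be sent as data. If the form ever gains a new capacity method, it is added to $allowedMethods; anything else posted to "select" is rejected before the query text is built.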