有人能帮助我理解为什么这个MySQL更新代码不能使用php 5吗?

时间:2021-11-07 23:07:24

Here is the code. It seems to be having an issue in PHP 5. It works well in PHP 4.4.9.

这是代码。它似乎在PHP 5中有问题。它在PHP 4.4.9中运行良好。

if($_REQUEST['action']== "Update"){ 

    $curDate = date("Y-m-d");
    $image =$_FILES['vImage']["name"];
    $uploadedfile = $_FILES['vImage']['tmp_name'];


$sql="UPDATE businessad 
        SET iBUserID= '$_REQUEST[iBUserID]', 
            iCategoryID= '$_REQUEST[iBCategoryID]', 
            vAdTitle= '$_REQUEST[vAdTitle]', 
            tAdText= '$_REQUEST[tAdText]',
            vAdImage= '$vAdImage', 
            vAdURL= '$_REQUEST[vAdURL]', 
            dStartDate= '$_REQUEST[dStartDate]',
            dEndDate= '$_REQUEST[dEndDate]', 
            vAddress1= '$_REQUEST[vAddress1]', 
            vAddress2= '$_REQUEST[vAddress2]',
            vCity= '$_REQUEST[vCity]',
            vState= '$_REQUEST[vState]', 
            vZipCode= '$_REQUEST[vZipCode]', 
            vPhone= '$_REQUEST[vPhone]', 
            vEmail= '$_REQUEST[vEmail]', 
            eStatus='$_REQUEST[eStatus]' 

        WHERE iBusAdID='".$_REQUEST['iBusAdID']."'";

$db_sql=$obj->sql_query($sql);

if($db_sql)
{   
    $msg=MSG_UPDATE;
    header("Location:businessadview.php?var_msg=$msg");
    exit;
}
else
{
    $msg=MSG_UPDATE_ERROR;
    header("Location:businessadview.php?var_msg=$msg");
    exit;

That code doesn't update to the MySQL table, and I'm not sure why.

该代码不会更新到MySQL表,我也不知道为什么。

What precedes the above code is a form that looks like this

上面的代码是这样的一个表单!

<form name="frmadd" method="post" action="businessadadd_a.php" enctype="multipart/form-data">
<input type="hidden" name="action" value="<?=$action;?>">
<input type="hidden" name="iBusAdID" value=<?=$iBusAdID;?>>

I check my server error logs and found out this. It mentions some errors in the globals.php, which is a part of the include call up. I'll include the include code too.

我检查了我的服务器错误日志,发现了这个。它提到了全局中的一些错误。php是include调用的一部分。我还将包括包含代码。

Here is the include code

这里是包含代码。

<?php

@session_start();

@ob_start();

include_once("./lib/db_config.php");

include_once("./lib/myclass.php");

include_once("./lib/globals.php");

    if(!isset($obj)){

    $obj = new myclass($SERVER,$DBASE,$USERNAME,$PASSWORD);

     }

include_once("./lib/generalsettings.php");

include_once("./function/general.php");

include_once("./lib/messages.php");

getGeneralVar();

?>

Here is the globals.php code that the server error logs have an issue with

这是全局变量。服务器错误日志的php代码有一个问题。

  <?php

     $glob=array("SERVER");

if(isset($GPC_vars))
{ foreach($GPC_vars as $var)
   { foreach(array("GET","POST","COOKIE") as $avar)
       if(isset($GLOBALS["HTTP_".$avar."_VARS"][$var]))
         { $$var=$GLOBALS["HTTP_".$avar."_VARS"][$var];
         }
   }               
}
else
{ $glob=array_merge(array("GET","POST","COOKIE"),$glob);
}

foreach($glob as $avar)
{ $arr=$GLOBALS["HTTP_".$avar."_VARS"];
  foreach($arr as $var => $res)
       $$var=$res;
}

foreach ($HTTP_POST_FILES as $name => $value) {
    $$name = $value["tmp_name"];
    foreach($value as $k=>$v) {
        $varname_ = $name."_".$k;
        $$varname_ = $v;
    }
}
reset($HTTP_POST_FILES);
?>

Here is what the error logs say

这里是错误日志说的。

[Mon Mar 14 13:08:55 2011] [error] [client -] File does not exist: /public_html/favicon.ico

[错误][客户-]文件不存在:/public_html/favicon.ico。

[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: reset() [function.reset]: Passed variable is not an array or object in /public_html/lib/globals.php on line 30, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update

[错误][客户端-]PHP警告:reset()[功能。:传递变量不是一个数组或对象在/public_html/lib/全局变量中。在第30行,referer: xxx.com/admin/businessadad .php? ibusadid= 4& action更新。

[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: Invalid argument supplied for foreach() in .../public_html/lib/globals.php on line 23, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update

[客户端-]PHP警告:在…/public_html/lib/globals中提供foreach()的无效参数。第23行上的php, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update。

[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: Invalid argument supplied for foreach() in .../public_html/lib/globals.php on line 19, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update

[客户端-]PHP警告:在…/public_html/lib/globals中提供foreach()的无效参数。第19行上的php, referer: xxx.com/admin/businessadadd.php? ibusadid= 4& action更新。

[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: Invalid argument supplied for foreach() in .../public_html/lib/globals.php on line 19, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update

[客户端-]PHP警告:在…/public_html/lib/globals中提供foreach()的无效参数。第19行上的php, referer: xxx.com/admin/businessadadd.php? ibusadid= 4& action更新。

[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: Invalid argument supplied for foreach() in .../public_html/lib/globals.php on line 19, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update

[客户端-]PHP警告:在…/public_html/lib/globals中提供foreach()的无效参数。第19行上的php, referer: xxx.com/admin/businessadadd.php? ibusadid= 4& action更新。

[Mon Mar 14 13:08:54 2011] [error] [client -] PHP Warning: Invalid argument supplied for foreach() in .../public_html/lib/globals.php on line 19, referer: xxx.com/admin/businessadadd.php?iBusAdID=4&action=Update

[客户端-]PHP警告:在…/public_html/lib/globals中提供foreach()的无效参数。第19行上的php, referer: xxx.com/admin/businessadadd.php? ibusadid= 4& action更新。

4 个解决方案

#1


0  

You might try to use the concatenation you are doing at the end within the query. It might be look at the $_REQUEST['SOMETHING'] as a string.

您可能会尝试使用在查询中结束时所做的连接。可以将$_REQUEST['SOMETHING']看作字符串。

$sql = "UPDATE businessad 
           SET iBUserID = '".$_REQUEST['iBUserID']."',
               iCategoryID = '".$_REQUEST['iBCategoryID']."',    
               vAdTitle = '".$_REQUEST['vAdTitle']."', 
               tAdText = '".$_REQUEST['tAdText']."',
               vAdImage = '$vAdImage', 
               vAdURL = '".$_REQUEST['vAdURL']."', 
               dStartDate = '".$_REQUEST['dStartDate']."',
               dEndDate = '".$_REQUEST['dEndDate']."', 
               vAddress1 = '".$_REQUEST['vAddress1']."', 
               vAddress2 = '".$_REQUEST['vAddress2']."',
               vCity = '".$_REQUEST['vCity']."',
               vState = '".$_REQUEST['vState']."', 
               vZipCode = '".$_REQUEST['vZipCode']."', 
               vPhone = '".$_REQUEST['vPhone']."', 
               vEmail= '".$_REQUEST['vEmail']."', 
               eStatus = '".$_REQUEST['eStatus']."'    
         WHERE iBusAdID = '".$_REQUEST['iBusAdID']."'";

#2


2  

Because it's just a string. Do you execute the query? If so, what does mysql_error tell you?

因为它只是一个字符串。您执行查询吗?如果是这样,mysql_error告诉您什么?

And please, pretty please, Google for SQL injection. This code is very vulnerable.

请,很高兴,谷歌的SQL注入。这段代码非常脆弱。

#3


2  

The reason its failing is explained by your statement:

你的陈述解释了它失败的原因:

and I'm not sure why

我不知道为什么。

1) you've cited a fragment of the code used to generate the query - but we need to see the query which gets sent to the database and the structure of the table

1)您引用了用于生成查询的代码片段,但我们需要查看发送到数据库的查询和表的结构。

2) we also need to see the error message that is returned after the query fails.

2)我们还需要看到查询失败后返回的错误消息。

3) since you are using $_REQUEST, we also need to see your variables_order setting for both PHP installations to determine how $_REQUEST is populated

3)既然您使用$_REQUEST,我们还需要查看两个PHP安装的variables_order设置,以确定如何填充$_REQUEST。

I expect once you find the answers to these the solution will be obvious. But it's also worth noting that splicing user supplied data into an SQL query is a very bad idea - you're wide open to SQL injection attacks.

我希望一旦你找到这些答案,答案将是显而易见的。但是值得注意的是,将用户提供的数据插入到SQL查询中是一个非常糟糕的想法——您完全可以接受SQL注入攻击。

#4


0  

When you say your code works in PHP4 but stops working in PHP5, then it's easy to assume this is due to lack of magic_quotes. This feature has been disabled in the default configurations of PHP5. And your SQL query now became invalid due to lack of escaping.

当您说您的代码在PHP4中工作但在PHP5中停止工作时,很容易假定这是由于缺少magic_quotes。这个特性在PHP5的默认配置中已被禁用。您的SQL查询由于缺少转义而变得无效。

At the start of your script (but after the mysql_connect) add following:

在脚本开始时(但在mysql_connect之后)添加以下内容:

$_REQUEST = array_map("mysql_real_escape_string", $_REQUEST);

It's workaround-ish, but at least safe if it is always executed right after the database connection. Do the same for $_GET and $_POST if you must. (The correct approach would be to migrate to PDO and parameterized SQL, or at least apply the mysql_real_escape_string function wherever you concatenate SQL queries.)

它是工作的,但至少是安全的,如果它总是在数据库连接之后执行。如果必须的话,也可以使用$_GET和$_POST。(正确的方法是迁移到PDO和参数化SQL,或者至少在连接SQL查询的地方应用mysql_real_escape_string函数。)

#1


0  

You might try to use the concatenation you are doing at the end within the query. It might be look at the $_REQUEST['SOMETHING'] as a string.

您可能会尝试使用在查询中结束时所做的连接。可以将$_REQUEST['SOMETHING']看作字符串。

$sql = "UPDATE businessad 
           SET iBUserID = '".$_REQUEST['iBUserID']."',
               iCategoryID = '".$_REQUEST['iBCategoryID']."',    
               vAdTitle = '".$_REQUEST['vAdTitle']."', 
               tAdText = '".$_REQUEST['tAdText']."',
               vAdImage = '$vAdImage', 
               vAdURL = '".$_REQUEST['vAdURL']."', 
               dStartDate = '".$_REQUEST['dStartDate']."',
               dEndDate = '".$_REQUEST['dEndDate']."', 
               vAddress1 = '".$_REQUEST['vAddress1']."', 
               vAddress2 = '".$_REQUEST['vAddress2']."',
               vCity = '".$_REQUEST['vCity']."',
               vState = '".$_REQUEST['vState']."', 
               vZipCode = '".$_REQUEST['vZipCode']."', 
               vPhone = '".$_REQUEST['vPhone']."', 
               vEmail= '".$_REQUEST['vEmail']."', 
               eStatus = '".$_REQUEST['eStatus']."'    
         WHERE iBusAdID = '".$_REQUEST['iBusAdID']."'";

#2


2  

Because it's just a string. Do you execute the query? If so, what does mysql_error tell you?

因为它只是一个字符串。您执行查询吗?如果是这样,mysql_error告诉您什么?

And please, pretty please, Google for SQL injection. This code is very vulnerable.

请,很高兴,谷歌的SQL注入。这段代码非常脆弱。

#3


2  

The reason its failing is explained by your statement:

你的陈述解释了它失败的原因:

and I'm not sure why

我不知道为什么。

1) you've cited a fragment of the code used to generate the query - but we need to see the query which gets sent to the database and the structure of the table

1)您引用了用于生成查询的代码片段,但我们需要查看发送到数据库的查询和表的结构。

2) we also need to see the error message that is returned after the query fails.

2)我们还需要看到查询失败后返回的错误消息。

3) since you are using $_REQUEST, we also need to see your variables_order setting for both PHP installations to determine how $_REQUEST is populated

3)既然您使用$_REQUEST,我们还需要查看两个PHP安装的variables_order设置,以确定如何填充$_REQUEST。

I expect once you find the answers to these the solution will be obvious. But it's also worth noting that splicing user supplied data into an SQL query is a very bad idea - you're wide open to SQL injection attacks.

我希望一旦你找到这些答案,答案将是显而易见的。但是值得注意的是,将用户提供的数据插入到SQL查询中是一个非常糟糕的想法——您完全可以接受SQL注入攻击。

#4


0  

When you say your code works in PHP4 but stops working in PHP5, then it's easy to assume this is due to lack of magic_quotes. This feature has been disabled in the default configurations of PHP5. And your SQL query now became invalid due to lack of escaping.

当您说您的代码在PHP4中工作但在PHP5中停止工作时,很容易假定这是由于缺少magic_quotes。这个特性在PHP5的默认配置中已被禁用。您的SQL查询由于缺少转义而变得无效。

At the start of your script (but after the mysql_connect) add following:

在脚本开始时(但在mysql_connect之后)添加以下内容:

$_REQUEST = array_map("mysql_real_escape_string", $_REQUEST);

It's workaround-ish, but at least safe if it is always executed right after the database connection. Do the same for $_GET and $_POST if you must. (The correct approach would be to migrate to PDO and parameterized SQL, or at least apply the mysql_real_escape_string function wherever you concatenate SQL queries.)

它是工作的,但至少是安全的,如果它总是在数据库连接之后执行。如果必须的话,也可以使用$_GET和$_POST。(正确的方法是迁移到PDO和参数化SQL,或者至少在连接SQL查询的地方应用mysql_real_escape_string函数。)