2012-12-07 100 views
1

我有2個PHP頁面:editpost.php只是生成一個表單來編輯用戶評論。 addcomment.php,在這種情況下應該更新該帖子的mysql。它只是測試以查看是否設置了$ _GET ['edit']和適當的變量。由於某種原因,它永遠不會是真的。我在safari中查看editpost.php的「查看源代碼」,看起來很好。

editpost.php:

<?php 
require_once('checklogin.php'); 
//require_once('text_encode.php'); 
//die("Made it past require once"); 
if(isset($_SESSION['user'])&&isset($_GET['id'])) 
{ 
    //die("made it past if statement"); 
    $con = mysql_connect('localhost','REDACTED','REDACTED'); 
    mysql_select_db('dancks_db',$con); 
    $q = mysql_query(sprintf("SELECT userID FROM UserTable WHERE nick='%s'",$_SESSION['user']),$con) or die(mysql_error()); 
    if(mysql_num_rows($q)!=1) 
    { 
     //die("1"); 
     redir(); 
    } 
    else 
    { 
     $match = array(); $match2=array(); 
     preg_match("/[0-9]{1,5}/",$_GET['id'],$match); 
     //preg_match("/[0-1]{1,1}/",$GET['type'],$match2); 
     if(implode($match)!=$_GET['id']) 
     { 
      die("2"); 
      redir(); 
     } 
     //if($_GET['id']==0) 
     else 
     { 
      $q2 = mysql_query(sprintf("SELECT * FROM Comments WHERE CommentID='%s'",$_GET['id']),$con) or die(mysql_query()); 
      if(mysql_num_rows($q2)==1) 
      { 
       $vars = mysql_fetch_assoc($q2); 
       echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"> 
       <html xmlns=\"http://www.w3.org/1999/xhtml\"> 
       <head> 
       <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" /> 
       <title>Edit Post</title> 
       </head> 
       <body>"; 
       echo "<form method=\"post\" action=\"addcomment.php?type=1,edit=1\"> 
       <p>Rating:"; 
     //die("rating: ".$q2['rating']); 
     for($i=1;$i<6;$i++) 
     { 
      echo "<label>".$i."</label><input type=\"radio\" name=\"rating\" value=\"".$i."\" ";if($vars['rating']==$i){echo "checked=\"checked\"";}echo " id=\"star".$i."\" />\n"; 
     } 
     echo"</p> 
       <p>Title:<input type=\"text\" name=\"title\" value=\"".$vars['title']."\" /></p> 
       <p>Comment:<textarea rows=\"5\" cols=\"80\" name=\"review\" >".$vars['review']."</textarea></p> 
       <input type=\"hidden\" name=\"commentid\" value=\"".$_GET['id']."\" /> 
       <input type=\"hidden\" name=\"subject\" value=\"".$vars['subject']."\" /> 
       <input type=\"submit\" value=\"submit review\" /> 
       </form> 
       </body> 
       </html>"; 
      } 
      else 
      { 
       die("No comment found: get: ".$_GET['id']); 
      } 
     } 
     mysql_free_result($q); 
    } 
} 
else 
{ 
    die("3"); 
    redir(); 
} 
?> 

addcomment.php:

<?php require_once('checklogin.php'); 
//die("type=".$_GET['type']." rating=".$_POST['rating']); 
require_once('text_encode.php'); 
require_once('validate.php'); 
if(safe_isset($_GET['type'])&&safe_isset($_SESSION['user'])) 
{ 
    if((safe_isset($_POST['rating']))&&(safe_isset($_POST['title']))&&(safe_isset($_POST['review']))&&($_GET['type']==1)) 
    { 
     $match = array(); $match2 = array(); 
     preg_match("/[0-5]{1,1}/",$_POST['rating'],$match); 
     preg_match("/[0-1]{1,1}/",$_GET['type'],$match2); 
     if((implode($match)!=$_POST['rating'])&&(implode($match2)!=$_GET['type'])) 
     { 
      die("type=".$_GET['type']." implode=".implode($match)." rating=".$_POST['rating']." implode=".implode($match2)); 
      //die("Invalid input for rating or type"); 
      redir(); 
     } 
     else if($_POST['rating']=="" || $_GET['type']=="") 
     { 
      die("Rating or type reads empty string"); 
      redir(); 
     } 
     else if(safe_isset($_GET['edit'])) 
     { 
      $con = mysql_connect('localhost','REDACTED','REDACTED'); 
      mysql_select_db('dancks_db',$con); 
      $query=sprintf("UPDATE Comments SET rating='%s', title='%s', review='%s' WHERE CommentID='%s'", 
      mysql_real_escape_string($_POST['rating']), 
      mysql_real_escape_string($_POST['title']), 
      mysql_real_escape_string($_POST['review']), 
      mysql_real_escape_string($_POST['commentid'])); 
      $r = mysql_query($query,$con) or die(mysql_error()); 
      mysql_close($con); 
      die("Successful edit"); 
      header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject'])); 
     } 
     else 
     { 
      if(contains($_SERVER['HTTP_REFERER'],"editpost.php")) 
      { 
       die("Wrong spot"); 
      } 
      $con = mysql_connect('localhost','REDACTED','REDACTED'); 
      mysql_select_db('dancks_db',$con); 
      $query=sprintf("INSERT INTO Comments(nick,type,subject,rating,title,review) VALUES ('%s','%s','%s','%s','%s','%s')", 
      mysql_real_escape_string($_SESSION['user']), 
      mysql_real_escape_string($_GET['type']), 
      mysql_real_escape_string($_POST['subject']), 
      mysql_real_escape_string($_POST['rating']), 
      mysql_real_escape_string($_POST['title']), 
      mysql_real_escape_string($_POST['review'])); 
      $r = mysql_query($query,$con) or die(mysql_error()); 
      mysql_close($con); 
      //die("successful insert"); 
      header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject'])); 
     } 
    } 
    else 
    { 
     die("rating, title or review isnt set"); 
     redir(); 
    } 
} 
else 
{ 
    die("type isnt set or user isnt logged in"); 
    redir(); 
} 
?> 

相關的額外代碼:

function contains($text,$match) 
{ 
    return (preg_match("/".$match."/",$text)==1); 
} 
function safe_isset($text) 
{ 
    $good = false; 
    if(isset($text)) 
    { 
     if(strlen($text)>0) 
     { 
      $good = true; 
     } 
    } 
    return $good; 
} 

這可能是一件很容易的,我只是忽視。我很抱歉如果是這樣的話。我現在正在懷疑,所以我很容易錯過任何事情。或者,如果我應該簡單地重寫或重組這個想法,這是值得歡迎的。

+1

我編輯了您的網址和數據庫連接的詳細信息。請小心揭露這些東西 - 看起來您已經採取措施,至少可以防止SQL注入,但您不需要獲取您的數據庫證書的機器人。 –

+2

您會驚訝於人們發佈SQL注入漏洞的時間與他們的生產URL一致。 –

+0

@Michael Berkowski OMG謝謝。我通常和那些東西有關。大聲笑 –

回答

4

你說得對,它很簡單。你需要的&代替,

echo "<form method=\"post\" action=\"addcomment.php?type=1,edit=1\"> 
<p>Rating:"; 
// Should be: 
echo "<form method=\"post\" action=\"addcomment.php?type=1&edit=1\"> 
<p>Rating:"; 
// -----------------------------------------------------^^^^ 

你有它的方式,edit過去了,但它作爲type價值的部分已經結束了,所以PHP看到

$_POST['type'] == '1,edit=1' 

我還要注意,稍後您正在尋找$_GET['id'],但您已在查詢字符串中定義了ID。數組鍵是區分大小寫的,所以一定要使用正確的大小寫。

header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject'])); 
//---------------------------------------------------------------------^^^^ upper case here.... 
// Access as $_GET['ID'], not $_GET['id'] 
1
"<form method=\"post\" action=\"addcomment.php?type=1,edit=1\"> 
       <p>Rating:"; 

USE & 

"<form method=\"post\" action=\"addcomment.php?type=1&edit=1\"> 
       <p>Rating:"; 
2
echo "<form method=\"post\" action=\"addcomment.php?type=1,edit=1\"> 

應該

echo "<form method=\"post\" action=\"addcomment.php?type=1&edit=1\">