du21064 2017-03-29 02:40
浏览 45
已采纳

PHP代码无法识别某些值

EDIT: Thank you all for the very quick answers! I have been at this for a while, trying to figure out why $id was being recognized and why the strings weren't. I feel a bit silly now seeing the obvious answer but I'm relieved to have it working.

I apologize if this has been answered before, I've looked for hours and could not find something similar to help me figure this out.

I am trying to update a row in my database of devices with new information. Problem is, the php file only recognizes $data->devID; and nothing else.

If I have something like $sql = "UPDATE devices SET devName = 'static test string', description = 'static test string' WHERE devID = $id"; the entry with the correct ID will update in my database table just fine.

If I try $sql = "UPDATE devices SET devName = $name, description = $desc WHERE devID = $id"; it does not work.

Where am I going wrong?

HTML:

<div data-ng-repeat="info in deviceInfo">
    <form class="deviceInfo">
        <h2>Device ID: {{info.devID}}</h2>
        <p>Device Name:</p>
        <input type="text" data-ng-model="info.devName">
        <p>Device Description:</p>
        <textarea data-ng-model="info.description"></textarea>
        <p>Device Available: {{info.isAvailable}}</p>
        <input type="submit" name="Update" value="Update" data-ng-click="updateInfo(info.devID, info.devName, info.description)">
    </form>
</div>

updateDeviceInfo.php:

<?php

$data = json_decode(file_get_contents("php://input"));

include('config.php');

$id = $data->devID; 
$name = $data->devName;
$desc = $data->description;

$sql = "UPDATE devices SET devName = $name, description = $desc WHERE devID = $id";

$qry = $conn->query($sql);

$data = $qry;

$sql = "SELECT * FROM devices";

$qry = $conn->query($sql);

$data = array();

if($qry->num_rows > 0){
    while($row = $qry->fetch_object()){
        $data[] = $row;
    }
}else {
    $data[] = null;
}

$conn->close();

echo json_encode($data);

controller.js:

$scope.updateInfo = function($paramID, $paramName, $paramDesc){

    console.log($paramID);
    console.log($paramName);
    console.log($paramDesc);

    $scope.dataOneTest = {
            devID: $paramID,
            devName: $paramName,
            description: $paramDesc

        };

    console.log($scope.dataOneTest.devID);

    $http.post('./js/updateDeviceInfo.php', {'devID': $paramID, 'devName': $paramName, 'description': $paramDesc})
        .success(function(data){
            $scope.results = data;
        })
        .error(function(err){
            $log.error(err);
        })
}
  • 写回答

3条回答 默认 最新

  • dongluo3331 2017-03-29 02:49
    关注

    tl;dr You are almost certainly performing SQL injection on yourself both by inserting variables directly into a query and by failing to use proper quotation marks around them.

    You need to use prepared statements, rather than concatenating variables directly into your query. If, for example, $data->devName contained something nefarious like NULL --, that would toast your entire table. And that's a very mild example of how badly things could go. Prepared statements would render that example (and pretty much all other examples) harmless.

    Short-Term Fix

    As a short-term fix, put quotation marks in the query and escape your data, like this:

    $id = your_database_escape_function($data->devID); 
$name = your_database_escape_function($data->devName);
$desc = your_database_escape_function($data->description);

$sql = "UPDATE devices SET devName = '$name', description = '$desc' WHERE devID = $id";

    substituting your database's corresponding escaping function for your_database_escape_function(). For example, use $conn->real_escape_string() if $conn is a MySQLi object. See the manual.

    The Real Fix

    Here's how you really do it correctly, and the solution you should implement ASAP. That is, do this before you go any further if at all possible. Use prepared statements.

    Read this entire Q&A and this cheat sheet from OWASP (no affiliation) for more information.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 关于#python#的问题:求帮写python代码
  • ¥20 MATLAB画图图形出现上下震荡的线条
  • ¥15 LiBeAs的带隙等于0.997eV,计算阴离子的N和P
  • ¥15 关于#windows#的问题:怎么用WIN 11系统的电脑 克隆WIN NT3.51-4.0系统的硬盘
  • ¥15 来真人,不要ai!matlab有关常微分方程的问题求解决,
  • ¥15 perl MISA分析p3_in脚本出错
  • ¥15 k8s部署jupyterlab,jupyterlab保存不了文件
  • ¥15 ubuntu虚拟机打包apk错误
  • ¥199 rust编程架构设计的方案 有偿
  • ¥15 回答4f系统的像差计算