「已注销」 2015-11-24 17:09
浏览 37

无法回显查询结果 - 查询显然是正确的? 非常简单的PHP

So I am attempting to create an HTML drop-down list. The list is fine--and it shows all of my desired options from a MySQL query of it's own; however my next step was to set the default value (which is the current landlord) for the tenant.

Now, I am able to successfully, but only with the landlords key (which is in a separate table). I have a second query that looks up the landlord's name based on the key, and I cannot even get it to echo out a response. I must assume the query is bad--but after looking at the same lines of code the entire morning, I believe I can confidently say it is not. I am hoping a second set of eyes will see something I do not.

Getting the current landlord for the tenant:

$sql = mysql_query("SELECT data_txt FROM field_data WHERE itemid = $uid AND fieldid = 16");
$row = mysql_fetch_array($sql);
$ll1 = $row[0];
$sql = mysql_query("SELECT info FROM landlords WHERE key = $ll1 LIMIT 1");
$row = mysql_fetch_array($sql);
$ll1_name = $row[0]

Setting the default value in the Dropdown-list:

I don't believe the problem lies here, since I cannot do anything as simple as echo the variable $ll1_name; but I feel it's worth including.

<td>

<?php echo "$ll1"; ?><br>

<?php echo "$ll1_name"; ?><br>

<select name=ll1>

<option value="<?php echo "$ll1"; ?>"> <?php echo "$ll1_name"; ?></option>
<?php
while ($curLandlord = mysql_fetch_array($landlordRows)){
?>
<option value="<?php echo "$curLandlord[0]"; ?>"> <?php echo "$curLandlord[1]"; ?></option>

<?php
}
?>


</select>
</td>

Also, I am well aware that this library is depreciated and my fields are not sanitized, etc. I am just making this as simple as possible, and then implementing that after I have a working model. The fewer variables, the better.

The following is an example of the table data:

Landlords

key, info, id (auto increment)

-*key*: ll1_07
-*info*: John Doe
-*id*: 77

field_data id, fieldid, data_txt, itemid

-*id*: 1234 (auto increment)
-*fieldid*: 18 (each fieldid corresponds to a field name in another table.  18 is landlord)
-*data_txt*: ll1_77
-*itemid*: 33 (tenants unique ID)
  • 写回答

2条回答 默认 最新

  • double820122 2015-11-24 17:16
    关注

    No, it's not "correct". You have an sql injection vulnerability. Just because your $ll1 value came out of the DB doesn't mean it's safe to REUSE in another query. You're doing the equivalent of

    SELECT info FROM landlords WHERE key = foo LIMIT 1
                                       ^^^---unknown/illegal field name

    instead of

    SELECT info FROM landlords WHERE key = 'foo' LIMIT 1
                                       ^^^^^--string literal

    If you had even BASIC error handling on your query calls, you'd have been informed of this:

    $sql = mysql_query("SELECT [..snip..]") or die(mysql_error());
                                       ^^^^^^^^^^^^^^^^^^^^^^

    Never EVER assume success on a query. Even if the sql is 100% syntactically correct, there's a near infinite number of reasons for it to STILL fail (biggest one: missing foreign key).

    评论

报告相同问题?

悬赏问题

  • ¥15 HFSS 中的 H 场图与 MATLAB 中绘制的 B1 场 部分对应不上
  • ¥15 如何在scanpy上做差异基因和通路富集?
  • ¥20 关于#硬件工程#的问题,请各位专家解答!
  • ¥15 关于#matlab#的问题:期望的系统闭环传递函数为G(s)=wn^2/s^2+2¢wn+wn^2阻尼系数¢=0.707,使系统具有较小的超调量
  • ¥15 FLUENT如何实现在堆积颗粒的上表面加载高斯热源
  • ¥30 截图中的mathematics程序转换成matlab
  • ¥15 动力学代码报错,维度不匹配
  • ¥15 Power query添加列问题
  • ¥50 Kubernetes&Fission&Eleasticsearch
  • ¥15 報錯:Person is not mapped,如何解決?