PHP 왜 게시 후 변동 손실이 발생합니까?

Question

변수에 문제가 있습니다.

바로 내가 지금처럼 'GET'값을 저장하는 변수 설정 페이지가로드 같이 좋은

$currentItemID = htmlspecialchars($_GET["id"]); 

그게 전부.

다음 사용자가 값을 업데이트 할 수 있도록 $ currentItemID 값을 양식에로드합니다.

여전히 양호합니다.

하지만 사용자가 양식을 제출하면 바로 $ currentItemID 값이 손실됩니다.

이것은 ID = $ currentItemID 인 데이터베이스를 업데이트하려고 시도 할 때 ID가 손실되어 업데이트 할 항목을 알 수 없다는 것을 의미합니다. 심지어 낯선 사람은 SQL이 실제로 ID 값으로 실행된다는 사실입니다.

코드의 삭감 버전은 다음과 같습니다

<?php 
//set current item ID 
$currentItemID = htmlspecialchars($_GET["id"]); 
echo"at start = $currentItemID"; 

// Setup defaults. 
$error = 0; //input errors 
$up_error = 0; //title and description error counter - used to only show error message once. 
$clean = array(); 
$clean_name = ""; 
$clean_description = ""; 
$clean_price = ""; 
$clean_pic = ""; 
$clean_status = ""; 
$clean_quantity = ""; 

//if all input is valid then... 
if (isset($_POST['add'])) 
{ 
echo"inside post = $currentItemID"; 
    //clear error message 
    $errmsg = ''; 

    // validate 'name': must consist of alphanumeric characters only. 
    $_POST['name'] = isset($_POST['name']) ? $_POST['name'] : ''; 
    if(preg_match('/^[a-z\d\w\s+,._-]{1,20}$/i',$_POST['name'])) 
     {$clean_name = $_POST['name'];} 
    else 
     {$error++;$errmsg .= 'Invalid name. ';} 

    //validate 'description': must consist of alphabet characters, numbers white space character or , . _ and - 
    $_POST['description'] = isset($_POST['description']) ? $_POST['description'] : ''; 
    //thought i'ld add another ten characters to allow a bit more text. 
    if(preg_match('/^[a-z\d\w\s,.]{1,90}$/i',$_POST['description'])) 
     {$clean_description = $_POST['description'];} 
    else{$error++; $errmsg .= 'Invalid description. ';} 

    // validate 'price': must be number - with or without 2 decimal places. 
    $_POST['price'] = isset($_POST['price']) ? $_POST['price'] : ''; 
    if(preg_match('/^\d+(\.\d{2})?$/',$_POST['price'])) 
     {$clean_price = $_POST['price'];} 
    else 
     {$error++; $errmsg .= 'Invalid price. ';} 

    // validate 'pic': must consist of alphanumeric characters only. 
    //$_POST['pic'] = isset($_POST['pic']) ? $_POST['pic'] : ''; 
    //if(preg_match('/\.(jpg|gif|jpeg)$/i',$_POST['pic'])) 
     //{$clean_price = $_POST['pic'];} 
    //else 
     //{$error++; $errmsg .= 'Invalid pic. ';} 

    // validate 'quantity': must consist of numbers only. 
    //$_POST['pic'] = isset($_POST['pic']) ? $_POST['pic'] : ''; 
    //if(preg_match('/\.(jpg|gif|jpeg)$/i',$_POST['pic'])) 
     //{ 
     $clean_quantity = $_POST['quantity']; 
     //} 
    //else 
     //{$error++; $errmsg .= 'Invalid pic. ';} 

    // validate 'status': must be one of the drop down options. 
    $_POST['status'] = isset($_POST['status']) ? $_POST['status'] : ''; 
    if($_POST['status']=='available'||$_POST['status']=='unavailable'||$_POST['status']=='ebay'||$_POST['status']=='new') 
     {$clean_status = $_POST['status'];} 
    else 
     {$error++; $errmsg .= 'Invalid status. ';} 

    // validate 'catagory': must be one of the drop down options. 
    /* 
    $_POST['catagory'] = isset($_POST['catagory']) ? $_POST['catagory'] : ''; 
    if($_POST['catagory']=='cd'||$_POST['catagory']=='tshirt') 
     {$clean_status = $_POST['catagory'];} 
    else 
     {$error++; $errmsg .= 'Invalid catagory. ';}*/ 
} 


if (isset($_POST['add']) && ($error==0)) 
{     


    // open connection 
    $connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!"); 
    // select database 
    mysql_select_db($db) or die ("Unable to select database!"); 
    // create query 
    $query = "UPDATE paulyout_pauly.products 
      SET 
      name='$clean_name', description='$clean_description', 
      price='$clean_price', status='$clean_status', quantity='$clean_quantity' 
      WHERE id='$currentItemID';";  

    // execute query 
    mysql_query($query) or die ("Error in query: $query.".mysql_error()); 
    // close connection 
    mysql_close($connection); 
    echo"<p>Item succesfully updated.</p><a href=\"../\">Back to Control Panel</a>.</p>"; 
    echo(htmlspecialchars($_GET["id"])); 
    echo"what is going on"; 
    echo"currentItemID = $currentItemID"; 
    echo"$currentItemID"; 



} 

else //output error messages 
{if ($error>0) {echo "<p><strong>There were errors in your submission:</strong> $errmsg</p>\n";} 


///////////////////get existing item details: 
// open connection 
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!"); 
// select database 
mysql_select_db($db) or die ("Unable to select database!"); 
// create query 
$query = "SELECT id, name, description, price, pic, status, quantity FROM products where id = '$currentItemID';"; 

// execute query 
$result = mysql_query($query) or die ("Error in query!"); 

//return results 
$counter = 0; 
if(mysql_num_rows($result) > 0) { 
    while(list($db_id, $db_name, $db_description, $db_price, $db_pic, $db_status, $db_quantity) = mysql_fetch_row($result)){ 


      //render form 
?> 
<form enctype="multipart/form-data" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" id="save"><fieldset> 
<table id="site-form"> 
    <tr> 
    <td class="one_of_three"><label>Item Name:&nbsp;&nbsp;</label></td> 
    <td class="two_of_three"><input type="text" name="name" id="name" value="<?php echo"$db_name";?>"/></td> 
    <td><label class="errors" id="nameError">&nbsp;</label></td> 
    </tr> 
    <tr> 
    <td class="one_of_three"><label>Description:&nbsp;&nbsp;</label></td> 
    <td class="two_of_three"><textarea rows="10" cols="30" name="description" id="description"><?php echo"$db_description";?></textarea></td> 
    <td><label class="errors" id="descriptionError">&nbsp;</label></td> 
    </tr> 
    <tr> 
    <td class="one_of_three"><label>Price(£):&nbsp;&nbsp;</label></td> 
    <td class="two_of_three"><input type="text" name="price" id="price" value="<?php echo"$db_price";?>"/></td> 
    <td><label class="errors" id="priceError">&nbsp;</label></td> 
    </tr> 
    <tr> 
    <td class="one_of_three"><label>Quantity:&nbsp;&nbsp;</label></td> 
    <td class="two_of_three"><input type="text" name="quantity" id="quantity" value="<?php echo"$db_quantity";?>"/></td> 
    <td><label class="errors" id="quantityError">&nbsp;</label></td> 
    </tr> 
    <tr> 
    <td class="one_of_three"><label>Picture:&nbsp;&nbsp;</label></td> 
    <td class="two_of_three"><input type="file" name="userfile[]" id="pic"/></td> 
    <td><label class="errors" id="picError">&nbsp;</label></td> 
    </tr> 
    <tr> 
    <td class="one_of_three"><label>Status:&nbsp;&nbsp;</label></td> 
    <td class="two_of_three"> 
     <select name="status" id="status" value=""> 
     <option value="<?php echo"$db_status";?>"><?php echo(ucfirst(strtolower($db_status)));?></option> 
     <option value="available">Available</option> 
     <option value="new">New</option> 
     </select> 
    </td> 
    <td><label class="errors" id="statusError">&nbsp;</label></td> 
    </tr> 
    <!-- 
    <tr> 
    <td class="one_of_three"><label>Catagory:&nbsp;&nbsp;</label></td> 
    <td class="two_of_three"> 
     <select name="catagory" id="catagory"> 
     <option value="cd">CD</option> 
     <option value="tshirt">T-Shirt</option> 
     </select> 
    </td> 
    <td><label class="errors" id="statusError">&nbsp;</label></td> 
    </tr>--> 
    <tr> 
     <td class="one_of_three">&nbsp;</td> 
     <td class="two_of_three"><input name="add" id="save_button" type="submit" value="Add Item"/>&nbsp;&nbsp;<a href="../">Cancel</a>.</td> 
     <td>&nbsp;</td> 
    </tr> 
</table> 
</fieldset></form> 
<?php 


    } 
} 
else {echo "<p>Product not found.</p>";}//the item could not be found!!! 





// free result set from memory 
mysql_free_result($result); 
// close connection 
mysql_close($connection); 
} 
?> 


<?php ob_end_flush()?> 

Answer 1

당신은 $_SERVER['PHP_SELF']에 양식을 게시하고 있습니다. 이렇게하면 제출시 GET 매개 변수가 재설정됩니다. 대신 $_SERVER['PHP_SELF']."?id=".$currentItemID에 게시해야합니다.

또는

그냥