2016-12-12 9 views
-1

stripslashes function not working: no value after a character followed by "'" in the string

Strings that contain a ' do not display correctly on the website page itself: everything before the ' is shown, but everything after it is blank. When I go into the database and look at the data there, however, the word displays in full.

When I enter string values into the database I use mysqli_real_escape_string before inserting them. I also have an option on the website to update these values by fetching them back and putting them into a text box.

Example: O'Rourke comes back as O. All of the code below deals with customers.

<!DOCTYPE html> 
<html lang="en"> 
<head> 
    <meta charset="UTF-8"> 

    <title>MindFactory - Performance For Less</title> 

    <link rel="stylesheet" type="text/css" href="global.css"> 

</head> 

<body id = "container"> 

<!-- --------------------------- Creating The Menu Bar ----------------------------------- --> 

    <ul class = "menuBar"> 
     <li><a href="index.php">Home</a></li> 
     <li><a class = "active" href="customer.php">Customer</a></li> 
     <li><a href="sales.php">Sales</a></li> 
     <li><a href="http://www.example.com">User: Administrator</a></li> 
    </ul> 

    <div class = "products"> 

    <!-- -------------------------- HEADING --------------------- --> 

     <h1>Register a Customer</h1> 

     <div id = "inputFormat"> 

      <form method="post" action="customer.php"> 
       <label>Email: * 
        <input type="text" name="email" placeholder="Enter Email" /> 
       </label><br> 

       <label>First Name: * 
        <input type="text" name="forename" placeholder="Enter First Name" /> 
       </label><br> 

       <label>Last Name: * 
        <input type="text" name="surname" placeholder="Enter Last Name" /> 
       </label><br> 

       <label>Address: * 
        <input type="text" name="address" placeholder="Enter Address" /> 
       </label><br> 

       <input type="submit" name="register" value="Register Customer" /> 
      </form><br><hr> 

     </div> 

<?php 

// -------------------------------------- WHEN A NEW CUSTOMER IS BEING REGISTERED, DO THIS ----------------------------- 
if(isset($_POST['register'])){ 
    $forename = $_POST['forename']; 
    $surname = $_POST['surname']; 
    $address = $_POST['address']; 
    $email = $_POST['email']; 

    if($forename == "" OR $surname == "" OR $address == "" OR $email == "") { 
     echo("You Did Not Enter All Details<br><br>"); 
    } 
    else { 
     include 'connection.php'; 

     $forenameEsc = mysqli_real_escape_string($connection,$forename); 
     $surnameEsc = mysqli_real_escape_string($connection,$surname); 
     $addressEsc = mysqli_real_escape_string($connection,$address); 
     $emailEsc = mysqli_real_escape_string($connection,$email); 

     $sql = "INSERT INTO customer(email,forename,surname,address) VALUES('$emailEsc','$forenameEsc','$surnameEsc','$addressEsc')"; 

     $result = mysqli_query($connection,$sql); 

     if($result == 0) { 
      echo("<p>Error Registering: ". mysqli_error($connection) . "</p>"); 
     } 
     else { 
      echo("<br><strong>Success</strong>. User: " . $forename . " " . $surname . " Has Been Registered"); 
     } 
    } 
} 

// ---------------------------------------- WHEN NO CUSTOMER HAS BEEN CHOSEN TO UPDATE ------------------------------ 

if(!isset($_POST['update']) AND !isset($_POST['delete'])) { 

include 'connection.php'; 

$statement = "SELECT * FROM customer"; 

$result = mysqli_query($connection, $statement); 

if(!$result) { 
echo "Query One Failed"; 
exit(); 
} 
else { 
if(mysqli_num_rows($result) < 1) { 
echo "No Users Created"; 
} 
else { 
    echo "<h1>Update or Delete a Customer</h1>"; 

    echo "<table border=1>"; 
    echo "<tr><th>Customer ID</th><th>Email</th><th>First Name</th><th>Second Name</th><th>Address</th><th>Update</th><th>Delete</th></tr>"; 
    while ($row = mysqli_fetch_array($result)) { 
     $custID = $row['custID']; 
    echo ("<tr><td>"); 
      echo $custID; 
      echo("</td><td>"); 
      echo $row['email']; 
      echo("</td><td>"); 
      echo $row['forename']; 
      echo("</td><td>"); 
      echo $row['surname']; 
      echo("</td><td>"); 
      echo $row['address']; 
      echo("</td><td>"); 
      echo("<form method='post' action='customer.php'><input type='hidden' name='custID' value='$custID'/><input type='submit' name='update' value='Update This User' /></form>"); 
      echo("</td><td>"); 
      echo("<form method='post' action='customer.php'><input type='hidden' name='custID' value='$custID'/><input type='submit' name='delete' value='Delete This User' /></form>"); 
      echo("</td></tr>"); 
    } 
    echo "</table>"; 
    } 
} 
mysqli_free_result($result); 
mysqli_close($connection); 

} 

// ---------------------------------------- WHEN USER TO UPDATE IS CHOSEN, DISPLAY THIS ------------------------------ 

if(isset($_POST['update'])) { 
$custID = (int) $_POST['custID']; 

include 'connection.php'; 

$statement = "SELECT * FROM customer WHERE custID = $custID"; 

$result = mysqli_query($connection,$statement); 

if(!$result) { 
echo "Query Failed"; 
exit(); 
} 

else { 
$row = mysqli_fetch_array($result); 
$firstName = $row['forename']; 
$lastName = $row['surname']; 
$address = $row['address']; 

$sFirstName = stripslashes($firstName); 
$sLastName = stripslashes($lastName); 
$sAddress = stripslashes($address); 

echo (" 
<form method='post' action = 'customer.php'> 
    <label>New Forename: <br> 
     <input type='text' name='ud_forename' value='$sFirstName' /> 
    </label><br> 

    <label>New Surname: <br> 
     <input type='text' name='ud_surname' value='$sLastName' /> 
    </label><br> 

    <label>New Address: <br> 
     <input type='text' name='ud_address' value='$sAddress' /> 
    </label><br><br> 

    <input type='hidden' name='userToUpdate' value='$custID' /> 

    <input type='submit' name='user_update' value='Confirm Changes' /> 
</form>"); 

} 
mysqli_free_result($result); 
mysqli_close($connection); 
} 

// ------------------------------ WHEN USER ENTERS THE NEW VALUES, DO THIS ---------------------------------- 
if(isset($_POST['user_update'])) { 
    include 'connection.php'; 

    $updatedForename = $_POST['ud_forename']; 
    $updatedSurname = $_POST['ud_surname']; 
    $updatedAddress = $_POST['ud_address']; 
    $userToUpdate = (int) $_POST['userToUpdate']; 

    if($updatedForename == '' OR $updatedSurname == '' OR $updatedAddress == '') { 
     echo "<br>Missing Information. Please Try Again"; 
     exit(); 
    } 

    $updatedForenameEsc = mysqli_real_escape_string($connection,$updatedForename); 
    $updatedSurnameEsc = mysqli_real_escape_string($connection,$updatedSurname); 
    $updatedAddressEsc = mysqli_real_escape_string($connection,$updatedAddress); 

    $statement = "UPDATE customer SET forename = '$updatedForenameEsc', surname = '$updatedSurnameEsc', address = '$updatedAddressEsc' WHERE custID = $userToUpdate"; 

    $result = mysqli_query($connection,$statement); 

    if(!$result) { 
     echo "Query Failed"; 
     exit(); 
    } 

    else { 
     if(mysqli_affected_rows($connection) < 1) { 
      echo "No Updates Made"; 
     } 
     else { 
      echo ("<br>Customer ID Number: " . $userToUpdate . " Updated"); 
      mysqli_close($connection); 
     } 
    } 
} 

// ---------------------------------- WHEN A CUSTOMER IS CHOSEN TO DELETE -------------------------------------- 

if(isset($_POST['delete'])) { 
    include 'connection.php'; 

    $userToDelete = (int) $_POST['custID']; 

    $statement = "DELETE FROM customer WHERE custID = $userToDelete"; 

    $result = mysqli_query($connection,$statement); 

    if(!$result) { 
     echo "Query Failed - " . mysqli_error($connection); 
     echo "<br><br><strong>Error: </strong>Customer Exists In A Sale"; 
     exit(); 
    } 

    else { 
     if(mysqli_affected_rows($connection) < 1) { 
      echo "No Deletion Made"; 
     } 
     else { 
      echo ("<br>Customer ID Number: " . $userToDelete . " Deleted"); 
      mysqli_close($connection); 
     } 
    } 
} 

?> 

    </div> 

</body> 
</html> 
+3

http://php.net/manual/en/function.htmlentities.php – AbraCadaver

+1

Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly
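As an added example (not code from the question or from any of the commenters), here is the INSERT and UPDATE from the customer.php above rewritten with mysqli prepared statements, which is what the comment recommends. The parameters are sent to the server separately from the query text, so an apostrophe in O'Rourke is plain data and mysqli_real_escape_string is no longer needed. It assumes `$connection` is the mysqli link created by the asker's connection.php and the `customer` table with the columns used in the question (custID, email, forename, surname, address).

```php
<?php
// Added example, not part of the original question or answers.
// Assumes: $connection (mysqli link) comes from the asker's connection.php,
// and the customer table has custID, email, forename, surname, address.

function registerCustomer(mysqli $connection, string $email, string $forename,
                          string $surname, string $address): int
{
    // The ? placeholders are filled by the driver, never by string interpolation,
    // so quotes in the input cannot change the structure of the statement.
    $stmt = $connection->prepare(
        'INSERT INTO customer (email, forename, surname, address) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $connection->error);
    }
    // 'ssss': four string parameters, in placeholder order.
    $stmt->bind_param('ssss', $email, $forename, $surname, $address);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $newId = (int) $connection->insert_id;
    $stmt->close();
    return $newId;
}

function updateCustomer(mysqli $connection, int $custID, string $forename,
                        string $surname, string $address): int
{
    $stmt = $connection->prepare(
        'UPDATE customer SET forename = ?, surname = ?, address = ? WHERE custID = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $connection->error);
    }
    // 'sssi': three strings and one integer, matching the placeholder order.
    $stmt->bind_param('sssi', $forename, $surname, $address, $custID);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $affected = $stmt->affected_rows;   // 0 when the row exists but nothing changed
    $stmt->close();
    return $affected;
}

// Usage mirroring the two handlers in the question.
include 'connection.php';               // asker's file; provides $connection
if (isset($_POST['register'])) {
    $id = registerCustomer($connection, $_POST['email'], $_POST['forename'],
                           $_POST['surname'], $_POST['address']);
    echo '<br><strong>Success</strong>. Customer ID ' . $id . ' Has Been Registered';
}
if (isset($_POST['user_update'])) {
    $custID = (int) $_POST['userToUpdate'];
    $n = updateCustomer($connection, $custID, $_POST['ud_forename'],
                        $_POST['ud_surname'], $_POST['ud_address']);
    echo $n < 1 ? 'No Updates Made' : '<br>Customer ID Number: ' . $custID . ' Updated';
}
```

The empty-field checks from the original handlers are left out here for brevity; they still belong before the database call. Note that prepared statements fix the SQL side only; values echoed back into the HTML, such as the name in the success message, still need HTML escaping.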

Answer

1

Either use double quotes when echoing the value into the `<input/>` fields, or use `htmlentities()` with the `ENT_QUOTES` flag. Your `<input/>` fields are coming out literally as:

<input type='text' name='ud_surname' value='O'Rourke' /> 
+0

Thank you so much for this! How would I echo it? Because everything is inside the echo "....." – alannm37

+0

All sorted! I added \"$sFirstname\" and did the same for the other variables! – alannm37
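The answer above and the asker's follow-up, as an added example that is not code from the original post or the answer. It renders the update form's inputs with `htmlspecialchars()` and `ENT_QUOTES` (the `htmlentities()` named in the answer behaves the same way for quotes and is a drop-in replacement here) and also shows why switching to double quotes alone, as the asker did, is not a complete fix: a double quote in the data closes the attribute just as the apostrophe did. The sample values are constructed for this demonstration, not rows from the asker's database.

```php
<?php
// Added example, not part of the original question or answer.

// Escape a string for an HTML attribute or text node.
// ENT_QUOTES converts both ' and ", so the value cannot terminate the attribute
// whichever quote wraps it. ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD
// instead of returning an empty string, which would silently blank the field.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// One labelled <input> for the update form, built the safe way.
function inputField(string $name, string $label, string $value): string
{
    return '<label>' . attr($label) . ': <br>'
         . '<input type="text" name="' . attr($name) . '" value="' . attr($value) . '" />'
         . '</label><br>';
}

// The question's original construction, kept only to show what goes wrong:
// the value is spliced straight into a single-quoted attribute.
function inputFieldUnescaped(string $name, string $value): string
{
    return "<input type='text' name='$name' value='$value' />";
}

// Same idea with double quotes, i.e. the asker's follow-up fix.
function inputFieldDoubleQuoted(string $name, string $value): string
{
    return "<input type=\"text\" name=\"$name\" value=\"$value\" />";
}

// Constructed sample data: a surname with an apostrophe and an address that
// contains a double quote.
$sample = [
    'forename' => 'Dara',
    'surname'  => "O'Rourke",
    'address'  => '12 "The Mews", Dublin',
];

// The apostrophe ends the single-quoted attribute after the O.
echo inputFieldUnescaped('ud_surname', $sample['surname']), "\n";

// Double quotes survive the apostrophe but not the quote in the address.
echo inputFieldDoubleQuoted('ud_address', $sample['address']), "\n";

// Escaped: both characters become entities and the full value is displayed.
echo inputField('ud_forename', 'New Forename', $sample['forename']), "\n";
echo inputField('ud_surname',  'New Surname',  $sample['surname']),  "\n";
echo inputField('ud_address',  'New Address',  $sample['address']),  "\n";
```

With these flags `htmlspecialchars()` turns `'` into `&#039;` and `"` into `&quot;`, and the browser decodes them back when it shows the field, so the user sees O'Rourke intact. The `stripslashes()` calls in the question are unrelated to this problem: `mysqli_real_escape_string()` escapes only the SQL literal, nothing is stored with backslashes, so there is nothing to strip on the way out.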
