
ここしばらく、SQLインジェクション対策をして Web ページを保護しようとしています。ところが、フォームを送信してもページに何も表示されません。どこでエラーが起きているのか分からないので、コード全体を以下に示します。

   <?php
   require_once 'db_connect.php';
   ?>
   <head> 
   <title> Data </title>
   <link href = "ss2.css" type = "text/css" rel = "stylesheet" >
   </head>
  <body>
  <h1> Research Center </h1>
  <a href = "home.php"> Data Home Page </a>

  <ol class = 'instructions'>

  <li> Step 1: Please select your first year you want to gather data from. </li>
  <li> Step 2: Next, select a second year to create a time interval. </li>
  <li> Step 3: Then, select the time of year you want to retrieve data from. </li>
  <li> Step 4: Finally, specify a specific regional location. </li>

  </ol>


  <form action="unemployed2.php" method ="post">
  <input type="hidden" name="submitted" value="true" />

  <fieldset>
  <legend>
  Specify Date, Month, and County
  </legend>
  <p class = 'year'>
  <label for="year">
  Please Select years: From 
  </label>

  <select name= 'year'>
  <option value= ''> </option>
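  <?php
  // Fill the "from" year list with the distinct years stored in the table.
  $query = "select distinct year from unemployed";

  $result = $conn->query($query);
  // query() can hand back false on failure (when the driver is not set to throw),
  // so only iterate over a real result.
  if ($result !== false) {
    while ($row = $result->fetch_object()) {
      // Encode at the point of output. ENT_QUOTES matters here because the
      // attribute below is delimited with single quotes.
      $year = htmlspecialchars((string) $row->year, ENT_QUOTES, 'UTF-8');
      echo "<option value='".$year."'>".$year."</option>";
    }
  }
  ?>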
  </select>
  </p>

  <p class = 'year'>
  <label for="year">
  To
  </label>

  <select name= 'year2'>
  <option value= ''> </option>
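  <?php
  // Fill the "to" year list with the distinct years stored in the table.
  $query = "select distinct year from unemployed";

  $result = $conn->query($query);
  // query() can hand back false on failure (when the driver is not set to throw),
  // so only iterate over a real result.
  if ($result !== false) {
    while ($row = $result->fetch_object()) {
      // Encode at the point of output. ENT_QUOTES matters here because the
      // attribute below is delimited with single quotes.
      $year = htmlspecialchars((string) $row->year, ENT_QUOTES, 'UTF-8');
      echo "<option value='".$year."'>".$year."</option>";
    }
  }
  ?>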
  </select>
  </p>


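  <p>
  <label for="month">
  Please select a month
  </label>

  <select name= 'month'>
  <option value= ''> </option>
  <?php
  // Fill the month list with the distinct months stored in the table.
  $query = "select distinct month from unemployed";

  $result = $conn->query($query);
  // query() can hand back false on failure (when the driver is not set to throw),
  // so only iterate over a real result.
  if ($result !== false) {
    while ($row = $result->fetch_object()) {
      // Encode at the point of output. ENT_QUOTES matters here because the
      // attribute below is delimited with single quotes.
      $month = htmlspecialchars((string) $row->month, ENT_QUOTES, 'UTF-8');
      echo "<option value='".$month."'>".$month."</option>";
    }
  }
  ?>
  <option value = "All Months"> All Months </option>
  </select>
  </p>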

  <p>
  <label for="location">
  Please specify a location
  </label>

  <select name='location'>
  <option value= ''> </option>

  <option value = 'Fayette'> Fayette County (IN) </option>
  <option value = 'Henry'> Henry County (IN) </option>
  <option value = 'Randolph'> Randolph County (IN) </option>
  <option value = 'Rush'> Rush County (IN) </option>
  <option value = 'Union'> Union County (IN) </option>
 <option value = 'Wayne'> Wayne County (IN) </option>
 <option value = 'INCounties'> Local Indiana Counties </option>
 <option value = 'Indiana'> Indiana </option>
 <option value = 'Butler'> Butler County (OH) </option>
 <option value = 'Darke'> Darke County (OH) </option>
 <option value = 'Mercer'> Mercer County (OH) </option>
 <option value = 'Preble'> Preble County (OH) </option>
 <option value = 'OHCounties'> Local Ohio Counties </option>
 <option value = 'Ohio'> Ohio </option>
 <option value = 'US'> United States </option>

 </select>
 </p>


 <input type ="submit" />

 </fieldset>
 </form>

<?php

  // Form handler: runs only when the hidden "submitted" field was posted.
  // It reads the year range and month, picks the column to select, runs a
  // prepared statement and prints the rows as an HTML table.
  if (isset($_POST['submitted'])) {


  $gYear = $_POST["year"];
  $gYear2 = $_POST["year2"];
 $gMonth = $_POST["month"];


 // Intended allow-list of selectable columns.
 // NOTE(review): the column names are the VALUES of this array; its keys are
 // 'loc1' .. 'loc15'.
 $array = array('loc1' => 'Fayette', 'loc2' => 'Henry', 'loc3' => 'Randolph', 
         'loc4' => 'Rush', 'loc5' => 'Union', 'loc6' => 'Wayne',
         'loc7' => 'INCounties','loc8' => 'Indiana', 'loc9' => 'Butler', 'loc10' => 'Darke',
         'loc11' => 'Mercer', 'loc12' => 'Preble', 'loc13' => 'OHCounties',
         'loc14' => 'Ohio', 'loc15' => 'US');

 if ($gYear > $gYear2) {

 die('ERROR: Your second year cant be a time period before the first year you selected');
 }

 else {

 // NOTE(review): array_key_exists() tests the keys ('loc1', ...), while the
 // form posts the option values ('Fayette', ...). No option offered by the
 // form matches a key, so the else branch below prints "ERROR".
 if (array_key_exists($_POST["location"], $array)) {

 $column = $_POST["location"];
 }

 else {
 // NOTE(review): execution continues after this message, so $column is
 // undefined when the SQL string is built below.
 echo "ERROR";
 }



 // A column name cannot be supplied as a bound parameter, so it is interpolated
 // into the statement text; the allow-list check above is the only thing that
 // restricts what ends up between the backticks. The three values are bound.
 $sql = "SELECT `$column`, `Year`, `Month` FROM unemployed WHERE year BETWEEN ? AND ? and month= ?";
 // NOTE(review): the return value of prepare() is not checked before use.
 $query = $conn->prepare($sql);
 // NOTE(review): $gyear (lower-case "y") is never assigned in this script; the
 // value read from the form is stored in $gYear.
 $query->bind_param('sss', $gyear, $gYear2, $gMonth);

 $query->execute(); 
 $result = $query->get_result();

 echo "<table>";
 // NOTE(review): the header order is Year, Month, column, but the cells below
 // are printed as column, Year, Month.
 echo "<tr><th>Year</th><th>Month</th><th>$column</th></tr>";

 // NOTE(review): the values are echoed without HTML encoding
 // (e.g. htmlspecialchars()).
 while ($row = $result->fetch_object()){

 echo "<tr><td>";
 echo $row->$column;
 echo "</td><td>";
 echo $row->Year;
 echo "</td><td>";
 echo $row->Month;
 echo "</td></tr>";

 }

 $query->close();



 echo "</table>";

 }
 } // end of main if statement

 ?>

 </body>

推測するなら、送信ボタンを押すと Web ページに ERROR と表示されるので、エラーは次のコード行にあるのだと思います。

// Excerpt of the form handler: the intended allow-list and the check against it.
// NOTE(review): the county/column names are the VALUES here; the keys are
// 'loc1' .. 'loc15'.
$array = array('loc1' => 'Fayette', 'loc2' => 'Henry', 'loc3' => 'Randolph', 
             'loc4' => 'Rush', 'loc5' => 'Union', 'loc6' => 'Wayne',
             'loc7' => 'INCounties','loc8' => 'Indiana', 'loc9' => 'Butler', 'loc10' => 'Darke',
             'loc11' => 'Mercer', 'loc12' => 'Preble', 'loc13' => 'OHCounties',
             'loc14' => 'Ohio', 'loc15' => 'US');
else {

     // NOTE(review): array_key_exists() compares the posted value with the keys
     // ('loc1', ...), not with the names stored as values, so a posted name
     // such as 'Fayette' is rejected.
     if (array_key_exists($_POST["location"], $array)) {

     $column = $_POST["location"];
     }

     else {
     // NOTE(review): only a message is printed here; nothing stops the code
     // that follows from running without $column being set.
     echo "ERROR";
     }

何が間違っているのか分かる方はいますか? どんな助けでも大歓迎です。



配列に一致するキーがあるかをチェックしていますが、場所の名前は実際には配列の値になっています。また、場所の一覧を 2 か所に重複して書いています。ファイルの先頭で $locations 配列を作成し、それを option タグの生成と検証の両方に使うことをお勧めします。そうすれば、「array_key_exists」による検証が期待どおりに動作します。

<?php

// top

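// Single source of truth for the location list: each key is a value the form
// may post (and the name later used as the column), each value is the label
// shown to the user. Validation and the <select> are both driven from here.
$locations = [
    'Fayette'    => 'Fayette County (IN)',
    'Henry'      => 'Henry County (IN)',
    'Randolph'   => 'Randolph County (IN)',
    'Rush'       => 'Rush County (IN)',
    'Union'      => 'Union County (IN)',
    'Wayne'      => 'Wayne County (IN)',
    'INCounties' => 'Local Indiana Counties (IN)',
    'Indiana'    => 'Indiana',
    'Butler'     => 'Butler County (OH)',
    'Darke'      => 'Darke County (OH)',
    'Mercer'     => 'Mercer County (OH)',
    'Preble'     => 'Preble County (OH)',
    'OHCounties' => 'Local Ohio Counties',
    'Ohio'       => 'Ohio',
    'US'         => 'United States',
];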

?>

<!-- middle -->

<select name='location'>
    <option value= ""> </option>
    <?php

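    // Render one <option> per allowed location. Both the key and the label are
    // HTML-encoded at the point of output, so the markup stays intact even if
    // the list is later filled from somewhere other than a literal array.
    foreach ($locations as $k => $v) {
        $value = htmlspecialchars((string) $k, ENT_QUOTES, 'UTF-8');
        $label = htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
        echo "<option value=\"{$value}\">{$label}</option>";
    }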

    ?>
</select>

<?php

// bottom

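// Allow-list check for the column name. An identifier cannot be passed as a
// bound parameter of a prepared statement, so $column may only ever hold one
// of the keys of $locations.
$location = $_POST["location"] ?? null;
if (is_string($location) && array_key_exists($location, $locations)) {
    $column = $location;
} else {
    // Stop here: carrying on would leave $column undefined for any query
    // that is built from it afterwards.
    exit("ERROR");
}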

?>
于 2013-09-17T15:48:08.507 に答える

コードの先頭に error_reporting(E_ALL); と ini_set("display_errors",1); を追加して、エラーを確認してください。なお、display_errors はエラーの詳細をページの訪問者にも表示してしまうため、有効にするのは開発環境だけにしてください。

于 2013-09-17T15:15:44.503 に答える