0
我嘗試使用「landlord_home.php」中使用方法POST的表單的按鈕中的值屬性發送值。問題是,當我點擊按鈕進入下一頁「edit_post.php」時,它會在該頁面執行php驗證代碼,並在該頁面中顯示驗證錯誤。將value屬性的值發送到其他php頁面?
如何在不使用表單(POST或GET方法)的情況下將值傳遞給「edit_post.php」或者有沒有其他方法?
while ($row = mysqli_fetch_array($r, MYSQLI_ASSOC)) {
echo '<tr>
<td>' . $row['property_id'] . '</td>
<td>' . $row['username']. '</td>
<td>' . $row['property_type']. '</td>
<td>RM' . $row['property_price']. '</td>
<td>' . $row['address']. '</td>
<td>' . $row['location']. '</td>
<td>
<img src="data:property_type;base64,' .
$row['property_picture'] .
'" class="img-thumbnail" width="100" height="100">
</td>
<td>' . $row['title'] . '</td>
<td>' . $row['description'] . '</td>
<td>' . date('F d, Y h:mA', strtotime($row['reg_date'])) . '</td>
<td>
<form action="edit_post.php" method="POST">
<button class="btn btn-success btn-sm" name="edit" value="' .
$row['property_id'] . '">
Edit
</button>
<br>
<button class="btn btn-danger btn-sm" name="delete"
value="'.$row['property_id'] . '">
Delete
</button>
</form>
</td>
</tr>';
}
echo '</table>';
以上是「landlord_home.php」中的代碼。以下是我在上面的代碼中討論的代碼部分。
<form action="edit_post.php" method="POST">
<button class="btn btn-success btn-sm" name="edit" value="' .
$row['property_id'] . '">
Edit
</button>
<br>
<button class="btn btn-danger btn-sm" name="delete" value="' .
$row['property_id'] . '">
Delete
</button>
</form>
及以下下一頁 「edit_post.php」
session_start();
$user = $_SESSION['username'];
if(!isset($_SESSION['username'])) {
require('login_tools_landlord.php');
load();
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Edit Property</title>
<link rel="stylesheet" href="css/add_property.css">
<link rel="stylesheet" href="css/header.css">
<link rel="stylesheet" href="css/bootstrap.min.css">
<script type="text/javascript" src="js/jquery.js"></script>
<script type="text/javascript" src="js/bootstrap.js"></script>
</head>
<body>
<?php include 'includes/header_landlord.php' ?>
<div class="container wrapper">
<div class="text-center title_bar">
<h3>Fill in your property details</h3>
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
require ('core/connect_db.php');
$errors = array();
if (isset($_POST['edit'])) {
$edit = $_POST['edit'];
$q = "SELECT * FROM property WHERE property_id = '$edit'";
$r = mysqli_query($dbc, $q);
$row = mysqli_fetch_array($r, MYSQLI_ASSOC);
$prop_type = $row['property_type'];
$price = $row['property_price'];
$address = $row['address'];
$location = $row['location'];
$pic = $row['property_picture'];
$title = $row['title'];
$desc = $row['description'];
$dt = $row['reg_date'];
if (empty($_POST['property_type'])) {
$errors[] = 'Choose property type.';
} else {
$pr = mysqli_real_escape_string($dbc, trim($_POST['property_type']));
}
if (empty($_POST['price'])) {
$errors[] = 'Enter your property price.';
} else {
$p = mysqli_real_escape_string($dbc, trim($_POST['price']));
}
if (empty($_POST['address'])) {
$errors[] = 'Enter your address.';
} else {
$ad = mysqli_real_escape_string($dbc, trim($_POST['address']));
}
if (empty($_POST['location'])) {
$errors[] = 'Choose your location.';
} else {
$lo = mysqli_real_escape_string($dbc, trim($_POST['location']));
}
// if (empty($_POST['picture'])) {
// $errors[] = 'Pick a picture.';
// } else {
// $pc = mysqli_real_escape_string($dbc, trim($_POST['picture']));
// }
if (isset($_POST['submit'])) {
if (getimagesize($_FILES['picture']['tmp_name']) == FALSE) {
$errors[] = "Please select an image.";
} else {
$picture = addslashes($_FILES['picture']['tmp_name']);
$name = addslashes($_FILES['picture']['name']);
$picture = file_get_contents($picture);
$picture = base64_encode($picture);
}
}
if (empty($_POST['title'])) {
$errors[] = 'Enter your title.';
} else {
$ti = mysqli_real_escape_string($dbc, trim($_POST['title']));
}
if (empty($_POST['description'])) {
$errors[] = 'Enter your description.';
} else {
$de = mysqli_real_escape_string($dbc, trim($_POST['description']));
}
if (empty($errors)) {
$qa = "
UPDATE property
SET property_type = '$pr', property_price = '$p', address = '$ad',
location = '$lo', property_picture = '$picture', title = '$ti',
description = '$de', reg_date = NOW()
WHERE property_type = '$prop_type', property_price = '$price',
address = '$address', location = '$location',
property_picture = '$pic', title = '$title',
description = '$desc', reg_date = '$dt'
";
$ra = mysqli_query($dbc, $qa);
if ($ra) {
echo '<h1 class="sccs_msg">Successful</h1>
<p class="sccs_msg">REDIRECTING YOU TO DASHBOARD in 3 SECOND</p>
<meta http-equiv="refresh" content="3;URL=landlord_home.php" />';
}
mysqli_close($dbc);
exit();
} else {
echo '<h1 class="err_msg">ERROR!</h1>
<p class="err_msg">The following error(s) occurred:<br>';
foreach ($errors as $msg) {
echo "- $msg<br>";
}
echo 'Please try again.</p>';
mysqli_close($dbc);
}
}
}
?>
</div>
<form method="post" action="edit_post.php" enctype="multipart/form-data">
<div class="form-group">
<label for="property_type">Property Type</label>
<select class="form-control" name="property_type" id="property_type"
value="<?php
if (isset($_POST['property_type'])) {
echo $_POST['property_type'];
}
?>">
<option></option>
<option>Room</option>
<option>Whole Unit</option>
</select>
</div>
<div class="form-group">
<label for="price">Unit Price(RM)</label>
<input type="text" class="form-control" name="price" id="unit_price"
placeholder="Unit Price" value="<?php
if (isset($_POST['price'])) {
echo $_POST['price'];
}
?>">
</div>
<div class="form-group">
<label for="address">Address</label>
<textarea class="form-control" name="address" id="address" rows="3"
value="<?php
if (isset($_POST['address'])) {
echo $_POST['address'];
}
?>"></textarea>
</div>
<div class="form-group">
<label for="location">Location</label>
<select class="form-control" name="location" id="location"
value="<?php
if (isset($_POST['location'])) {
echo $_POST['location'];
}
?>">
<optgroup label="Kuala Lumpur">
<option></option>
<option>Puchong</option>
<option>Salak Selatan</option>
<option>Segambut</option>
<option>Sentul</option>
<option>Seputih</option>
</optgroup>
<optgroup label="Selangor">
<option>Cheras</option>
<option>Damansara</option>
<option>Cyberjaya</option>
<option>Kajang</option>
<option>Kelana Jaya</option>
</optgroup>
</select>
</div>
<div class="form-group">
<label for="picture">Picture</label>
<input type="file" class="form-control-file" name="picture"
id="picture" aria-describedby="fileHelp"
value="<?php
if (isset($_POST['picture'])) {
echo $_POST['picture'];
}
?>">
<small id="fileHelp" class="form-text text-muted">
Please provide a photo of your property.
</small>
</div>
<div class="form-group">
<label for="title">Title</label>
<input type="text" class="form-control" name="title" id="title"
placeholder="Post Title" value="<?php
if (isset($_POST['title'])) {
echo $_POST['title'];
}
?>">
</div>
<div class="form-group">
<label for="description">Description</label>
<textarea class="form-control" name="description" id="description"
rows="3" value="<?php
if (isset($_POST['description'])) {
echo $_POST['description'];
}
?>"></textarea>
</div>
<button type="submit" class="btn btn-primary" name="submit">
Submit
</button>
</form>
</div>
</body>
</html>
**警告**:使用'mysqli'時,您應該使用[參數化查詢](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php)和['bind_param' ](http://php.net/manual/en/mysqli-stmt.bind-param.php)將用戶數據添加到您的查詢。 **不要**使用手動轉義和字符串插值或串聯來實現此目的,因爲如果您忘記正確地轉義像您一樣的東西,您將創建嚴重的[SQL注入漏洞](http://bobby-tables.com/)用'$ edit'。 – tadman
@tadman感謝您的提醒。有點新手在PHP。我仍然沒有探索php的安全性,所以我的代碼非常脆弱。 – Amher25
意識到這是採取一種不會讓自己陷入麻煩的紀律的第一步。通常在你編寫代碼後,它有一種蠕蟲進入生產的方式,所以最好是安全而不是抱歉。 – tadman