2010-05-19 43 views
2

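This page takes the asset ID from $_GET in the URL and displays some information about the asset after querying a MySQL database. Why does this unwanted ">" character show up when this PHP document is displayed in the browser?

When I view the page in the browser, an unwanted ">" character appears on the page, and I don't know why.

I have commented where it appears. It appears right after the <table> creation tag. The <table> tag was originally outside the PHP script section, but I threw it inside to see if it made a difference. It didn't. Thanks, guys.

I am viewing the page in Firefox. The web server runs on an Ubuntu Server 10.04 virtual machine on a laptop.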

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> 
<html xmlns="http://www.w3.org/1999/xhtml"> 
<head> 
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> 
<link rel="stylesheet" type="text/css" href="style.css" /> 
<title>Wagman IT Asset</title> 
</head> 

<body> 
    <div id="page"> 
       <div id="header"> 
        <img src="images/logo.png" /> 
       </div> 

       </div> 

       <div id="content"> 
        <div id="container"> 

         <div id="main"> 
         <div id="menu"> 
          <ul> 
           <table width="100%" border="0"> 
           <tr> 
           <td><li><a href="index.php">Search Assets</a></li></td> 
           <td><li><a href="browse.php">Browse Assets</a></li></td> 
           <td><li><a href="add_asset.php">Add Asset</a></li></td> 
           <td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td> 
           </tr> 
           </table> 
          </ul> 
         </div> 
         <div id="text"> 
         <ul> 
         <li> 
         <h1>View Asset</h1> 
         </li> 
         </ul> 
//UNWANTED > CHARACTER APPEARS HERE 
<?php 

echo "<table width='100%' border='0' cellpadding='2'>"; 
//make database connect 
mysql_connect("localhost", "asset_db", "asset_db") or die(mysql_error()); 
mysql_select_db("asset_db") or die(mysql_error()); 

//get asset 
$id = $_GET["id"]; 
//get type of asset 
$sql = "SELECT asset.type 
From asset 
WHERE asset.id = $id"; 
$result = mysql_query($sql) 
or die(mysql_error()); 
$row = mysql_fetch_assoc($result); 
$type = $row['type']; 

switch ($type){ 
case "Server": 
$sql = " 
SELECT asset.id 
,asset.company 
,asset.location 
,asset.purchase_date 
,asset.purchase_order 
,asset.value 
,asset.type 
,asset.notes 
,server.manufacturer 
,server.model 
,server.serial_number 
,server.esc 
,server.user 
,server.prev_user 
,server.warranty 
FROM asset 
LEFT JOIN server 
    ON server.id = asset.id 
WHERE asset.id = $id 
"; 
$result = mysql_query($sql); 
while($row = mysql_fetch_assoc($result)) 
{ 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Asset ID:</td><td>"; 
    $id = $row['id']; 
    setcookie('id', $id); 
    echo "$id</td></tr>"; 
    echo "<tr<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>><td>Company:</td><td>"; 
    $company = $row['company']; 
    setcookie('company', $company); 
    echo "$company</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Location:</td><td>"; 
    $location = $row['location']; 
    setcookie('location', $location); 
    echo "$location</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Purchase Date:</td><td>"; 
    $purchase_date = $row['purchase_date']; 
    setcookie('purchase_date', $purchase_date); 
    echo "$purchase_date</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Purchase Order:</td><td>"; 
    $purchase_order = $row['purchase_order']; 
    setcookie('purchase_order', $purchase_order); 
    echo "$purchase_order</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Value:</td><td>"; 
    $value = $row['value']; 
    setcookie('value', $value); 
    echo "$value</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Type:</td><td>"; 
    $type = $row['type']; 
    setcookie('type', $type); 
    echo "$type</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Notes:</td><td>"; 
    $notes = $row['notes']; 
    setcookie('notes', $notes); 
    echo "$notes</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Manufacturer:</td><td>"; 
    $manufacturer = $row['manufacturer']; 
    setcookie('manufacturer', $manufacturer); 
    echo "$manufacturer</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Model/Description:</td><td>"; 
    $model = $row['model']; 
    setcookie('model', $model); 
    echo "$model</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Serial Number/Service Tag:</td><td>"; 
    $serial_number = $row['serial_number']; 
    setcookie('serial_number', $serial_number); 
    echo "$serial_number</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Express Service Code:</td><td>"; 
    $esc = $row['esc']; 
    setcookie('esc', $esc); 
    echo "$esc</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>User:</td><td>"; 
    $user = $row['user']; 
    setcookie('user', $user); 
    echo "$user</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Previous User:</td><td>"; 
    $prev_user = $row['prev_user']; 
    setcookie('prev_user', $prev_user); 
    echo "$prev_user</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Warranty:</td><td>"; 
    $warranty = $row['warranty']; 
    setcookie('warranty', $warranty); 
    echo "$warranty</td></tr></table>"; 
} 

break; 


case "Laptop": 
$sql = " 
SELECT asset.id 
,asset.company 
,asset.location 
,asset.purchase_date 
,asset.purchase_order 
,asset.value 
,asset.type 
,asset.notes 
,laptop.manufacturer 
,laptop.model 
,laptop.serial_number 
,laptop.esc 
,laptop.user 
,laptop.prev_user 
,laptop.warranty 
FROM asset 
LEFT JOIN laptop 
    ON laptop.id = asset.id 
WHERE asset.id = $id 
"; 
$result = mysql_query($sql); 
while($row = mysql_fetch_assoc($result)) 
{ 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Asset ID:</td><td>"; 
    $id = $row['id']; 
    setcookie('id', $id); 
    echo "$id</td></tr>"; 
    echo "<tr<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>><td>Company:</td><td>"; 
    $company = $row['company']; 
    setcookie('company', $company); 
    echo "$company</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Location:</td><td>"; 
    $location = $row['location']; 
    setcookie('location', $location); 
    echo "$location</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Purchase Date:</td><td>"; 
    $purchase_date = $row['purchase_date']; 
    setcookie('purchase_date', $purchase_date); 
    echo "$purchase_date</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Purchase Order:</td><td>"; 
    $purchase_order = $row['purchase_order']; 
    setcookie('purchase_order', $purchase_order); 
    echo "$purchase_order</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Value:</td><td>"; 
    $value = $row['value']; 
    setcookie('value', $value); 
    echo "$value</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Type:</td><td>"; 
    $type = $row['type']; 
    setcookie('type', $type); 
    echo "$type</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Notes:</td><td>"; 
    $notes = $row['notes']; 
    setcookie('notes', $notes); 
    echo "$notes</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Manufacturer:</td><td>"; 
    $manufacturer = $row['manufacturer']; 
    setcookie('manufacturer', $manufacturer); 
    echo "$manufacturer</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Model/Description:</td><td>"; 
    $model = $row['model']; 
    setcookie('model', $model); 
    echo "$model</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Serial Number/Service Tag:</td><td>"; 
    $serial_number = $row['serial_number']; 
    setcookie('serial_number', $serial_number); 
    echo "$serial_number</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Express Service Code:</td><td>"; 
    $esc = $row['esc']; 
    setcookie('esc', $esc); 
    echo "$esc</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>User:</td><td>"; 
    $user = $row['user']; 
    setcookie('user', $user); 
    echo "$user</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Previous User:</td><td>"; 
    $prev_user = $row['prev_user']; 
    setcookie('prev_user', $prev_user); 
    echo "$prev_user</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Warranty:</td><td>"; 
    $warranty = $row['warranty']; 
    setcookie('warranty', $warranty); 
    echo "$warranty</td></tr></table>"; 
} 

     break; 
case "Desktop": 
$sql = " 
SELECT asset.id 
,asset.company 
,asset.location 
,asset.purchase_date 
,asset.purchase_order 
,asset.value 
,asset.type 
,asset.notes 
,desktop.manufacturer 
,desktop.model 
,desktop.serial_number 
,desktop.esc 
,desktop.user 
,desktop.prev_user 
,desktop.warranty 
FROM asset 
LEFT JOIN desktop 
    ON desktop.id = asset.id 
WHERE asset.id = $id 
"; 
$result = mysql_query($sql); 
while($row = mysql_fetch_assoc($result)) 
{ 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Asset ID:</td><td>"; 
    $id = $row['id']; 
    setcookie('id', $id); 
    echo "$id</td></tr>"; 
    echo "<tr<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>><td>Company:</td><td>"; 
    $company = $row['company']; 
    setcookie('company', $company); 
    echo "$company</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Location:</td><td>"; 
    $location = $row['location']; 
    setcookie('location', $location); 
    echo "$location</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Purchase Date:</td><td>"; 
    $purchase_date = $row['purchase_date']; 
    setcookie('purchase_date', $purchase_date); 
    echo "$purchase_date</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Purchase Order:</td><td>"; 
    $purchase_order = $row['purchase_order']; 
    setcookie('purchase_order', $purchase_order); 
    echo "$purchase_order</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Value:</td><td>"; 
    $value = $row['value']; 
    setcookie('value', $value); 
    echo "$value</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Type:</td><td>"; 
    $type = $row['type']; 
    setcookie('type', $type); 
    echo "$type</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Notes:</td><td>"; 
    $notes = $row['notes']; 
    setcookie('notes', $notes); 
    echo "$notes</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Manufacturer:</td><td>"; 
    $manufacturer = $row['manufacturer']; 
    setcookie('manufacturer', $manufacturer); 
    echo "$manufacturer</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Model/Description:</td><td>"; 
    $model = $row['model']; 
    setcookie('model', $model); 
    echo "$model</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Serial Number/Service Tag:</td><td>"; 
    $serial_number = $row['serial_number']; 
    setcookie('serial_number', $serial_number); 
    echo "$serial_number</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Express Service Code:</td><td>"; 
    $esc = $row['esc']; 
    setcookie('esc', $esc); 
    echo "$esc</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>User:</td><td>"; 
    $user = $row['user']; 
    setcookie('user', $user); 
    echo "$user</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Previous User:</td><td>"; 
    $prev_user = $row['prev_user']; 
    setcookie('prev_user', $prev_user); 
    echo "$prev_user</td></tr>"; 
    echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Warranty:</td><td>"; 
    $warranty = $row['warranty']; 
    setcookie('warranty', $warranty); 
    echo "$warranty</td></tr></table>"; 
} 
     break; 
} 

?> 

         </div> 

         </div> 
       </div> 
       <div class="clear"></div> 
       <div id="footer" align="center"> 
        <p>&nbsp;</p> 
       </div> 
       </div> 
       <div id="tagline"> 
       Wagman Construction - Bridging Generations since 1902 
       </div> 


</body> 
</html> 
+0

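Thanks for the advice. I'm new to this and was just trying to get everything working so I can play with it some more. I realize my code has a lot of holes. Do you have any good resources on parameterized queries that you could point me toward? – 2010-05-19 14:37:30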

+0

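...nothing, actually, because MySQL doesn't support multiple statements like that. But yes, the SQL injection problem is still serious; 'mysql_real_escape_string' together with wrapping the value in ' quotes, or parameterized queries, are essential. You also need to use 'htmlspecialchars()' every time you put a text string (like '$company' and so on) into HTML, otherwise you get HTML injection, leading to potential XSS vulnerabilities. – bobince 2010-05-19 14:51:40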
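The parameterized queries and 'htmlspecialchars()' escaping recommended in the comment above, as an added example that is not part of the original thread. It goes slightly beyond the posted page by folding the three switch branches into one allowlisted lookup; the in-memory SQLite database, the constructed sample rows, the reduced column set and the helper names h() and render_asset() are assumptions, and the same PDO calls work with a mysql: DSN.

```php
<?php
// Added example: constructed in-memory data standing in for the asset_db tables.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE asset (id INTEGER PRIMARY KEY, company TEXT, type TEXT, notes TEXT)");
$pdo->exec("CREATE TABLE server (id INTEGER PRIMARY KEY, manufacturer TEXT, model TEXT)");
$pdo->exec("INSERT INTO asset VALUES (1, 'Wagman <IT>', 'Server', 'Rack <b>B2</b> & spare PSU')");
$pdo->exec("INSERT INTO server VALUES (1, 'Dell', 'PowerEdge')");

// Hypothetical helper: escape every value on its way into HTML.
function h($value): string {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function render_asset(PDO $pdo, $rawId): string {
    // Validate the id as an integer instead of pasting $_GET['id'] into the SQL text.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return "<p>Invalid asset id.</p>\n";
    }
    $stmt = $pdo->prepare('SELECT type FROM asset WHERE id = ?');
    $stmt->execute([$id]);
    $type = $stmt->fetchColumn();

    // Table names cannot be bound as parameters, so map the type to a fixed allowlist.
    $tables = ['Server' => 'server', 'Laptop' => 'laptop', 'Desktop' => 'desktop'];
    if (!isset($tables[$type])) {
        return "<p>Asset not found.</p>\n";
    }
    $t = $tables[$type];
    $stmt = $pdo->prepare(
        "SELECT asset.id, asset.company, asset.type, asset.notes, $t.manufacturer, $t.model
         FROM asset LEFT JOIN $t ON $t.id = asset.id WHERE asset.id = ?"
    );
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One row template for every field, so a markup typo cannot hide in one of many echo lines.
    $labels = ['id' => 'Asset ID', 'company' => 'Company', 'type' => 'Type',
               'notes' => 'Notes', 'manufacturer' => 'Manufacturer', 'model' => 'Model/Description'];
    $html = "<table width='100%' border='0' cellpadding='2'>\n";
    foreach ($labels as $column => $label) {
        $html .= '<tr><td>&nbsp;</td><td>' . h($label) . ':</td><td>' . h($row[$column]) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

echo render_asset($pdo, '1');         // normal request: values are shown as escaped text
echo render_asset($pdo, '1 OR 1=1');  // not an integer: rejected before any query runs
```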

Answers

3

On line 88, you have:

echo "<tr<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>><td>Company:</td><td>"; 

It should be:

echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Company:</td><td>"; 

You repeat the error on lines 178 and 266.

4
echo "<tr<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>**>**<td>Company:</td><td>"; 
4

Take a look here:

echo "<tr<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>><td>Company:</td><td>"; 
    $company = $row['company']; 

Set your table border to 1 once in a while and you'll find this kind of thing much faster.

2

Hey, in the first while loop, on line 5, you have:

echo "<tr<td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>><td>Company:</td><td>"; 

As you can see, the tr tag is missing its > sign; this is the > displayed in your browser. Just correct the code:

echo "<tr><td>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td><td>Company:</td><td>"; 

and everything should be fine :)

Ladislav
