如何 $_POST 在 PHP 中动态分配的值? [英] How to $_POST a dynamically assigned value in PHP?
问题描述
我在 mySQL 中创建了一个表,其中包含诸如name"之类的字段.等等,我动态创建了几个 div(包含一个表单和一个按钮)相对于该表中有多少行.
看起来像这样:
0) {for ($x = 0; $x < $tabLength; $x++) {echo "<div class='data'><li class='data__item name-value'>>.$tab[$x][1] .</li>- <div class='data-modifiers'><form action='../extern/delete.ext.php' method='post'><输入类型='隐藏'名称=''.$tab[$x][1] ."'/><button type='submit' name='delete-submit' class='btn btn-link'>Delete</button></表单>
</div>";}}
现在我想要当我点击删除"时按钮它专门删除那个div.
事情是,因为输入的名称"属性是动态创建的(最终是Bob"、Frank"以及每个 div 输入的任何内容)我不知道如何在delete.ext.php 文件"上使用 $_POST.
这是我在 delete.ext.php 中的代码:
因此,例如,如果删除"我点击的按钮位于 div 中,该 div 包含一个带有动态创建的名称"的输入;弗兰克"的属性,我应该在 $_POST 中传递什么来有效地从 mySQL 表中有效地删除该行?
谢谢!
代码更新:
0) {for ($x = 0; $x < $tabLength; $x++) {echo "<div class='data'><li class='data__item name-value'>>.$tab[$x][1] .</li>- <div class='data-modifiers'><form action='../extern/delete.ext.php'方法='发布'><input type='hidden' name='name' value=''.$tab[$x][1] ."'/><button type='submit' name='delete-submit' class='btn btn-link'>Delete</button></表单>
</div>";}}
还有:
prepare($sql);$stmt->bind_param('s', $_POST['name']);$res = $stmt->execute();如果(!$res){header("位置:../persons/persons.php?error=sqlerror");退出;}其他{标头(位置:../persons/persons.php");退出();}}这是 dbh.ext.php 中的内容
不要把一些数据放在 name 属性中,而是让 name 属性成为你知道和使用的东西value 属性为未知数据,在本例中为名称.
所以
变成
SQL注入攻击问题,我们通过准备带有参数的查询然后绑定一个像这样的参数值prepare($sql);//将值绑定到参数$stmt->bind_param('s', $_POST['thename']);$res = $stmt->execute();如果(!$res){header("位置:../persons/persons.php?error=sqlerror");退出;}其他{标头(位置:../persons/persons.php");退出();}}
I created a table in mySQL that contains fields such as "name" etc, and I dynamically created several divs (containing a form and a button) relative to how many rows are in that table.
It looks like this :
<?php if ($tabLength > 0) {
for ($x = 0; $x < $tabLength; $x++) {
echo "<div class='data'>
<ul class='data__list bg-grey'>
<li class='data__item name-value'>" . $tab[$x][1] . "</li>
<li class='data__item'>
<div class='data-modifiers'>
<form action='../extern/delete.ext.php' method='post'>
<input type='hidden' name='" . $tab[$x][1] . "' />
<button type='submit' name='delete-submit' class='btn btn-link'>Delete</button>
</form>
</div>
</li>
</ul>
</div>";
}
}
Now I want that when I click the "Delete" button it delete specifically that div.
Thing is, since the inputs's "name" attributes are created dynamically (and which end up being "Bob", "Frank" and whatever for each div's input) I don't know how to use $_POST on the "delete.ext.php file.
Here's my code in delete.ext.php :
<?php
session_start();
if (isset($_POST["delete-submit"])) {
require "dbh.ext.php";
$name = $_POST[' --- what to put in here ? ---']
$sql = "DELETE FROM persons WHERE name='" . $name . "';";
$res = mysqli_query($conn, $sql);
if (!$res) {
header("Location: ../persons/persons.php?error=sqlerror");
exit();
} else {
header("Location: ../persons/persons.php");
exit();
}
}
So, for example, if the "Delete" button I'm clicking on is in the div which contains an input with a dynamically created "name" attribut of "Frank", what should I pass in $_POST to effectively delete specifically that row from the mySQL table ?
Thanks !
Code update :
<?php if ($tabLength > 0) {
for ($x = 0; $x < $tabLength; $x++) {
echo "<div class='data'>
<ul class='data__list bg-grey'>
<li class='data__item name-value'>" . $tab[$x][1] . "</li>
<li class='data__item'>
<div class='data-modifiers'>
<form action='../extern/delete.ext.php'
method='post'>
<input type='hidden' name='name' value='" . $tab[$x][1] . "' />
<button type='submit' name='delete-submit' class='btn btn-link'>Delete</button>
</form>
</div>
</li>
</ul>
</div>";
}
}
And :
<?php
session_start();
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST["delete-
submit"]))
{
require "dbh.ext.php";
$sql = "DELETE FROM persons WHERE name= ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param('s', $_POST['name']);
$res = $stmt->execute();
if (!$res) {
header("Location: ../persons/persons.php?error=sqlerror");
exit;
} else {
header("Location: ../persons/persons.php");
exit();
}
}
this is what's in dbh.ext.php
<?php
$servername = "localhost";
$dBUsername = "root";
$dBPassword = "";
$dBName = "ruchesdb";
$conn = mysqli_connect($servername, $dBUsername, $dBPassword, $dBName);
if(!$conn) {
die("Connection failed".mysqli_connect_error());
}
解决方案 Instead of placing some data in a name attribute, make the name attribute something you know and use the value attribute the unknown data, the name in this case.
So
<input type='hidden' name='" . $tab[$x][1] . "' />
becomes
<input type='hidden' name="thename" value='" . $tab[$x][1] . "' />
Now in the PHP you know what to look for. So all we need to fix now is the SQL Injection Attack issues, we do that by preparing the query with a parameter and then binding a value to the parameter like this
<?php
session_start();
if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST["delete-submit"]))
{
require "dbh.ext.php";
// add a parameter to the query and not a concatenated value
$sql = "DELETE FROM `persons` WHERE `name` = ?";
$stmt = $conn->prepare($sql);
// bind the value to the parameter
$stmt->bind_param('s', $_POST['thename']);
$res = $stmt->execute();
if (!$res) {
header("Location: ../persons/persons.php?error=sqlerror");
exit;
} else {
header("Location: ../persons/persons.php");
exit();
}
}
这篇关于如何 $_POST 在 PHP 中动态分配的值?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
