使用prepared语句在数据库中插入数据时出错

mrfwxfqh  于 2021-06-23  发布在  Mysql
关注(0)|答案(1)|浏览(327)

我正在为我的公司使用php和prepared语句的票证系统工作。添加票证时,应填写以下字段:
票证类型
票名
票证描述
请求的日期
请求的小时数
公司
就诊类型
优先
地位
指派的技术人员
这是有效的:1。您可以选择从数据库中提取的票证类型。2您可以从数据库中选择公司。三。您可以选择从数据库中提取的访问类型。4您可以选择从数据库中提取的技术人员。
问题是当你按下add ticket时,它不会向数据库中添加任何内容。
这是我的密码:
newticket.php文件

<?php
   $projects = ProjectData::getAll();
   $priorities = PriorityData::getAll();
   $ticket= TicketData::getAll();
   $statuses = StatusData::getAll();
   $kinds = KindData::getAll();
   $users = UserData::getAll();

   ?>
<div class="row">
   <div class="col-md-12">
      <div class="card">
         <div class="card-header" data-background-color="blue">
            <h4 class="title">Nuevo Ticket</h4>
         </div>
         <div class="card-content table-responsive">
            <form class="form-horizontal" role="form" method="post" action="./?action=addticket">
               <div class="form-group">
                  <label for="inputEmail1" class="col-lg-2 control-label">Tipo</label>
                  <div class="col-lg-10">
                     <select name="kind_id" class="form-control" required>
                        <?php foreach($kinds as $p):?>
                        <option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
                        <?php endforeach; ?>
                     </select>
                  </div>
               </div>
               <div class="form-group">
                  <label for="inputEmail1" class="col-lg-2 control-label">Titulo</label>
                  <div class="col-lg-10">
                     <input type="text" name="title" required class="form-control" id="inputEmail1" placeholder="Titulo">
                  </div>
               </div>
               <div class="form-group">
                  <label for="inputEmail1" class="col-lg-2 control-label">Descripcion</label>
                  <div class="col-lg-10">
                     <textarea class="form-control" name="description" required placeholder="Descripcion"></textarea>
                  </div>
               </div>
               <div class="form-group">
                  <label for="inputEmail1" class="col-lg-2 control-label">Fecha de la Visita</label>
                  <div class="col-lg-4">
                     <input name="date_at" id="date_at" class="form-control" type="date">
                  </div>
                  <label for="inputEmail1" class="col-lg-2 control-label">Hora de la Visita</label>
                  <div class="col-lg-4">
                     <input name="time_at" id="time_at" class="form-control" type="time" />
                  </div>
               </div>
               <div class="form-group">
                  <label for="inputEmail1" class="col-lg-2 control-label">Proyecto</label>
                  <div class="col-lg-4">
                     <select name="project_id" class="form-control" required>
                        <option value="">-- SELECCIONE --</option>
                        <?php foreach($projects as $p):?>
                        <option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
                        <?php endforeach; ?>
                     </select>
                  </div>
                  <label for="inputEmail1" class="col-lg-2 control-label">Categoria</label>
                  <div class="col-lg-4">
                     <select name="category_id" class="form-control" required>
                        <option value="">-- SELECCIONE --</option>
                        <?php foreach(CategoryData::getAll() as $p):?>
                        <option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
                        <?php endforeach; ?>
                     </select>
                  </div>
               </div>
               <div class="form-group">
                  <label for="inputEmail1" class="col-lg-2 control-label">Prioridad</label>
                  <div class="col-lg-4">
                     <select name="priority_id" class="form-control" required>
                        <option value="">-- SELECCIONE --</option>
                        <?php foreach($priorities as $p):?>
                        <option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
                        <?php endforeach; ?>
                     </select>
                  </div>
                  <label for="inputEmail1" class="col-lg-2 control-label">Estado</label>
                  <div class="col-lg-4">
                     <select name="status_id" class="form-control" required>
                        <?php foreach($statuses as $p):?>
                        <option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
                        <?php endforeach; ?>
                     </select>
                  </div>
               </div>
               <div class="form-group">
                  <label for="inputEmail1" class="col-lg-2 control-label">Asignar a</label>
                  <div class="col-lg-4">
                     <select name="tecnico_id" class="form-control" required>
                        <option value="">-- SELECCIONE --</option>
                        <?php foreach($users as $p):?>
                        <option value="<?php echo $p->id; ?>"><?php echo $p->name." ".$p->lastname; ?></option>
                        <?php endforeach; ?>
                     </select>
                  </div>
               </div>
               <div class="form-group">
                  <div class="col-lg-offset-2 col-lg-10">
                     <button type="submit" class="btn btn-default">Agregar Ticket</button>
                  </div>
               </div>
            </form>
         </div>
      </div>
   </div>
</div>

ticketdata.php文件

<?php
class TicketData {
    public static $tablename = "ticket";

    public function TicketData(){
        $this->name = "";
        $this->lastname = "";
        $this->email = "";
        $this->password = "";
        $this->date_at="";
        $this->time_at="";
        $this->tecnico_id="";
        $this->created_at = "NOW()";
    }
    public function getTicket(){ return TicketData::getById($this->ticket_id); }
    public function getProject(){ return ProjectData::getById($this->project_id); }
    public function getPriority(){ return PriorityData::getById($this->priority_id); }
    public function getStatus(){ return StatusData::getById($this->status_id); }
    public function getKind(){ return KindData::getById($this->kind_id); }
    public function getCategory(){ return CategoryData::getById($this->category_id); }

    public function add(){
        $sql = "insert into ticket (title,description,date_at,time_at,category_id,project_id,priority_id,user_id,status_id,kind_id,created_at,tecnico_id) ";
        $sql .= "value (\"$this->title\",\"$this->description\",\"$this->date_at\",\"$this->time_at\",\"$this->category_id\",\"$this->project_id\",$this->priority_id,$this->user_id,$this->status_id,$this->kind_id,$this->created_at,$this->tecnico_id)";
        return Executor::doit($sql);
    }

    public static function delById($id){
        $sql = "delete from ".self::$tablename." where id=$id";
        Executor::doit($sql);
    }
    public function del(){
        $sql = "delete from ".self::$tablename." where id=$this->id";
        Executor::doit($sql);
    }

// partiendo de que ya tenemos creado un objecto TicketData previamente utilizamos el contexto
    public function update(){
        $sql = "update ".self::$tablename." set title=\"$this->title\",category_id=\"$this->category_id\",date_at=\"$this->date_at\",time_at=\"$this->time_at\",tecnico_id=\"$this->tecnico_id\",project_id=\"$this->project_id\",priority_id=\"$this->priority_id\",description=\"$this->description\",status_id=\"$this->status_id\",kind_id=\"$this->kind_id\",updated_at=NOW() where id=$this->id";
        Executor::doit($sql);
    }

    public static function getById($id){
        $sql = "select * from ".self::$tablename." where id=$id";
        $query = Executor::doit($sql);
        return Model::one($query[0],new TicketData());
    }

    public static function getRepeated($pacient_id,$medic_id,$date_at,$time_at){
        $sql = "select * from ".self::$tablename." where pacient_id=$pacient_id and medic_id=$medic_id and date_at=\"$date_at\" and time_at=\"$time_at\"";
        $query = Executor::doit($sql);
        return Model::one($query[0],new TicketData());
    }

    public static function getByMail($mail){
        $sql = "select * from ".self::$tablename." where mail=\"$mail\"";
        $query = Executor::doit($sql);
        return Model::one($query[0],new TicketData());
    }

    public static function getEvery(){
        $sql = "select * from ".self::$tablename;
        $query = Executor::doit($sql);
        return Model::many($query[0],new TicketData()); 
    }

    public static function getEvents(){
        $sql = "select * from ".self::$tablename;
        $query = Executor::doit($sql);
        return Model::many($query[0],new TicketData());
    }

    public static function getAll(){
        $sql = "select * from ".self::$tablename." order by created_at desc";
        $query = Executor::doit($sql);
        return Model::many($query[0],new TicketData());
    }

    public static function getAllPendings(){
        $sql = "select * from ".self::$tablename." where status_id=1";
        $query = Executor::doit($sql);
        return Model::many($query[0],new TicketData());
    }

    public static function getAllByPacientId($id){
        $sql = "select * from ".self::$tablename." where pacient_id=$id order by created_at";
        $query = Executor::doit($sql);
        return Model::many($query[0],new TicketData());
    }

    public static function getAllByMedicId($id){
        $sql = "select * from ".self::$tablename." where medic_id=$id order by created_at";
        $query = Executor::doit($sql);
        return Model::many($query[0],new TicketData());
    }

    public static function getBySQL($sql){
        $query = Executor::doit($sql);
        return Model::many($query[0],new TicketData());
    }

    public static function getOld(){
        $sql = "select * from ".self::$tablename." where date(date_at)<date(NOW()) order by date_at";
        $query = Executor::doit($sql);
        return Model::many($query[0],new TicketData());
    }

    public static function getLike($q){
        $sql = "select * from ".self::$tablename." where title like '%$q%'";
        $query = Executor::doit($sql);
        return Model::many($query[0],new TicketData());
    }

}

?>

更新
对ticketdata.php做了细微的更改,更正了@smith和@nick的观察结果。它们看起来像这样:

class TicketData {
    public static $tablename = "ticket";
    public function TicketData(){
        $this->name = "";
        $this->title = "";
        $this->description= "";
        $this->lastname = "";
        $this->email = "";
        $this->password = "";
        $this->date_at="";
        $this->time_at="";
        $this->tecnico_id="";
        $this->created_at = "NOW()";
    }
    public function getProject(){ return ProjectData::getById($this->project_id); }
    public function getPriority(){ return PriorityData::getById($this->priority_id); }
    public function getStatus(){ return StatusData::getById($this->status_id); }
    public function getKind(){ return KindData::getById($this->kind_id); }
    public function getCategory(){ return CategoryData::getById($this->category_id); }
    public function add(){
        $sql = "insert into ticket (title,description,date_at,time_at,category_id,project_id,priority_id,user_id,status_id,kind_id,created_at,tecnico_id) ";
        $sql .= "values (\"$this->title\",\"$this->description\",\"$this->date_at\",\"$this->time_at\",\"$this->category_id\",\"$this->project_id\",\"$this->priority_id\",\"$this->user_id\",\"$this->status_id\",\"$this->kind_id\",\"$this->created_at\",\"$this->tecnico_id\")";
        return Executor::doit($sql);
    }

现在,它将保存以下字段:
票证类型( kind_id )
票名( title )
票证描述( description )
请求的日期( date_at )
请求的小时数( hour_at )
公司( project_id )
就诊类型( category_id )
优先权( priority_id )
状态( status_id )
它不会保存此字段:
指派的技术人员( tecnico_id )
addticket-action.php文件

<?php
        $r = new TicketData();
        $r->title = $_POST["title"];
        $r->description = $_POST["description"];
        $r->category_id = $_POST["category_id"];
        $r->project_id = $_POST["project_id"];
        $r->priority_id = $_POST["priority_id"];
        $r->user_id = $_SESSION["user_id"];
        $r->status_id = $_POST["status_id"];
        $r->kind_id = $_POST["kind_id"];
        $r->date_at = $_POST["date_at"];
        $r->time_at = $_POST["time_at"];
        $r->tecnico_id = $_POST["tecnico_id"];
        $r->created_at = $_POST["created_at"];
        $r->add();
        Core::alert("Successfully added!");
        Core::redir("./index.php?view=tickets");
 ?>

我想让一切工作之前,消毒和转换成一个适当的准备声明。要使脚本保存( date_at ) ( hour_at )以及( tecnico_id )田地?

w6lpcovy

w6lpcovy1#

提供一些日志或后端错误消息对于解决此问题非常有帮助。
不过,乍一看,最重要的是你并没有使用一个事先准备好的语句。您基本上是将一个字符串连接在一起以生成一个sql语句,这是非常糟糕的,原因有两个:
你很容易受到sql注入的攻击。例如,如果你把 ","",""); DROP TABLE ticket; -- 在您的标题字段中,有人可能会破坏您的票证表,因为您的代码没有对此进行检查。
你需要净化你的输入。如果title包含双引号,它将提前结束字符串输入,导致sql失败。
这是一个相当大的安全漏洞,所以堵上它,同时为自己节省一些输入净化的麻烦!如果您转换为prepared语句并且它可以工作,那么这可能是一个卫生处理问题。如果它仍然不起作用,在那里得到一些日志语句,让我们看看你有什么。
http://php.net/manual/en/mysqli.quickstart.prepared-statements.phphttps://www.w3schools.com/php/php_mysql_prepared_statements.asp

相关问题