On my main page, I want the following link to open a details page:
<td><a href="details.php?c_id=<?php echo $c_id ?>"><img src="./images/<?php echo $row['cfilename']; ?>" width="90" height="120" alt="" /></a></td>
details.php code:
<?php
$mysqli = new mysqli("localhost", "joseph", " ", "collectionsdb");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
// get value of object id that was sent from address bar
//$c_id = mysql_real_escape_string(c_id);
/* Create the prepared statement */
if ($stmt = $mysqli->prepare("SELECT c_id,ctitle,csubject,creference,cyear,cobjecttype,cmaterial,ctechnic,cwidth,cheight,cperiod,cmarkings,cdescription,csource,cartist,cfilename FROM collections WHERE c_id=$c_id")) {
/* Execute the prepared Statement */
$stmt->execute();
/* Bind results to variables */
$stmt->bind_result($c_id,$ctitle,$csubject,$creference,$cyear,$cobjecttype,$cmaterial,$ctechnic,$cwidth,$cheight,$cperiod,$cmarkings,$cdescription,$csource,$cartist,$cfilename);
/* fetch values */
while ($rows = $stmt->fetch()) {
// display records in a table
// and the table of results
?>
But when I click the link, details.php shows all of the data. I want it to show only the data for the specific $c_id. I don't know why it is not being passed to the details page. With the way I set up the WHERE condition, I get an undefined variable error for c_id.
Please, what am I missing?
Joseph
First
$mysqli = new mysqli("localhost", "joseph", " ", "collectionsdb");
You are passing a space as the database password. It should be
$mysqli = new mysqli("localhost", "joseph", "", "collectionsdb");
Second
Is the register_globals directive enabled in php.ini?
If it is enabled, the variable given in the query string is passed as $c_id. You can check whether register_globals is enabled by putting phpinfo() in that page. See here
If it is not enabled, you need to assign the query string variable's value to a variable, or pass the variable directly to the database.
Style 1:
$c_id = $_GET['c_id'];
$stmt = $mysqli->prepare("SELECT c_id,ctitle,csubject,creference,cyear,cobjecttype,cmaterial,ctechnic,cwidth,cheight,cperiod,cmarkings,cdescription,csource,cartist,cfilename FROM collections WHERE c_id=$c_id");
Style 2:
$stmt = $mysqli->prepare("SELECT c_id,ctitle,csubject,creference,cyear,cobjecttype,cmaterial,ctechnic,cwidth,cheight,cperiod,cmarkings,cdescription,csource,cartist,cfilename FROM collections WHERE c_id={$_GET['c_id']}");
Sanitize the value from the query string for style 1; style 2 is hackable. :)
Enabling the register_globals directive is bad. Advice: get the value from the query string, sanitize it, and pass it to the query.
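The answer's last point, carried through as an added example (not code from the question or the answer): details.php reading c_id explicitly from $_GET, validating it as an integer, and binding it as a prepared-statement parameter instead of interpolating it into the SQL string. Table and column names are the ones from the question; the connection credentials are placeholders.

```php
<?php
// Added example: the same query as in the question, with the id validated
// and bound as a parameter. Credentials below are placeholders.
$mysqli = new mysqli("localhost", "joseph", "", "collectionsdb");
if ($mysqli->connect_errno) {
    printf("Connect failed: %s\n", $mysqli->connect_error);
    exit();
}

// Read the id from the query string explicitly (no reliance on
// register_globals) and accept only a positive integer; anything else is
// rejected before it reaches the database. filter_input() returns null
// when the parameter is missing and false when validation fails.
$c_id = filter_input(INPUT_GET, 'c_id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($c_id === null || $c_id === false) {
    http_response_code(400);
    exit('Invalid or missing c_id');
}

// The SQL text holds only a placeholder; the value is sent separately,
// so it can never alter the structure of the query.
$sql = "SELECT c_id,ctitle,csubject,creference,cyear,cobjecttype,cmaterial,"
     . "ctechnic,cwidth,cheight,cperiod,cmarkings,cdescription,csource,cartist,cfilename"
     . " FROM collections WHERE c_id = ?";
if (!($stmt = $mysqli->prepare($sql))) {
    printf("Prepare failed: %s\n", $mysqli->error);
    exit();
}
$stmt->bind_param("i", $c_id);   // "i": bind as integer
$stmt->execute();

$stmt->bind_result($c_id, $ctitle, $csubject, $creference, $cyear, $cobjecttype,
    $cmaterial, $ctechnic, $cwidth, $cheight, $cperiod, $cmarkings, $cdescription,
    $csource, $cartist, $cfilename);

if ($stmt->fetch()) {
    // Escape on output too, so stored values cannot inject HTML into the page.
    printf("<h1>%s</h1>\n", htmlspecialchars($ctitle, ENT_QUOTES, 'UTF-8'));
    printf('<img src="./images/%s" width="90" height="120" alt="">' . "\n",
        htmlspecialchars($cfilename, ENT_QUOTES, 'UTF-8'));
} else {
    http_response_code(404);
    echo "No object with that id";
}
$stmt->close();
$mysqli->close();
```

Because the id is bound rather than interpolated, a request such as details.php?c_id=1 OR 1=1 is rejected by the integer check, and even a value that passed validation could only ever be compared against c_id, never executed as SQL.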