当试图在mySQL搜索中包含下拉选项时,我不断收到以下错误:警告:in_array()要求参数2为数组,在第24行给出布尔值
有人能帮忙吗?非常感谢!
搜索页面:
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>
<?php include("../includes/header-home.php"); ?>
<div class="container">
<div class="col=md-12">
<p><strong>Search:</strong></p>
<form name="form1" method="post" action="search_results.php">
<p><input name="search" type="text" size="40" maxlength="50"/></p>
<p><strong>Type:</strong></p>
<input type="checkbox" name="type[]" value="1"> Medalist</p>
<select name="medal[]">
<option value="1">Medal 1</option>
<option value="2">Medal 2</option>
<option value="3">Medal 3</option>
<option value="4">Medal 4</option>
<option value="5">Medal 5</option>
<option value="6">Medal 6</option>
<option value="7">Medal 7</option>
<option value="8">Medal 8</option>
</select>
<p><strong>Year:</strong></p>
<p><input name="search" type="text" size="40" maxlength="50"/></p>
<p><input type="submit" name="submit" value="Search" /></p>
</form>
</div></div>
<?php include($_SERVER['DOCUMENT_ROOT']."/includes/footer.php");?>
搜索结果页面:
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>
<?php
if (!isset ($_POST['search'])) {
header("Location:admin.php");
}
$search_sqli="SELECT * FROM profiles WHERE
(first_name LIKE '%".$_POST ['search']."%'
OR last_name LIKE '%".$_POST ['search']."%'
OR first_name2 LIKE '%".$_POST ['search']."%'
OR last_name2 LIKE '%".$_POST ['search']."%'
OR last_name2 LIKE '%".$_POST ['search']."%'
OR city LIKE '%".$_POST ['search']."%'
OR agency LIKE '%".$_POST ['search']."%'
OR subcomponent LIKE '%".$_POST ['search']."%'
OR team_name LIKE '%".$_POST ['search']."%'
OR achievement LIKE '%".$_POST ['search']."%'
OR profile LIKE '%".$_POST ['search']."%'
OR year LIKE '%".$_POST ['search']."%')"
. (isset($_POST['type']) && in_array('1', $_POST['type']) ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && in_array('1', (int)$_POST['medal'] > 0) ? " AND medal='".(int)$_POST['medal']."'" : "");
$search_query=mysqli_query($connection, $search_sqli);
if (mysqli_num_rows($search_query) !=0) {
$search_rs=mysqli_fetch_assoc($search_query);
}
?>
<?php include("../includes/header-home.php"); ?>
<div class="container">
<div class="col=md-12">
<p>Search:</p>
<form name="form1" method="post" action="search_results.php">
<input name="search" type="text" size="40" maxlength="50"/>
<input type="submit" name="submit" value="Search" />
</form>
<br />
<p><strong>Search Results:</strong></p>
<?php if (mysqli_num_rows($search_query) !=0) {
do {
?>
<p><ul>
<li><a href="view_profile.php?profile=<?php echo urlencode($search_rs["id"]); ?>"><?php echo $search_rs['first_name']; ?> <?php echo $search_rs['last_name']; ?> <?php echo $search_rs['first_name2']; ?> <?php echo $search_rs['last_name2']; ?></a></li></ul></p>
<?php } while ($search_rs=mysqli_fetch_assoc($search_query));
} else {
echo "No results found";
}
?>
<br />
<p> <a class="btn btn-default" href="search.php" role="button">Back to search</a></p>
</div></div>
<?php include($_SERVER['DOCUMENT_ROOT']."/includes/footer.php");?>
此处:in_array('1', $_POST['type'])
传递给in_array
的第二个参数不是数组。它是您发布为"type"的任何值,并且您在第二个实例中执行了类似的操作。我相信您可以将使用in_array的两行替换为:
. (isset($_POST['type']) && $_POST['type']=='1' ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && (int)$_POST['medal'] > 0 ? " AND medal='".(int)$_POST['medal']."'" : "");
我还建议重写代码的第一部分:
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>
<?php
if (!isset ($_POST['search'])) {
header("Location:admin.php");
}
为了避免重复的标记,也为了预处理这些变量,使代码更易于阅读和维护。我还建议将$_POST['medal']的类型限制为int
以避免强制转换,但在您的情况下可能不可能。
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");?>
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");?>
<?php
if (!isset ($_POST['search'])) {
header("Location:admin.php");
}
$search_sqli="SELECT * FROM profiles WHERE
(first_name LIKE '%".$_POST ['search']."%'
OR last_name LIKE '%".$_POST ['search']."%'
OR first_name2 LIKE '%".$_POST ['search']."%'
OR last_name2 LIKE '%".$_POST ['search']."%'
OR last_name2 LIKE '%".$_POST ['search']."%'
OR city LIKE '%".$_POST ['search']."%'
OR agency LIKE '%".$_POST ['search']."%'
OR subcomponent LIKE '%".$_POST ['search']."%'
OR team_name LIKE '%".$_POST ['search']."%'
OR achievement LIKE '%".$_POST ['search']."%'
OR profile LIKE '%".$_POST ['search']."%'
OR year LIKE '%".$_POST ['search']."%')"
. (isset($_POST['type']) && in_array('1', $_POST['type']) ? " AND medalist='1'" : "")
. (isset($_POST['medal']) && in_array('1', (int)$_POST['medal'] > 0) ? " AND medal='".(int)$_POST['medal']."'" : "");
$search_query=mysqli_query($connection, $search_sqli);
if (mysqli_num_rows($search_query) !=0) {
$search_rs=mysqli_fetch_assoc($search_query);
}
?>
<?php include("../includes/header-home.php"); ?>
将变成:
<?php require_once($_SERVER['DOCUMENT_ROOT']."/includes/session.php");
require_once($_SERVER['DOCUMENT_ROOT']."/includes/db_connection.php");
require_once($_SERVER['DOCUMENT_ROOT']."/includes/functions.php");
if (!isset ($_POST['search'])) { header("Location:admin.php"); }
$search = $_POST['search'];
$type = (isset($_POST['type']) ? "AND medalist = '1'" : "";
$medal = (isset($_POST['medal']) ? "AND medal = '{$_POST['medal']}' : "";
$search_sqli = "
SELECT * FROM profiles WHERE (
first_name LIKE '%{$search}%'
OR last_name LIKE '%{$search}%'
OR first_name2 LIKE '%{$search}%'
OR last_name2 LIKE '%{$search}%'
OR last_name2 LIKE '%{$search}%'
OR city LIKE '%{$search}%'
OR agency LIKE '%{$search}%'
OR subcomponent LIKE '%{$search}%'
OR team_name LIKE '%{$search}%'
OR achievement LIKE '%{$search}%'
OR profile LIKE '%{$search}%'
OR year LIKE '%{$search}%'
)
{type}
{$medal}
";
$search_query = mysqli_query($connection, $search_sqli);
if (mysqli_num_rows($search_query) !=0) {
$search_rs=mysqli_fetch_assoc($search_query);
}
include("../includes/header-home.php");
?>
我想你会发现这将更容易阅读和维护。这应该有效,但我还没有进行现场测试。如果你有任何问题,我很乐意帮助你。请注意评论中对你问题的建议。SQL注入是一个真正的危险,如果这是一个可访问互联网的页面,任何人都可以轻松访问你的数据库。即使是面向内部的,它也无法阻止恶意用户删除整个数据库,或插入未验证的数据,或查看数据库中可能存在的任何敏感数据。按照你的代码,我可以免费访问你的数据。mysqli确实支持几种停止注入的方法。
快速修复方法是进行以下更改:
(isset($_POST['medal']) && is_array($_POST['medal']) && in_array('1', $_POST['medal']) === true)
按照建议,您应该了解如何处理和过滤用户输入数据,并将其持久化到DB中。