我正在为我的公司使用php和prepared语句的票证系统工作。添加票证时,应填写以下字段:
票证类型
票名
票证描述
请求的日期
请求的小时数
公司
就诊类型
优先
地位
指派的技术人员
这是有效的:1。您可以选择从数据库中提取的票证类型。2您可以从数据库中选择公司。三。您可以选择从数据库中提取的访问类型。4您可以选择从数据库中提取的技术人员。
问题是当你按下add ticket时,它不会向数据库中添加任何内容。
这是我的密码:
newticket.php文件
<?php
$projects = ProjectData::getAll();
$priorities = PriorityData::getAll();
$ticket= TicketData::getAll();
$statuses = StatusData::getAll();
$kinds = KindData::getAll();
$users = UserData::getAll();
?>
<div class="row">
<div class="col-md-12">
<div class="card">
<div class="card-header" data-background-color="blue">
<h4 class="title">Nuevo Ticket</h4>
</div>
<div class="card-content table-responsive">
<form class="form-horizontal" role="form" method="post" action="./?action=addticket">
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Tipo</label>
<div class="col-lg-10">
<select name="kind_id" class="form-control" required>
<?php foreach($kinds as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Titulo</label>
<div class="col-lg-10">
<input type="text" name="title" required class="form-control" id="inputEmail1" placeholder="Titulo">
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Descripcion</label>
<div class="col-lg-10">
<textarea class="form-control" name="description" required placeholder="Descripcion"></textarea>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Fecha de la Visita</label>
<div class="col-lg-4">
<input name="date_at" id="date_at" class="form-control" type="date">
</div>
<label for="inputEmail1" class="col-lg-2 control-label">Hora de la Visita</label>
<div class="col-lg-4">
<input name="time_at" id="time_at" class="form-control" type="time" />
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Proyecto</label>
<div class="col-lg-4">
<select name="project_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach($projects as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
<label for="inputEmail1" class="col-lg-2 control-label">Categoria</label>
<div class="col-lg-4">
<select name="category_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach(CategoryData::getAll() as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Prioridad</label>
<div class="col-lg-4">
<select name="priority_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach($priorities as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
<label for="inputEmail1" class="col-lg-2 control-label">Estado</label>
<div class="col-lg-4">
<select name="status_id" class="form-control" required>
<?php foreach($statuses as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<label for="inputEmail1" class="col-lg-2 control-label">Asignar a</label>
<div class="col-lg-4">
<select name="tecnico_id" class="form-control" required>
<option value="">-- SELECCIONE --</option>
<?php foreach($users as $p):?>
<option value="<?php echo $p->id; ?>"><?php echo $p->name." ".$p->lastname; ?></option>
<?php endforeach; ?>
</select>
</div>
</div>
<div class="form-group">
<div class="col-lg-offset-2 col-lg-10">
<button type="submit" class="btn btn-default">Agregar Ticket</button>
</div>
</div>
</form>
</div>
</div>
</div>
</div>ticketdata.php文件
<?php
class TicketData {
public static $tablename = "ticket";
public function TicketData(){
$this->name = "";
$this->lastname = "";
$this->email = "";
$this->password = "";
$this->date_at="";
$this->time_at="";
$this->tecnico_id="";
$this->created_at = "NOW()";
}
public function getTicket(){ return TicketData::getById($this->ticket_id); }
public function getProject(){ return ProjectData::getById($this->project_id); }
public function getPriority(){ return PriorityData::getById($this->priority_id); }
public function getStatus(){ return StatusData::getById($this->status_id); }
public function getKind(){ return KindData::getById($this->kind_id); }
public function getCategory(){ return CategoryData::getById($this->category_id); }
public function add(){
$sql = "insert into ticket (title,description,date_at,time_at,category_id,project_id,priority_id,user_id,status_id,kind_id,created_at,tecnico_id) ";
$sql .= "value (\"$this->title\",\"$this->description\",\"$this->date_at\",\"$this->time_at\",\"$this->category_id\",\"$this->project_id\",$this->priority_id,$this->user_id,$this->status_id,$this->kind_id,$this->created_at,$this->tecnico_id)";
return Executor::doit($sql);
}
public static function delById($id){
$sql = "delete from ".self::$tablename." where id=$id";
Executor::doit($sql);
}
public function del(){
$sql = "delete from ".self::$tablename." where id=$this->id";
Executor::doit($sql);
}
// partiendo de que ya tenemos creado un objecto TicketData previamente utilizamos el contexto
public function update(){
$sql = "update ".self::$tablename." set title=\"$this->title\",category_id=\"$this->category_id\",date_at=\"$this->date_at\",time_at=\"$this->time_at\",tecnico_id=\"$this->tecnico_id\",project_id=\"$this->project_id\",priority_id=\"$this->priority_id\",description=\"$this->description\",status_id=\"$this->status_id\",kind_id=\"$this->kind_id\",updated_at=NOW() where id=$this->id";
Executor::doit($sql);
}
public static function getById($id){
$sql = "select * from ".self::$tablename." where id=$id";
$query = Executor::doit($sql);
return Model::one($query[0],new TicketData());
}
public static function getRepeated($pacient_id,$medic_id,$date_at,$time_at){
$sql = "select * from ".self::$tablename." where pacient_id=$pacient_id and medic_id=$medic_id and date_at=\"$date_at\" and time_at=\"$time_at\"";
$query = Executor::doit($sql);
return Model::one($query[0],new TicketData());
}
public static function getByMail($mail){
$sql = "select * from ".self::$tablename." where mail=\"$mail\"";
$query = Executor::doit($sql);
return Model::one($query[0],new TicketData());
}
public static function getEvery(){
$sql = "select * from ".self::$tablename;
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getEvents(){
$sql = "select * from ".self::$tablename;
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAll(){
$sql = "select * from ".self::$tablename." order by created_at desc";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAllPendings(){
$sql = "select * from ".self::$tablename." where status_id=1";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAllByPacientId($id){
$sql = "select * from ".self::$tablename." where pacient_id=$id order by created_at";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getAllByMedicId($id){
$sql = "select * from ".self::$tablename." where medic_id=$id order by created_at";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getBySQL($sql){
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getOld(){
$sql = "select * from ".self::$tablename." where date(date_at)<date(NOW()) order by date_at";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
public static function getLike($q){
$sql = "select * from ".self::$tablename." where title like '%$q%'";
$query = Executor::doit($sql);
return Model::many($query[0],new TicketData());
}
}
?>更新
对ticketdata.php做了细微的更改,更正了@smith和@nick的观察结果。它们看起来像这样:
class TicketData {
public static $tablename = "ticket";
public function TicketData(){
$this->name = "";
$this->title = "";
$this->description= "";
$this->lastname = "";
$this->email = "";
$this->password = "";
$this->date_at="";
$this->time_at="";
$this->tecnico_id="";
$this->created_at = "NOW()";
}
public function getProject(){ return ProjectData::getById($this->project_id); }
public function getPriority(){ return PriorityData::getById($this->priority_id); }
public function getStatus(){ return StatusData::getById($this->status_id); }
public function getKind(){ return KindData::getById($this->kind_id); }
public function getCategory(){ return CategoryData::getById($this->category_id); }
public function add(){
$sql = "insert into ticket (title,description,date_at,time_at,category_id,project_id,priority_id,user_id,status_id,kind_id,created_at,tecnico_id) ";
$sql .= "values (\"$this->title\",\"$this->description\",\"$this->date_at\",\"$this->time_at\",\"$this->category_id\",\"$this->project_id\",\"$this->priority_id\",\"$this->user_id\",\"$this->status_id\",\"$this->kind_id\",\"$this->created_at\",\"$this->tecnico_id\")";
return Executor::doit($sql);
}现在,它将保存以下字段:
票证类型( kind_id )
票名( title )
票证描述( description )
请求的日期( date_at )
请求的小时数( hour_at )
公司( project_id )
就诊类型( category_id )
优先权( priority_id )
状态( status_id )
它不会保存此字段:
指派的技术人员( tecnico_id )
addticket-action.php文件
<?php
$r = new TicketData();
$r->title = $_POST["title"];
$r->description = $_POST["description"];
$r->category_id = $_POST["category_id"];
$r->project_id = $_POST["project_id"];
$r->priority_id = $_POST["priority_id"];
$r->user_id = $_SESSION["user_id"];
$r->status_id = $_POST["status_id"];
$r->kind_id = $_POST["kind_id"];
$r->date_at = $_POST["date_at"];
$r->time_at = $_POST["time_at"];
$r->tecnico_id = $_POST["tecnico_id"];
$r->created_at = $_POST["created_at"];
$r->add();
Core::alert("Successfully added!");
Core::redir("./index.php?view=tickets");
?>我想让一切工作之前,消毒和转换成一个适当的准备声明。要使脚本保存( date_at ) ( hour_at )以及( tecnico_id )田地?
1条答案
按热度按时间w6lpcovy1#
提供一些日志或后端错误消息对于解决此问题非常有帮助。
不过,乍一看,最重要的是你并没有使用一个事先准备好的语句。您基本上是将一个字符串连接在一起以生成一个sql语句,这是非常糟糕的,原因有两个:
你很容易受到sql注入的攻击。例如,如果你把
","",""); DROP TABLE ticket; --在您的标题字段中,有人可能会破坏您的票证表,因为您的代码没有对此进行检查。你需要净化你的输入。如果title包含双引号,它将提前结束字符串输入,导致sql失败。
这是一个相当大的安全漏洞,所以堵上它,同时为自己节省一些输入净化的麻烦!如果您转换为prepared语句并且它可以工作,那么这可能是一个卫生处理问题。如果它仍然不起作用,在那里得到一些日志语句,让我们看看你有什么。
http://php.net/manual/en/mysqli.quickstart.prepared-statements.phphttps://www.w3schools.com/php/php_mysql_prepared_statements.asp