如您所见,我添加了“添加服务相关问题”部分,当管理员单击加号图标时,它会附加问题的输入框1次单击等于1个输入框,因此管理员可以在需要该服务时添加多个问题但这些问题不会进入数据库。 这是它的图片:
现在此代码中包含其他服务,管理员可以编辑这些服务,如您在第一张和第二张图片中看到的那样。第一个显示在主页中创建的服务,第二个显示从管理员端创建的服务,他可以通过单击
操作列中的管理按钮来编辑这些服务(参见第二张图片) 当管理员单击管理按钮时,他会看到以下屏幕:
动态添加和删除表单问题部分(我复制并对其进行了一些修改,以便我可以在创建服务时添加添加服务相关问题部分) 现在,棘手的部分来了,至少对我来说,首先查看
aaa gst服务,当我单击“立即申请”按钮时,它没有任何问题: 当我从管理员端单击“aaa gst
”上的“管理”(第 5 张图)并添加几个问题并单击“保存”时,它会添加到数据库中并显示在该特定服务页面中。有2张图片可以解释这个说法。第一:
& 第二: 代码:
if(isset($_POST['submit'])){
$categorya = validate($_POST['category']);
$namea = validate($_POST['name']);
$servicecosta = validate($_POST['servicecost']);
$cashback = validate($_POST['cashback']);
$advancea = validate($_POST['advance']);
$advancepercentagea = validate($_POST['advancepercentage']);
$serviceduedaysa = validate($_POST['serviceduedays']);
$paymentduedaysa = validate($_POST['paymentduedays']);
$servicetypea = validate($_POST['servicetype']);
if( isset($_FILES['pic']["name"]) && isset($_FILES['pic']["tmp_name"]) )
{
$pic = array();
$pic = $_FILES['pic']["name"];
$pic = explode(' ', $pic);
$pic = array_values(array_filter($pic));
$pic_temp = array();
$pic_temp = $_FILES['pic']["tmp_name"];
$pic_temp = explode(' ', $pic_temp);
$pic_temp = array_values(array_filter($pic_temp));
$z=$_FILES['pic']["name"];
for($i=0;$i<count($pic);$i++)
{
$my_ext1 = pathinfo( $pic[$i], PATHINFO_EXTENSION ); if( $my_ext1=='jpg' || $my_ext1=='png' || $my_ext1=='jpeg' || $my_ext1=='gif' ) {
$final_name1 = $z;//.'.'.$my_ext1;
move_uploaded_file($pic_temp[$i],"../images/".$final_name1);
} }
if(isset($final_name1)) {
$photo = $final_name1;
}else{$photo ='';} }
//Incorrect double value: '' for column `efillings`.`service`.`duepay` at row 1
$sql =mysqli_query($con,"INSERT INTO `service`(`catid`, `name`, `cost`, `cashback`,`advrequired`, `advper`, `duedays`, `duepay`, `type`, `pic`) VALUES ('".$categorya."','".$namea."','".$servicecosta."','".$cashback."','".$advancea."','".$advancepercentagea."','".$serviceduedaysa."','".$paymentduedaysa."','".$servicetypea."','".$photo."')")or die(mysqli_error($con));
$lid=mysqli_insert_id($con);
if (isset($_POST['documents'])) {
foreach ($_POST['documents'] as $key => $value) {
$sql=mysqli_query($con,"INSERT INTO `servicedoc`(`serviceid`, `document`) VALUES ('$lid','$value')");
}
}
if($sql>0){echo "<script>window.open('service?success','_self')</script>";
}else{echo "<script>alert('Server Busy');window.open('service?failed','_self')</script>";
}}
这是输入字段代码:
<form action="#" method="post" enctype="multipart/form-data">
<div class="row" style="margin-top: 20px; margin-left: 5px;margin-right: 5px">
<div class=col-sm-3>
<div class="form-group mb-10">
<label>Service Category :<span style="color:red"></span></label>
<select class="form-control" name="category" required="required">
<?php $service=mysqli_query($con,"SELECT `id`, `cast` FROM `cat` ORDER BY `cast` ASC");while($runservice=mysqli_fetch_array($service)){?>
<option value="<?php echo $runservice['id']; ?>"><?php echo ucwords($runservice['cast']); ?></option>
<?php }?>
</select>
</div>
</div>
<div class=col-sm-6>
<div class="form-group mb-10">
<label> Service Name<span style="color:red">*</span></label>
<input type="text" class="form-control" name="name" maxlength="225" required placeholder="Enter Here" />
</div>
</div>
<div class=col-sm-3>
<div class="form-group mb-10">
<label> Service Cost<span style="color:red">*</span></label>
<input type="text" pattern="[0-9]+" class="form-control" name="servicecost" maxlength="10" required placeholder="Enter Here" />
</div>
<div class="form-group mb-10">
<label>Distribution Amt<span style="color:red">*</span></label>
<input type="text" pattern="[0-9]+" class="form-control" name="cashback" maxlength="10" required placeholder="Enter Here" />
</div>
</div>
<div class=col-sm-5>
<div class="form-group mb-10">
<label> Advance Required </label>
<select class="form-control" name="advance">
<option value="yes">Yes</option>
<option value="no">No</option></select>
</div>
</div>
<div class=col-sm-4>
<div class="form-group mb-10">
<label>Advance Percentage <small>(Fill Number only)</small></label>
<input type="text" pattern="[0-9]+" class="form-control" name="advancepercentage" placeholder="Enter Here"/>
</div>
</div>
<div class=col-sm-4>
<div class="form-group mb-10">
<label>Service Due Days (Fill Number only)</label>
<input type="text" pattern="[0-9]+" class="form-control" name="serviceduedays" placeholder="Enter Here" />
</div>
</div>
<div class=col-sm-4>
<div class="form-group mb-10">
<label>Payment Due Days (Fill Number only)</label>
<input type="text" pattern="[0-9]+" class="form-control" name="paymentduedays" placeholder="Enter Here" />
</div>
</div><div class=col-sm-3>
<div class="form-group mb-10">
<label>Image</label>
<input type="file" name="pic">
</div>
</div>
<div class=col-sm-12></div>
<div class=col-sm-4>
<div class="form-group mb-10">
<label>Service Type</label>
<select class="form-control" name="servicetype">
<option value="onetime">One Time</option>
<option value="recurrent">Recurrent</option>
</select>
</div>
</div>
<div class=col-sm-8>
<div class="form-group mb-10">
<label>Required Documents:<span style="color:red"></span></label>
<select class="form-control select2" multiple="multiple" data-placeholder="Select Documents" style="width: 100%;" name="documents[]" id="documentlist">
<?php
$dcs=mysqli_query($con,"SELECT `name`, `type`FROM `documentlist` ORDER BY `name` ASC");while($doctsrun=mysqli_fetch_array($dcs)){?>
<option value="<?php echo ucwords($doctsrun['name']); ?>"><?php echo ucwords($doctsrun['name']); //echo ucwords($doctsrun['type']);?></option>
<?php }?></select></div>
<div id="result"></div></div></div>
<!-- Dynamic Questions From Admin -->
<strong> Add Service Related Questions <button id="rowwAdder" type="button" class="btn btn-dark">
<span class="bi bi-plus-square-dotted">
</span> <i class="fa fa-plus"></i>
</button></strong>
<div class="">
<div id="newinput"></div>
<div align="center" style="padding-top:3%;"> <input type="submit" class="btn btn-info" name="submit"></div>
</form>
所有告诉我它对 SQL 注入开放的人都知道这一点:我知道这一点,但这是为了我的公司,当我告诉他们这件事时,他们说就让它解决问题,不要担心注入。
我添加的代码是这样的:
if (isset($_POST['multi_question'])) {
$category_id = validate($_POST['category']);
$service_id = $lid;
foreach ($_POST['multi_question'] as $key => $value) {
$question = addslashes(validate($value));
$in_question = mysqli_query($con, 'INSERT INTO form_question
(question, cat_id, service_id) VALUES ("' . $question . '","' .
$category_id . '", "' . $service_id . '")');
}
}