请问这段代码有什么问题吗?
我正在使用它向数据库中添加一些数据,但在尝试插入时我会变空$toid
和$toname
。
这是表格。变量$toid
和$toname
在这里可以。
//write new message
if (isset($_GET['action']) && $_GET['action'] == compose) {
if (isset($_GET['toid'])) {
$toid = $_GET['toid'];
$tosql = "select * from authors where id =".$toid."";
$toquery = mysql_query($tosql,$connection) or die(mysql_error());
$torow = mysql_fetch_array($toquery);
$toname = $torow['displayname'];
if (isset($_GET['subject'])) { $subject = $_GET['subject']; }
if (isset($_GET['message'])) {
$message = $_GET['message'];
echo "<h3>Replying</h3>
<table>
<tr>
<td colspan='2'>Replying to ".$toname.".</td>
</tr>
<tr>
<td colspan='2'>".$subject."".nl2br($message)."<br />
</td>
</tr>
</table><br />Type your answer:<br /><br />";
} else { echo "New message"; }
echo "<form action=\"mail.php?action=send\" method=post>
<table>
<tr>
<td>To:</td><td><input type=\"text\" name=\"to\" size=\"50\" value=\"".$toname."\"></td>
</tr>
<tr>
<td>Title:</td><td><input type=text name=subject size=50 value=".$subject."></td>
</tr>
<tr>
<td valign=\"top\">Message:</td><td><textarea rows=\"10\" cols=\"70\" name=\"message\"></textarea></td>
</tr>
<tr>
<td align=\"right\" colspan=\"2\"><input id=\"submitstyle\" type=\"submit\" value=\"Enviar Mensagem\"></td>
</tr>
</table>
</form>";
}
}
以下是将消息插入数据库的代码,此处$toid
和$toname
为空。它可以从上面的表格中找回来,对吗?
//send message
if (isset($_GET['action']) && $_GET['action'] == send) {
if ($subject == "" || $message == "") {
header('Location: mail.php?action=compose&toid='.$toid.'&subject=\''.$subject.'\'&sendpm=false');
exit();
}
$date = DATE(YmdHis);
echo $userid."from<br />to".$toid."<br />toname".$toname;
$sendsql = "INSERT INTO mail (sender, reciever, subject, message, created_at, status, sender_deleted, reciever_deleted)
VALUES (".$userid.", ".$toid.", ".$subject.", ".$message.", ".$date.",unread, 0, 0)";
$sendquery = mysql_query($sendsql,$connection) or die(mysql_error());
echo "<div class=\"alert\" style=\"text-align: center; margin-top: 13px;\"><b>Mensagem particular enviada com sucesso!</b></div>
<br /><table align=\"center\" width=\"75%\" class=\"sortable\">
<tr>
<td colspan='2' style=\"text-align:center;font-weight:normal;\">Mensagem particular enviada para ".$toname.".</td>
</tr>
<tr>
<td colspan='2'>
Title: ".$subject."
Message: ".nl2br($message)."
</td>
</tr>
</table>";
}
我也在第2行得到了这个sql错误You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' RE: assunto3, 3, 20121017023723,unread, 0, 0)'
因为提到的空变量而我认为它。
答案 0 :(得分:1)
首先,您需要将这些变量作为隐藏的表单值传递:http://www.echoecho.com/htmlforms07.htm
然后你需要通过$ _POST从表单中获取变量。
尝试$ toid = $ _POST ['toid']和$ toname = $ _POST ['toname']。但要注意SQL注入:http://php.net/manual/en/security.database.sql-injection.php
不要只是从$ _POST盲目接受价值观。请务必先验证并过滤它们。
或者如果用户不能改变toid / toname,为什么不为他们重新查询呢?
答案 1 :(得分:1)
您需要转义INSERT
值,并将字符串放在引号中:
$sendsql = 'INSERT INTO mail (sender, reciever, subject, message, created_at, status, sender_deleted, reciever_deleted)
VALUES ("'.mysql_real_escape_string($userid).'", "'.mysql_real_escape_string($toid).'", "'.mysql_real_escape_string($subject).'", "'.mysql_real_escape_string($message).'", "'.mysql_real_escape_string($date).'","unread", 0, 0)';
此外,请确保始终转义在$ _GET或$ _POST的SQL查询中立即使用的值。否则,您最有可能遇到SQL注入
答案 2 :(得分:1)
你需要在php中编写SQL语句:
$tosql = "select * from authors where id ='$toid'";
和
$sendsql = "INSERT INTO mail (sender, reciever, subject, message, created_at, status, sender_deleted, reciever_deleted)
VALUES ('$userid', '$toid', '$subject', '$message', '$date', 'unread', 0, 0)";
我认为这会对你有所帮助。