这是测试代码,我知道sql注入以及如何修复它们。这是一个很长的问题需要解释,所以我会尽力而为。
这些是我数据库中的列
contentid (auto increments with every post, comment, and reply)
hostid (gets the value of the person who uploaded the original post)
postid (gets the value of the post, auto increments with every post)
userid (gets the value of the person who commented or replied)
date (gets the current time)
title (gets the title of the post entered by the host)
description (gets the description of the post entered by the host)
fileid (describes the type of post ex. video, picture, or blog)
commentid (auto increments with every comment)
comment (the actual comment entered by a user)
replyid (auto increments with every reply)
reply (the actual reply entered by a user)
我正在开发一个帖子系统,该系统将允许用户发布内容,然后评论帖子或回复帖子中的评论。我有一个名为posts的数据库,其中包含所有帖子的评论和回复。如果数据库中没有与帖子具有相同postid值的评论,则不应回显任何内容。如果数据库中没有与之前的评论具有相同postid和commentid的回复,则不应回显任何内容。
换句话说,如果没有评论或回复,则不会弹出任何内容。我看到了实际的帖子,但是数据库中没有出现评论和答复,没有任何想法吗?
我的代码
function getPost($conn) {
$userName = $_GET["user"];
$postid = $_GET["post"];
$usersql = "SELECT * FROM users WHERE userName = '$userName'";
$userresult = mysqli_query($conn, $usersql);
while ($userrow = mysqli_fetch_assoc($userresult)) {
$hostid = $userrow['userid'];
$postsql = "SELECT * FROM posts WHERE hostid = '$hostid' AND postid = '$postid' AND commentid = 0";
$postresult = mysqli_query($conn, $postsql);
while ($postrow = mysqli_fetch_assoc($postresult)) {
if (mysqli_num_rows($postresult)==0) {
echo '
<p>Error. Post does not exist.</p>
';
}
else {
$title = $postrow['title'];
$description = $postrow['description'];
$filename = "posts/".$hostid."/".$postid.".*";
$fileinfo = glob($filename);
$fileext = explode(".", $fileinfo[0]);
$fileactualext = $fileext[1];
echo '
<div class="PostPage">
<p>
'.$postrow['title'].'<br>
<img src="posts/'.$hostid.'/'.$postid.'.'.$fileactualext.'"><br>
'.$postrow['date'].'<br>
'.$postrow['description'].'
</p>
</div>
';
// this part of the code I can't get to show up on the website
$commentsql = "SELECT * FROM posts WHERE hostid = '$hostid' AND postid = 'postid' AND commentid > 0 AND replyid = 0";
$commentresult = mysqli_query($conn, $commentsql);
while ($commentrow = mysqli_fetch_assoc($commentresult)) {
if (mysqli_num_rows($commentresult)==0) {
echo '
<p>There are no Comments.</p>
';
}
else {
echo '
<div class="PostComments">
<p>
'.$commentrow['comment'].'
</p>
</div>
';
$currentcommentid = $commentrow['commentid'];
$replysql = "SELECT * FROM posts WHERE hostid = '$hostid' AND postid = '$postid' AND commentid = '$currentcommentid' AND replyid > 0";
$replyresult = mysqli_query($conn, $repysql);
while ($replyrow = myslqi_fetch_assoc($replyresult)) {
if (mysqli_num_rows($replyresult)==0) {
echo '';
}
else {
echo '
<div class="PostReplies">
<p>
'.$replyrow['reply'].'
</p>
</div>
';
}
}
}
}
}
}
}
}
如果您还有其他问题,我将很乐意回答。
答案 0 :(得分:0)
这部分... AND postid = 'postid' AND ...应该是... AND postid = '$postid' AND ...
您的查询正在查找具有 postid ==(字符串)“ postid” 的记录 postid ==($ postid的值),如您所愿。