Question

我创建了一个文字发布网站。除了post.php页面上的帖子，我想让用户在键入www.mywebsite.com/post.php?name=MyName&body=MyText时发帖。我该怎么做？

邮政编码如下：

  <?php


  //insert category to database
  if(isset($_POST['qty'])) {
    // Fetch and clean the <select> value.
    // The (int) makes sure the value is really a integer.
    $qty = (int)$_POST['qty'];


    // Create the INSERT query.
    $sql = "INSERT INTO `table`(`quantity`)
            VALUES ({$qty})";

    // Connect to a database and execute the query.
    $dbLink = mysql_connect('MyServer', 'username', 'password') or die(mysql_error());
              mysql_select_db('database_name', $dbLink) or die(mysql_errno());

    $result = mysql_query($sql);

    // Check the results and print the appropriate message.
    if($result) {
        echo "Record successfully inserted!";
    }
    else {
        echo "Record not inserted! (". mysql_error() .")";
    }
}



     if ($_POST['post'])
{
    //get data
    $title = $_POST['title'];
    $body = $_POST['body'];

    //check for existance
    if ($title&&$body)
    {
        mysql_connect("MyServer","username","password") or die(mysql_error());
        mysql_select_db("database_name") or die(mysql_error());

        $date = date("Y-m-d");

        //insert data
        $insert = mysql_query("INSERT INTO news VALUES ('','$title','$body','$date')") or die(mysql_error());

        die("Your text has been posted!");

    }
    else
        echo "Please fill out your name and text";
}
?>

Answer 1

您将需要对查询字符串中的数据使用$ _GET而不是POST。

//get data
$title = $_GET['title']; // or name if it's name
$body = $_GET['body'];

Answer 2

尝试使用$ _REQUEST - 它包含您发布到脚本的所有数据（来自$ _GET，$ _POST和$ _COOKIE全局数组）

Answer 3

第一个建议是，尽可能避免基于查询字符串的直接查询！这是一个巨大的安全问题。

此外，您提供的代码可能存在许多安全漏洞和问题。

无论何时通过$ _COOKIE，$ _POST或$ _GET调用变量并在查询中使用它，尽可能使用MySQLI / PDO Prepared语句，或者至少使用mysql_real_escape_string。这将尝试清理进入数据库的数据。

此外，您正在从url / query字符串中获取参数，将POST更改为GET。

此外，您的话说：

if($_GET['post'])

总是会失败，你的url中没有一个名为post的参数。要做到这一点，它需要看起来像：

post.php?post&name=MyName&body=MyText?)

见下文：

<?php

//insert category to database
// makes sure qty is numeric # added by sixeightzero
if(isset($_GET['qty']) && is_numeric($_GET['qty'])) {
// Fetch and clean the <select> value.
// The (int) makes sure the value is really a integer.
$qty = (int)$_GET['qty'];


// Create the INSERT query.
$sql = "INSERT INTO `table`(`quantity`)
        VALUES ({$qty})";

// Connect to a database and execute the query.
$dbLink = mysql_connect('MyServer', 'username', 'password') or die(mysql_error());
          mysql_select_db('database_name', $dbLink) or die(mysql_errno());

$result = mysql_query(mysql_real_escape_string($sql));     
// sanitizes input # added by sixeightzero

// Check the results and print the appropriate message.
if($result) {
    echo "Record successfully inserted!";
}
else {
    echo "Record not inserted! (". mysql_error() .")";
}
}



if (!isset($_GET['name']) && !isset($_GET['body'])){

//get data
$title = $_GET['name'];
$body = $_GET['body'];

//check for existance
if ($title && $body)
{
    mysql_connect("MyServer","username","password") or die(mysql_error());
    mysql_select_db("database_name") or die(mysql_error());

    $date = date("Y-m-d");

    //insert data
    $insert = mysql_query("INSERT INTO news VALUES ('','".mysql_real_escape_string($title)."','".mysql_real_escape_string($body)."','".mysql_real_escape_string($date)."')") or die(mysql_error());
    // sanitizes input # added by sixeightzero

    die("Your text has been posted!");

}
else
    echo "Please fill out your name and text";
}
?>

Answer 4

这是完整的源代码！尝试使用此

  <?php


  //insert category to database
  if(isset($_POST['qty'])) {
    // Fetch and clean the <select> value.
    // The (int) makes sure the value is really a integer.
    $qty = (int)$_POST['qty'];


    // Create the INSERT query.
    $sql = "INSERT INTO `table`(`quantity`)
            VALUES ({$qty})";

    // Connect to a database and execute the query.
    $dbLink = mysql_connect('MyServer', 'username', 'password') or die(mysql_error());
              mysql_select_db('database_name', $dbLink) or die(mysql_errno());

    $result = mysql_query($sql);

    // Check the results and print the appropriate message.
    if($result) {
        echo "Record successfully inserted!";
    }
    else {
        echo "Record not inserted! (". mysql_error() .")";
    }
}



     if ($_SERVER['REQUEST_METHOD'] == "GET") //check whether its a GET method
{
    //get data, since you know that a valid "GET" request was sent
    $title = $_REQUEST['title'];
    $body = $_REQUEST['body'];


    if (isset($title) && isset($body)) //check for existance
    {
        mysql_connect("MyServer","username","password") or die(mysql_error());
        mysql_select_db("database_name") or die(mysql_error());

        $date = date("Y-m-d");

        //insert data
        $insert = mysql_query("INSERT INTO news VALUES ('','$title','$body','$date')") or die(mysql_error());

        die("Your text has been posted!");

    }
    else
        echo "Please fill out your name and text";
}
?>

Answer 5

$_REQUEST基本上是array_merge($_GET,$_POST,$_COOKIE)的结果，因此您可以使用它来获取可能是GET或POST变量的值。

在浏览器中启用发布（post.php？name = MyName＆amp; body = MyText？）

5 个答案: