我有2个php页面:editpost.php只是生成一个表单来编辑用户评论。 addcomment.php,在这种情况下应该更新该帖子的mysql。它只是测试是否设置了$ _GET ['edit']和正确的变量。出于某种原因,它从未读过真实。我在safari中检查了editpost.php的'view source',它看起来很好。
editpost.php:
<?php
require_once('checklogin.php');
//require_once('text_encode.php');
//die("Made it past require once");
if(isset($_SESSION['user'])&&isset($_GET['id']))
{
//die("made it past if statement");
$con = mysql_connect('localhost','REDACTED','REDACTED');
mysql_select_db('dancks_db',$con);
$q = mysql_query(sprintf("SELECT userID FROM UserTable WHERE nick='%s'",$_SESSION['user']),$con) or die(mysql_error());
if(mysql_num_rows($q)!=1)
{
//die("1");
redir();
}
else
{
$match = array(); $match2=array();
preg_match("/[0-9]{1,5}/",$_GET['id'],$match);
//preg_match("/[0-1]{1,1}/",$GET['type'],$match2);
if(implode($match)!=$_GET['id'])
{
die("2");
redir();
}
//if($_GET['id']==0)
else
{
$q2 = mysql_query(sprintf("SELECT * FROM Comments WHERE CommentID='%s'",$_GET['id']),$con) or die(mysql_query());
if(mysql_num_rows($q2)==1)
{
$vars = mysql_fetch_assoc($q2);
echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">
<html xmlns=\"http://www.w3.org/1999/xhtml\">
<head>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />
<title>Edit Post</title>
</head>
<body>";
echo "<form method=\"post\" action=\"addcomment.php?type=1,edit=1\">
<p>Rating:";
//die("rating: ".$q2['rating']);
for($i=1;$i<6;$i++)
{
echo "<label>".$i."</label><input type=\"radio\" name=\"rating\" value=\"".$i."\" ";if($vars['rating']==$i){echo "checked=\"checked\"";}echo " id=\"star".$i."\" />\n";
}
echo"</p>
<p>Title:<input type=\"text\" name=\"title\" value=\"".$vars['title']."\" /></p>
<p>Comment:<textarea rows=\"5\" cols=\"80\" name=\"review\" >".$vars['review']."</textarea></p>
<input type=\"hidden\" name=\"commentid\" value=\"".$_GET['id']."\" />
<input type=\"hidden\" name=\"subject\" value=\"".$vars['subject']."\" />
<input type=\"submit\" value=\"submit review\" />
</form>
</body>
</html>";
}
else
{
die("No comment found: get: ".$_GET['id']);
}
}
mysql_free_result($q);
}
}
else
{
die("3");
redir();
}
?>
addcomment.php:
<?php require_once('checklogin.php');
//die("type=".$_GET['type']." rating=".$_POST['rating']);
require_once('text_encode.php');
require_once('validate.php');
if(safe_isset($_GET['type'])&&safe_isset($_SESSION['user']))
{
if( (safe_isset($_POST['rating']))&&(safe_isset($_POST['title']))&&(safe_isset($_POST['review']))&&($_GET['type']==1))
{
$match = array(); $match2 = array();
preg_match("/[0-5]{1,1}/",$_POST['rating'],$match);
preg_match("/[0-1]{1,1}/",$_GET['type'],$match2);
if((implode($match)!=$_POST['rating'])&&(implode($match2)!=$_GET['type']))
{
die("type=".$_GET['type']." implode=".implode($match)." rating=".$_POST['rating']." implode=".implode($match2));
//die("Invalid input for rating or type");
redir();
}
else if( $_POST['rating']=="" || $_GET['type']=="" )
{
die("Rating or type reads empty string");
redir();
}
else if(safe_isset($_GET['edit']))
{
$con = mysql_connect('localhost','REDACTED','REDACTED');
mysql_select_db('dancks_db',$con);
$query=sprintf("UPDATE Comments SET rating='%s', title='%s', review='%s' WHERE CommentID='%s'",
mysql_real_escape_string($_POST['rating']),
mysql_real_escape_string($_POST['title']),
mysql_real_escape_string($_POST['review']),
mysql_real_escape_string($_POST['commentid']));
$r = mysql_query($query,$con) or die(mysql_error());
mysql_close($con);
die("Successful edit");
header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject']));
}
else
{
if(contains($_SERVER['HTTP_REFERER'],"editpost.php"))
{
die("Wrong spot");
}
$con = mysql_connect('localhost','REDACTED','REDACTED');
mysql_select_db('dancks_db',$con);
$query=sprintf("INSERT INTO Comments(nick,type,subject,rating,title,review) VALUES ('%s','%s','%s','%s','%s','%s')",
mysql_real_escape_string($_SESSION['user']),
mysql_real_escape_string($_GET['type']),
mysql_real_escape_string($_POST['subject']),
mysql_real_escape_string($_POST['rating']),
mysql_real_escape_string($_POST['title']),
mysql_real_escape_string($_POST['review']));
$r = mysql_query($query,$con) or die(mysql_error());
mysql_close($con);
//die("successful insert");
header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject']));
}
}
else
{
die("rating, title or review isnt set");
redir();
}
}
else
{
die("type isnt set or user isnt logged in");
redir();
}
?>
相关额外代码:
function contains($text,$match)
{
return (preg_match("/".$match."/",$text)==1);
}
function safe_isset($text)
{
$good = false;
if(isset($text))
{
if(strlen($text)>0)
{
$good = true;
}
}
return $good;
}
这可能是我很容易忽视的事情。如果是这样,我道歉。我现在正在塞满,所以我很容易错过任何事情。或者也许是关于我是否应该简单地重写这个或重组它的想法是受欢迎的。
答案 0 :(得分:4)
你是对的,这很简单。您需要&而不是,
echo "<form method=\"post\" action=\"addcomment.php?type=1,edit=1\">
<p>Rating:";
// Should be:
echo "<form method=\"post\" action=\"addcomment.php?type=1&edit=1\">
<p>Rating:";
// -----------------------------------------------------^^^^
你拥有它的方式,edit值是传递,但是它作为type值的一部分传递,所以PHP看到了
$_POST['type'] == '1,edit=1'
我还注意到稍后您正在寻找$_GET['id'],但您已在查询字符串中定义了ID。数组键区分大小写,因此请务必使用正确的大小写。
header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject']));
//---------------------------------------------------------------------^^^^ upper case here....
// Access as $_GET['ID'], not $_GET['id']
答案 1 :(得分:2)
echo "<form method=\"post\" action=\"addcomment.php?type=1,edit=1\">
应该是
echo "<form method=\"post\" action=\"addcomment.php?type=1&edit=1\">
答案 2 :(得分:1)
"<form method=\"post\" action=\"addcomment.php?type=1,edit=1\">
<p>Rating:";
USE &
"<form method=\"post\" action=\"addcomment.php?type=1&edit=1\">
<p>Rating:";