Problem with php_self

Time: 2013-04-01 02:06:53

Tags: php mysql

I'm trying to implement a page where a user enters a comment and it is shown on the same page. The problem I have is that every time you go to the page there are no comments on it (when in fact there are). This is my scenario:

  1. I go to the page and there are no comments; I enter the comment 'hello' and it shows up immediately.
  2. I go to another page, then come back to the comments page, and there are no comments. (The comment "hello" should already be displayed.)
  3. I enter the comment "hi", and both comments "hello" and "hi" are displayed.
  4. I can't figure this out..

Here is my code, it's long:

    <?php
    session_start(); //starts or continues the session
    require_once('functions.php'); //needed for some function calls
    error_reporting(E_ALL ^ E_NOTICE);
    ?>

    <!DOCTYPE html>
    <html lang = "en">

    <head>
    <script type = "text/javascript" src = "functions.js"></script>
    <link href="style.css" rel="stylesheet" type="text/css">
    </head>

    <body>

    <?php
    GetUserLayout($_SESSION['userId'], $_SESSION['superUser']);
    ?>

    <div id = "shareyouridea_form" class = "post">
      <h1> Share your post</h1>
      <!-- used for the form -->
      <form id = "idea_form" method = "post"
        action = "<?php echo $PHP_SELF;?>"
        onkeypress = "return DisableEnterKey(event);">
        <table>
          <caption>
            <strong>
              <br /> Share post form:
            </strong>
          </caption>
          <tr class = "spacearound"> <!-- input for bright idea -->
            <td> &emsp;Post: </td>
            <td>
              <textarea form = "idea_form" name = "b_idea" rows = "12"
              cols = "85" title = "Please describe your product idea"
              id = "bright_idea" maxlength = "1000"
              onkeypress =
              "return InputLimiter(event, 'lettersSpacePunctuation');">
              </textarea>
            </td>
          </tr>
        </table>

        <p>
          &emsp;&emsp;&emsp;&nbsp;
          <input type = "reset" value = "Reset" />
          &emsp;&emsp;
          <input type = "submit" value = "Share Idea!"
            title = "complete form first to submit"
            id = "submit_button"
            name = "add_comment"
            onmousedown = "IsIdeaFormCompleted();" />
        </p>
      </form> <!-- end idea_form -->
    </div>
    </div> <!-- end of ShareYourIdea_middle -->
    <script>
      DisplayFooter();
    </script>

    <?php
    if(isset($_POST['add_comment'])){ // if add comment was pressed

      // get variables
      $name = $_SESSION['firstName'];
      $empId = $_SESSION['userId'];
      $idea = $_POST['b_idea'];

      // CONNECTING TO OUR DATABASE
      $db = mysqli_connect(dbHost, dbUser, dbPassword, dbName);

      if (mysqli_connect_errno()) { //if connection to the database failed
        echo("<p id = 'greatideadescription'>
              Connection to database failed: " .
              mysqli_connect_error($db) . "</p>");
        exit("goodbye");
      }  //by now we have connection to the database

      // WE WRITE OUR QUERY TO INSERT POST INFO TO DATABASE
      $query = "INSERT INTO posts(postId,empl_Id,post,postDate)
                VALUES('','$empId','$idea',NOW())";
      $result = mysqli_query($db, $query);

    }
    ?>

    <?php
    // WE DO A QUERY TO SHOW ALL COMMENTS IN THE PAGE
    $query = "SELECT firstName,lastName, post,
              date_format((date_add(postDate,interval -7 hour)),'%a, %M, %d, %Y at %I:%i%p' ) as mydatefield
              FROM users INNER JOIN posts ON userId = empl_Id
              ORDER BY postDate DESC";

    $result = mysqli_query($db,$query);
    if (!$result) { //if the query failed
      echo("<p id = 'greatideadescription'>
            Error, the query could not be executed: " .
            mysqli_error($db) . "</p>");
      mysqli_close($db);}

    if (mysqli_num_rows($result) == 0) { //if no rows returned
      echo("<div id = 'blogs'>
              <div id ='name'>
                No posts detected
              </div>
            </div>
            <div class='fb-like' data-href='http://jacobspayroll.zxq.net/index/blog.php' data-send='true' data-width='450' data-show-faces='true'></div>
            ");
      mysqli_close($db); //close the database
      exit("</table></div></form></div></div>
            <script>DisplayFooter();</script></body></html>");
    } //by now we know that we have some products purchases returned
    $numRows = mysqli_num_rows($result); //gets number of rows
    $numFields = mysqli_num_fields($result); //gets number of fields
    //prints the data in the table

    while($row = mysqli_fetch_assoc($result)){
      $posted = $row['post'];
      $message = wordwrap($posted,5);
      echo
        '<div id ="blogs">
            <table id = "blog_id">
              </br>
              <div id = "name">
                <strong>'.$row['firstName'] . '&nbsp;' .$row['lastName'].
                '</strong>
                &nbsp;: ' .$message .
                '<br/>
              </div>
              <div id ="date">'.
              $row['mydatefield'] . '
              </div>
              <div id ="delete_comment">
                Delete this comment
              </div>
              <p>
            </table>
        </div>';
    }
    mysqli_close($db);

    ?>
    </body>

    </html>
    

2 answers:

Answer 0: (score: 6)

You are using PHP_SELF wrongly.

    //You must use the server and execution environment information array `$_SERVER[]`

    $_SERVER['PHP_SELF'];

    // For your form action, like this
    action = "<?php echo $_SERVER['PHP_SELF'];?>"

Answer 1: (score: 0)

As Kail said, you are wrong, but you might want to use $_SERVER['SCRIPT_NAME'] instead of $_SERVER['PHP_SELF'], and then you might want to add some script to get the GET parameters (if you use them for your script). If you use PHP_SELF, a user link like script.php/%22%3E%3Cscript%3Ealert('xss')%3C/script%3E%3Cfoo could make the action look like action="script.php/"><script>alert('xss')</script>, or it could be a redirect to collect cookies; in other words, an XSS attack.

$_SERVER['PHP_SELF'] vs $_SERVER['SCRIPT_NAME'] vs $_SERVER['REQUEST_URI']

XSS Woes

What's the difference between $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME']?
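The following is an added example, written for this page and not code from the asker or either answerer. It puts the two answers' advice together with the other problems visible in the posted code: the form action is escaped with `htmlspecialchars()` so no value that reaches the attribute can close it (the mechanism behind the XSS the second answer describes); the database connection is opened once before both branches, because in the posted code `$db` is only created inside the `add_comment` branch, so the SELECT on a plain page load runs with no connection; the INSERT uses a prepared statement instead of interpolating `$_POST['b_idea']` into the SQL string; and every database value is escaped before being echoed. It assumes the same `dbHost`/`dbUser`/`dbPassword`/`dbName` constants and the same `users`/`posts` columns the question's code uses; `form_action()` and the markup are my own.

```php
<?php
// Added example (not from the question or answers): the posted page, hardened.
// Assumes the dbHost/dbUser/dbPassword/dbName constants and the posts/users
// tables from the question's code.
session_start();
require_once('functions.php');

// 1. Form action: SCRIPT_NAME carries no PATH_INFO, and htmlspecialchars()
//    turns any quote or angle bracket into an entity, so the value can never
//    terminate the attribute or open a tag.
function form_action(): string {
    return htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
}

// Same escaping for everything we echo from the database or the session.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 2. Connect once, before either branch, so the SELECT below always has a
//    live connection (in the posted code $db only existed after a POST).
$db = mysqli_connect(dbHost, dbUser, dbPassword, dbName);
if (mysqli_connect_errno()) {
    exit('Connection to database failed: ' . h(mysqli_connect_error()));
}

// 3. Insert with a prepared statement: the comment text is bound as data and
//    is never part of the SQL string.
if (isset($_POST['add_comment'])) {
    $empId = (int) $_SESSION['userId'];
    $idea  = (string) $_POST['b_idea'];
    $stmt = mysqli_prepare($db,
        'INSERT INTO posts (empl_Id, post, postDate) VALUES (?, ?, NOW())');
    mysqli_stmt_bind_param($stmt, 'is', $empId, $idea);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    // Post/Redirect/Get: reload via GET so a browser refresh does not resubmit.
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}
?>
<!DOCTYPE html>
<html lang="en">
<head><link href="style.css" rel="stylesheet" type="text/css"></head>
<body>
<form id="idea_form" method="post" action="<?php echo form_action(); ?>">
  <textarea name="b_idea" rows="12" cols="85" maxlength="1000"></textarea>
  <input type="submit" name="add_comment" value="Share Idea!" />
</form>
<?php
// 4. Read back every comment; the query takes no user input, and each value
//    is escaped on output so a stored comment cannot inject markup.
$result = mysqli_query($db,
    'SELECT firstName, lastName, post,
            date_format(date_add(postDate, interval -7 hour), \'%a, %M, %d, %Y at %I:%i%p\') AS mydatefield
     FROM users INNER JOIN posts ON userId = empl_Id
     ORDER BY postDate DESC');
if (!$result) {
    exit('Error, the query could not be executed: ' . h(mysqli_error($db)));
}
if (mysqli_num_rows($result) === 0) {
    echo '<div id="blogs"><div id="name">No posts detected</div></div>';
}
while ($row = mysqli_fetch_assoc($result)) {
    echo '<div id="blogs">'
       . '<div id="name"><strong>' . h($row['firstName'] . ' ' . $row['lastName'])
       . '</strong>: ' . nl2br(h($row['post'])) . '</div>'
       . '<div id="date">' . h($row['mydatefield']) . '</div>'
       . '</div>';
}
mysqli_close($db);
?>
</body>
</html>
```

The `header('Location: ...')` after the INSERT also explains the asker's step 2 from a different angle: once the page is served by a GET that reads from an always-open `$db`, returning to it shows the stored comments regardless of how the visitor arrived. The escaping in `form_action()` is the part that addresses the second answer's point; switching to `SCRIPT_NAME` removes the user-controlled path suffix, and `htmlspecialchars()` is what stops any remaining quote from ending the attribute.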