我有一个带有mysql后端的聊天应用程序。我正在尝试添加一行代码,在房间更改功能完成后发布“...已加入房间”。
这是我的代码:
$PHP_PW = $_POST['password'];
$PHP_USER = $_POST['email'];
$PHP_ALIAS = $_POST['alias'];
$PHP_GENDER = $_POST['gender'];
$PHP_LON = $_POST['lon'];
$PHP_LAT = $_POST['lat'];
$PHP_STATUS = $_POST['status'];
$PHP_ROOM = $_POST['room'];
$PHP_ICON = $_POST['iconid'];
//$PHP_IP = $_SERVER['REMOTE_ADDR'];
$PHP_AGE = substr($_POST['age'],0,2);
$PHP_LOC = $_POST['location'];
$PHP_DOB = $_POST['dob'];
$PHP_IP = $_POST['device_id'];
if ($_POST['action']=="update")
{
if(!isset($PHP_USER))
{
echo "ERROR";
} else
{
if(isset($PHP_ROOM))
$update = mysql_query("UPDATE USER SET room='$PHP_ROOM',lastupdate=NOW() WHERE email='$PHP_USER'")or die("ERROR80");
$postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'"...has joined the room"','$PHP_ROOM')") or die("ERROR1");
echo "OK 1";
}
mysql_close($db);
}
代码在没有$postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'"...has joined the"','$PHP_ROOM')") or die("ERROR1");
但是,如果我使用$ postmsg行运行它,我不会得到错误或来自服务器的任何回复。
答案 0 :(得分:1)
我认为问题出在$ postmsg "...has joined the room"。它不是连接字符串的正确方法
它应该是,'"."..has joined the room"."',
答案 1 :(得分:0)
如果省略花括号,则只有下一行被认为是if语句正文的一部分。您的代码的行为如下:
if (isset($PHP_ROOM)) {
$update = mysql_query("UPDATE USER SET room='$PHP_ROOM',lastupdate=NOW() WHERE email='$PHP_USER'")or die("ERROR80");
}
$postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'"...has joined the room"','$PHP_ROOM')") or die("ERROR1");
你希望它这样做:
if (isset($PHP_ROOM)) {
$update = mysql_query("UPDATE USER SET room='$PHP_ROOM',lastupdate=NOW() WHERE email='$PHP_USER'")or die("ERROR80");
$postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'"...has joined the room"','$PHP_ROOM')") or die("ERROR1");
}
此外,通过将未经过处理的文本直接插入查询,您的应用程序容易受到SQL注入攻击。看看这个问题:How can I prevent SQL injection in PHP?