我有这个代码存储在view_profile.php页面上。它有一个名为Add的朋友形式。没有语法错误。但是,当我提交表单时,它应该刷新并将我发送到发件箱页面时没有任何反应?此外,它应该向所请求的用户收件箱发送消息。有什么想法吗?
PS:我是PHP / MySQL的新手,很抱歉,如果代码不是100%。我将来会把这篇文章转换成PDO,只是不想这样做,因为它是练习掌握查询等。
<?php
session_start();
include "db.php";
$sqlCommand = "SELECT userid, username FROM users WHERE username='" . $_SESSION['username'] . "'";
$query = mysql_query($sqlCommand, $connection) or die (mysql_error());
while ($row = mysql_fetch_array($query)) {
$pid = $row["userid"];
$from_username = $_SESSION['username'];
}
mysql_free_result($query);
$to_userid = $_POST['to_userid'];
$sqlCommand = "SELECT userid, username FROM users WHERE userid='$to_userid' LIMIT 1";
$query = mysql_query($sqlCommand, $connection) or die (mysql_error());
while ($row = mysql_fetch_array($query)) {
$TOid = $_SESSION['username'];
}
mysql_free_result($query);
?>
<input name="to_username" type="hidden" id="to_username" value="<?php print $username;?>"/>
<input name="title" type="hidden" id="title" value="<?php print $from_username ?> wants to add you as a friend!"/>
<input name="content" type="hidden" id="content" value="<?php print $from_username; ?> wants to add you as a friend!"/>
<input name="to_userid" type="hidden" id="to_userid" value="<?php print $TOid; ?>"/>
<input name="from_username" type="hidden" id="from_username" value="<?php print $from_username ?>"/>
<input name="userid" type="hidden" id="from_username" value="<?php print $_SESSION['userid'] ?>"/>
<input name="senddate" type="hidden" id="senddate" value="<?php echo date("l, jS F Y, g:i:s a"); ?>"/>
<input type="submit" name="addFriend" id="addFriend" value="Add <?php print $username ?> as a friend!" />
<?php
if($_POST['addFriend']){
$to_username = $_POST['to_username'];
$title = $_POST['title'];
$content = $_POST['content'];
$to_userid = $_POST['to_userid'];
$userid = $_POST['userid'];
$from_username = $_POST['from_username'];
$senddate = $_POST['senddate'];
require_once "db.php";
$query = mysql_query("INSERT INTO pm_outbox (userid, username, to_userid, to_username, title, content, senddate)VALUES('$userid', '$from_username', '$to_userid', '$to_username', '$title', '$content', '$senddate')",$connection) or die (mysql_error($connection));
$query = mysql_query( "INSERT INTO pm_inbox (userid,username,from_id, from_username, title,content,recieve_date)VALUES('$to_userid', '$to_username','$userid','$from_username', '$title', '$content','$senddate')",$connection) or die (mysql_error($connection));
echo "<meta http-equiv=\"refresh\" content=\"0; URL=pm_outbox.php\">";
exit();
}
?>
答案 0 :(得分:0)
您从未启动过表单标记
你需要在输入之前启动它们并在它之后结束它们才变成
<form action='Your_action_page_here.php' method='POST'>
<input name="to_username" type="hidden" id="to_username" value="<?php print $username;?>"/>
<input name="title" type="hidden" id="title" value="<?php print $from_username ?> wants to add you as a friend!"/>
<input name="content" type="hidden" id="content" value="<?php print $from_username; ?> wants to add you as a friend!"/>
<input name="to_userid" type="hidden" id="to_userid" value="<?php print $TOid; ?>"/>
<input name="from_username" type="hidden" id="from_username" value="<?php print $from_username ?>"/>
<input name="userid" type="hidden" id="from_username" value="<?php print $_SESSION['userid'] ?>"/>
<input name="senddate" type="hidden" id="senddate" value="<?php echo date("l, jS F Y, g:i:s a"); ?>"/>
<input type="submit" name="addFriend" id="addFriend" value="Add <?php print $username ?> as a friend!" />
</form>
此外,我注意到在将变量插入表格之前,您既未验证或清理变量
这是一个非常重要的安全问题,您必须关注..我建议使用 filter_var()进行验证。您还需要阅读本文,了解如何防止SQL注入How to prevent SQL injection?