首先我是PHP / MySQL的新手,我知道其他人已经指出我的代码可以使用MySQL注入,但是现在我正在努力学习功能,然后再进入安全性
好的,所以我从头开始构建一个私人消息系统,以帮助我理解编码,我遇到了一个障碍,我试图在回复字符串中发布“to_user”数据,我可以得到一切否则成功发布,但“to_user”(发送PM的人)和主题数据没有结转。
这是我的“view_pm.php”文件。
<?php
include 'core/init.php';
include 'includes/overall/header.php';
?>
<?php include "includes/inbox-menu.php"; ?>
<table>
<?php
$id = $_GET['id'];
$to_user = $user_data['user_id'];
$sql = "SELECT users.user_id, users.username, users.profile, messages.id, messages.to_user, messages.from_user,
messages.subject, messages.message, messages.has_read, messages.deleted, messages.date_sent
FROM `messages`
JOIN `users` ON messages.from_user = users.user_id
WHERE messages.to_user = '$to_user' AND messages.id = '$id' ORDER BY messages.date_sent DESC";
$result = mysql_query($sql);
$rows = mysql_fetch_array($result);
?><tr>
<td width="50px" align="center">
<img src="<?php echo $rows['profile']; ?>" width="40px"><br><?php echo $rows['username']; ?>
</td>
<td valign="top" width="350px">
<b><?php echo $rows['subject']; ?></b><br>
<?php echo $rows['message']; ?>
</td><td><?php echo $rows['date_sent']; ?></td>
</tr>
<tr>
<td colspan="3"><hr></td>
</tr>
<?php
$sql2 = "SELECT users.user_id, users.username, users.profile, messages.id, messages.reply_id, messages.to_user, messages.from_user,
messages.subject, messages.message, messages.has_read, messages.deleted, messages.date_sent
FROM `messages`
JOIN `users` ON messages.from_user = users.user_id
WHERE messages.to_user = '$to_user' AND messages.reply_id = '$id' ORDER BY messages.date_sent DESC";
$result2 = mysql_query($sql2);
while ($rows = mysql_fetch_assoc($result2)) {
?>
<tr>
<td width="50px" align="center">
<img src="<?php echo $rows['profile']; ?>" width="40px"><br><?php echo $rows['username']; ?>
</td>
<td valign="top" width="350px">
<b><?php echo $rows['subject']; ?></b><br>
<?php echo $rows['message'] ?>
</td><td><?php echo $rows['date_sent']; ?></td>
</tr>
<tr>
<td colspan="3"><hr></td>
</tr>
<?php } ?>
</table>
<form method="post" action="parsers/reply_pm.php">
Reply: <textarea name="message"></textarea><br>
<input type="hidden" name="from_user" value="<? echo $to_user; ?>">
<input type="hidden" name="to_user" value="<? echo $rows['from_user']; ?>">
<input type="hidden" name="subject" value="<? echo $rows['subject']; ?>">
<input type="hidden" name="reply_id" value="<? echo $id ?>">
<input type="submit" name="submit" value="Send Message">
</form>
<?php include 'includes/overall/footer.php'; ?>
这是我的“reply_pm.php”文件。
<?php
include '../core/init.php';
$reply_id = $_POST['reply_id'];
$to_user = $_POST['to_user'];
$from_user = $user_data['user_id'];
$subject = $_POST['subject'];
$message = $_POST['message'];
echo $sql = "INSERT INTO `messages`
(reply_id, to_user, from_user, subject, message, date_sent)
VALUES
('$reply_id','$to_user','$from_user','$subject','$message',now())";
$result = mysql_query($sql);
exit();
if($result){
header("Location: ../view_pm.php?id=$reply_id");
} else {
echo "Error sending message.";
}
?>
您可能会或可能没有注意到我在测试时回应结果,它正在返回..
INSERT INTO messages(reply_id,to_user,from_user,subject,message,date_sent)VALUES('8','','1','','test reply goes here',now())
提前致谢。
答案 0 :(得分:0)
您应该了解的关于PHP的一个问题是您在两个方括号{}中定义的变量只能在您使用的代码中访问
while ($rows = mysql_fetch_assoc($result2)) {
所以$rows在开放式括号{中定义,直到关闭的<?php } ?>,您关闭括号后无法访问该变量。喜欢:
<input type="hidden" name="to_user" value="<? echo $rows['from_user']; ?>">
您应该在while声明之前定义一个变量,并在以后使用它,如:
$from_user = "";
while ($rows = mysql_fetch_assoc($result2)) {
$from_user = $rows['from_user'];
.....
}
<input type="hidden" name="to_user" value="<? echo $from_user; ?>">
了解更多相关信息: