我正在为我正在处理的网站制作一个简单的评论部分,但我的代码似乎有些不妥。这是表格:
<?php
if($_SESSION['authenticated']) { //// if not logged show registration form
echo "<form name='comment' action='addcomment.php' method='get'>";
echo "<textarea name='CommentText'></textarea>";
echo "<input type='submit' value='Submit' />";
echo "</form><br><br>";}
else {
echo "Please log in to post.";
}
$res=mysqli_query($db, "SELECT * FROM comments");
$row = mysqli_fetch_array($res);
while ($row) {
echo '<p>from</p>';
$row = mysqli_fetch_array($res);
}
?>
这是将表单数据添加到我的数据库表(表的命名注释)的PHP / SQL
<?php $dbHost = 'cust-mysql-123-17';
$dbUser = 'user';
$dbPass = 'mypass';
$dbName = 'ollie';
$db = mysqli_connect( $dbHost, $dbUser, $dbPass, $dbName ) or die("Cannot connect");
$CommentText = $_GET['CommentText'];
$email = $_SESSION['authenticated'];
$res=mysqli_query($db, "INSERT INTO 'comments' (email, CommentText) VALUES('$email','$CommentText')");
if ($res){echo"<script lang='javascript' type='text/javascript'>
alert('Post successful');
window.location = 'forum.php';
</script>";}
else{
echo "alert('Post Failed');";
}
?>
每当我尝试运行它时,它会显示我在最后一个if语句中设置的“post failed”警告。帮助
答案 0 :(得分:0)
从表名中删除引号 - 如果要包含它,请使用反引号`(键下面的转义)
$res = mysqli_query($db, "INSERT INTO comments (email, CommentText) VALUES('$email','$CommentText')");
关于安全性,我建议您了解php.net
上的mysqli::real_espace_string