我的php文件有点问题,想知道是否有人可以看看。 如果我使用@mention更新并使用下面的php更新一些文本,它将更新数据库并输出ajax。如果它没有@mention而只有文本,则不输出任何内容。我怎样才能纠正代码来做到这两点。
它们都包含在$_POST['newmsg'];
我还没有逃避变量以防止SQL注入。
PHP:
<?php
error_reporting(E_ALL); ini_set('display_errors', 1);
error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);
session_start();
require_once "rawfeeds_load.php";
include_once "include/functions.youtube.php";
?>
<?
if(isset($_SESSION['id'])){
$user1_id=mysqli_real_escape_string($mysqli,$_SESSION['id']);
if(isset($_POST['toid'])){
if($_POST['toid']==""){$_POST['toid']=$_SESSION['id'];}
if(isset($_POST['newmsg'])&& isset($_POST['toid'])&& isset($_POST['privacy'])&& isset($_POST['red'])){
$_POST['newmsg']=str_replace('@'.$_POST['red'].'','<a href="profile.php?username='.$_POST['red'].'">'.$_POST['red'].'</a>', $_POST['newmsg']);
$date=date('y:m:d H:i:s');
if($_POST['toid']==$_SESSION['id']){
rawfeeds_user_core::create_streamitem("1",mysqli_real_escape_string($mysqli,$_SESSION['id']),mysqli_real_escape_string($mysqli,$_POST['newmsg']),mysqli_real_escape_string($mysqli,$_POST['privacy']),mysqli_real_escape_string($mysqli,$_POST['toid']),mysqli_real_escape_string($mysqli,$date));
}else{
rawfeeds_user_core::create_streamitem("3",mysqli_real_escape_string($mysqli,$_SESSION['id']),mysqli_real_escape_string($mysqli,$_POST['newmsg']),mysqli_real_escape_string($mysqli,$_POST['privacy']),mysqli_real_escape_string($mysqli,$_POST['toid']),mysqli_real_escape_string($mysqli,$date));
}
}
}
PHP USER_CORE
public function create_streamitem($typeid,$creatorid,$content,$ispublic,$targetuser,$date){
global $mysqli;
$content = $content;
// $content = strip_tags($content);
if(strlen($content)>0){
$date=date('y:m:d H:i:s');
$insert = "INSERT INTO streamdata(streamitem_type_id,streamitem_creator,streamitem_target,streamitem_timestamp,streamitem_content,streamitem_public) VALUES ($typeid,$creatorid,$targetuser,'$date','$content',$ispublic)";
$add_post = mysqli_query($mysqli,$insert) or die(mysqli_error($mysqli));
$last_id = mysqli_insert_id($mysqli);
if(!($creatorid==$targetuser)){
$fromuser=rawfeeds_user_core::getuser($creatorid);
rawfeeds_user_core::add_notification(2,$_POST['toid'],$fromuser['id'],$fromuser['fullname']." posted a status on your wall","../singlepoststreamitem.php?sid=$last_id");
$_SESSION['id']==$content;
}
return;
}else{
return false;
}
}
AJAX
$("form#myforms").submit(function(event) {
event.preventDefault();
var content = $(this).children("#toid").val();
var newmsg= $(this).children("#newmsg").text();
var username = $(".red").attr("href");
var privacy = $("#privacy").val();
$.ajax({
type: "POST",
url: "insert.php",
cache: false,
dataType: "json",
data: { toid: content, newmsg: newmsg, privacy: privacy, red: username },
success: function(response){
答案 0 :(得分:1)
将$_POST['red']
的支票移出主检查:
if(isset($_POST['newmsg'])&& isset($_POST['toid'])&& isset($_POST['privacy'])){
// remove $_POST['red'] here -^
if (isset($_POST['red'])) { // check it here, otherwise your insert will not happen if $_POST['red'] is empty.
$_POST['newmsg']=str_replace('@'.$_POST['red'].'','<a href="profile.php?username='.$_POST['red'].'">'.$_POST['red'].'</a>', $_POST['newmsg']);
}
$date=date('y:m:d H:i:s');
if($_POST['toid']==$_SESSION['id']){
rawfeeds_user_core::create_streamitem("1",mysqli_real_escape_string($mysqli,$_SESSION['id']),mysqli_real_escape_string($mysqli,$_POST['newmsg']),mysqli_real_escape_string($mysqli,$_POST['privacy']),mysqli_real_escape_string($mysqli,$_POST['toid']),mysqli_real_escape_string($mysqli,$date));
}else{
rawfeeds_user_core::create_streamitem("3",mysqli_real_escape_string($mysqli,$_SESSION['id']),mysqli_real_escape_string($mysqli,$_POST['newmsg']),mysqli_real_escape_string($mysqli,$_POST['privacy']),mysqli_real_escape_string($mysqli,$_POST['toid']),mysqli_real_escape_string($mysqli,$date));
}
}