带 @mention 的文本与不带 @mention 的文本

时间:2014-09-29 08:18:54

标签: php ajax json

我的 php 文件有点问题，想请人帮忙看看。如果我通过下面的 php 提交一条带 @mention 的文本，它会写入数据库并返回 ajax 输出；如果文本中没有 @mention，则什么都不输出。我该如何修改代码，让这两种情况都能正常工作？

这两种情况的文本都放在 $_POST['newmsg'] 中；

我还没有对变量做转义来防止 SQL 注入。

PHP:

<?php
   // Development error settings. The second error_reporting() call overrides the
   // first, so the effective level is E_ERROR|E_WARNING|E_PARSE|E_NOTICE, not E_ALL.
   // display_errors=1 prints PHP errors (file paths, query text) straight into the
   // AJAX response body; keep it off outside development.
   error_reporting(E_ALL); ini_set('display_errors', 1);
   error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);
   session_start();
   // presumably provides $mysqli and rawfeeds_user_core used below — confirm
   require_once "rawfeeds_load.php";
   include_once "include/functions.youtube.php";
?>
<?
   if(isset($_SESSION['id'])){
     $user1_id=mysqli_real_escape_string($mysqli,$_SESSION['id']);
     if(isset($_POST['toid'])){
      if($_POST['toid']==""){$_POST['toid']=$_SESSION['id'];}
       if(isset($_POST['newmsg'])&& isset($_POST['toid'])&& isset($_POST['privacy'])&& isset($_POST['red'])){
          $_POST['newmsg']=str_replace('@'.$_POST['red'].'','<a href="profile.php?username='.$_POST['red'].'">'.$_POST['red'].'</a>', $_POST['newmsg']);
          $date=date('y:m:d H:i:s');
            if($_POST['toid']==$_SESSION['id']){
                rawfeeds_user_core::create_streamitem("1",mysqli_real_escape_string($mysqli,$_SESSION['id']),mysqli_real_escape_string($mysqli,$_POST['newmsg']),mysqli_real_escape_string($mysqli,$_POST['privacy']),mysqli_real_escape_string($mysqli,$_POST['toid']),mysqli_real_escape_string($mysqli,$date));
            }else{
                rawfeeds_user_core::create_streamitem("3",mysqli_real_escape_string($mysqli,$_SESSION['id']),mysqli_real_escape_string($mysqli,$_POST['newmsg']),mysqli_real_escape_string($mysqli,$_POST['privacy']),mysqli_real_escape_string($mysqli,$_POST['toid']),mysqli_real_escape_string($mysqli,$date));
            }
        }
    }

PHP USER_CORE

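 /**
  * Insert one item into streamdata and, when it is posted to another
  * user's wall, add a notification for that user.
  *
  * Declared static because every visible caller uses
  * rawfeeds_user_core::create_streamitem(...); calling a non-static method
  * that way is an Error on PHP 8.
  *
  * @param int|string $typeid     streamitem_type_id ("1" or "3" from the callers)
  * @param int|string $creatorid  id of the posting user
  * @param string     $content    item body; an empty string is rejected
  * @param int|string $ispublic   value stored in streamitem_public
  * @param int|string $targetuser id of the user whose wall receives the item
  * @param string     $date       timestamp to store; "now" is used when empty
  * @return int|false id of the new row, or false when the content is empty
  *                   or the insert failed (the old code returned null on success)
  */
 public static function create_streamitem($typeid, $creatorid, $content, $ispublic, $targetuser, $date)
 {
     global $mysqli;

     $content = (string) $content;
     if ($content === '') {
         return false;
     }
     // The old code threw the passed $date away and regenerated it; honour the
     // argument and only fall back to the current time when it is empty.
     if ((string) $date === '') {
         $date = date('y:m:d H:i:s');
     }

     // Bound parameters replace the interpolated query. The old string relied on
     // every caller escaping first, and the numeric columns were never quoted,
     // so mysqli_real_escape_string did not protect them anyway.
     // NOTE(review): callers that still pre-escape (the visible ones do) will now
     // store the escape backslashes literally; they should pass raw values.
     $sql = 'INSERT INTO streamdata'
         . '(streamitem_type_id, streamitem_creator, streamitem_target, streamitem_timestamp, streamitem_content, streamitem_public)'
         . ' VALUES (?, ?, ?, ?, ?, ?)';
     $stmt = mysqli_prepare($mysqli, $sql);
     if ($stmt === false) {
         // Log instead of die(mysqli_error()): the error text (table and column
         // names) must not be sent back to the browser.
         error_log('create_streamitem: prepare failed: ' . mysqli_error($mysqli));
         return false;
     }
     mysqli_stmt_bind_param($stmt, 'iiissi', $typeid, $creatorid, $targetuser, $date, $content, $ispublic);
     if (!mysqli_stmt_execute($stmt)) {
         error_log('create_streamitem: insert failed: ' . mysqli_stmt_error($stmt));
         mysqli_stmt_close($stmt);
         return false;
     }
     $last_id = mysqli_insert_id($mysqli);
     mysqli_stmt_close($stmt);

     // Posting on somebody else's wall notifies the wall owner. The target comes
     // from the parameter, not from $_POST['toid'] as before, so the method no
     // longer depends on the request that happened to call it.
     if ((int) $creatorid !== (int) $targetuser) {
         $fromuser = rawfeeds_user_core::getuser($creatorid);
         rawfeeds_user_core::add_notification(
             2,
             $targetuser,
             $fromuser['id'],
             $fromuser['fullname'] . " posted a status on your wall",
             "../singlepoststreamitem.php?sid=$last_id"
         );
         // The old line here, `$_SESSION['id']==$content;`, was a comparison with
         // no effect and has been dropped.
     }

     return $last_id;
 }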

AJAX

$("form#myforms").submit(function(event) {
    event.preventDefault();
    var content = $(this).children("#toid").val();
    var newmsg= $(this).children("#newmsg").text();
    var username = $(".red").attr("href");
    var privacy = $("#privacy").val();

    $.ajax({
      type: "POST",
      url: "insert.php",
      cache: false,
      dataType: "json",
      data: { toid: content, newmsg: newmsg, privacy: privacy, red: username }, 
      success: function(response){ 

1 个答案:

答案 0 :(得分:1)

把对 $_POST['red'] 的检查移出主判断：

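if (isset($_POST['newmsg']) && isset($_POST['toid']) && isset($_POST['privacy'])) {
    // $_POST['red'] (the @mention target) is deliberately NOT part of the guard
    // above: a message without a mention must still be inserted.
    // isset() alone is also not enough — with red === '' the replacement below
    // would match the bare '@' and turn every '@' in the message into a link.
    $red = isset($_POST['red']) ? (string) $_POST['red'] : '';
    if ($red !== '') {
        // The mention is stored as an HTML anchor built from user input, so the
        // name is encoded for the URL query and escaped for the HTML body to keep
        // it from breaking out of the tag. The rest of newmsg is still raw text
        // and must be escaped wherever it is rendered.
        // NOTE(review): the AJAX sends $('.red').attr('href'), so 'red' may not be
        // a bare username — confirm what the client actually posts.
        $link = '<a href="profile.php?username=' . rawurlencode($red) . '">'
            . htmlspecialchars($red, ENT_QUOTES, 'UTF-8') . '</a>';
        $_POST['newmsg'] = str_replace('@' . $red, $link, $_POST['newmsg']);
    }

    $date = date('y:m:d H:i:s');
    // Type "1" when posting to one's own id, "3" otherwise — the two original
    // branches differed only in this first argument. Loose == is kept because
    // $_SESSION['id'] may be an int while $_POST['toid'] is always a string.
    $typeid = ($_POST['toid'] == $_SESSION['id']) ? "1" : "3";

    rawfeeds_user_core::create_streamitem(
        $typeid,
        mysqli_real_escape_string($mysqli, $_SESSION['id']),
        mysqli_real_escape_string($mysqli, $_POST['newmsg']),
        mysqli_real_escape_string($mysqli, $_POST['privacy']),
        mysqli_real_escape_string($mysqli, $_POST['toid']),
        mysqli_real_escape_string($mysqli, $date)
    );
}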