If I put a '

Time: 2017-04-16 14:04:38

Tags: php mysql

This source is a custom forum in PHP/SQL. Everything seems to work just fine, except when I put a ' inside the create-new-thread area to post a new post or reply.

If I try to post (example: hello I am great) then the post gets posted successfully and can be seen on the site.

But if I try to post (example: hello I'm doing great), then it says the post was posted successfully, but it doesn't show up or submit any data to the database.

Here is the source in question.



<?
include 'header.php';

if($guest == 1){
echo Message("You are not supposed to be here!");
include 'footer.php';
die();
}
$tobe = $_GET['id'];
$f1= 0;$f2= 0;$f3=0;
$clany = 0;
if($tobe == 16){

$clanx = mysql_query("SELECT * FROM `clans` WHERE `id` = '$user->clan'");
$clan = mysql_fetch_object($clanx);
$clanpowerx = mysql_query("SELECT * FROM `clanrank` WHERE `rank` = '$user->clanrank' AND `clanid` = '$user->clan'");
$clanpower =  mysql_fetch_object($clanpowerx);

if($clan->id > 0){
if($clan->forum == 0){
echo Message("Your clan doesn't have a forums!");
include 'footer.php';
die();
}
$chk1 = mysql_query("SELECT * FROM `F_forums` WHERE `id` = '16'");
$chk = mysql_fetch_object($chk1);
$f1 = $clanpower->f1;
$f2 = $clanpower->f2;
$f3 = $clanpower->f3;
$clany = $clan->id;
if($clan->leader == $user->username){
$f1 =1;
$f2 =1;
$f3 = 1;
}
if($f1 == 0){
echo Message("You don't have the power to create threads!");
include 'footer.php';
die();
}


}
else{
echo Message("You are not in any clan!");
include 'footer.php';
die();
}

}
else{
$chk1 = mysql_query("SELECT * FROM `F_forums` WHERE `id` = '$tobe' AND `uppercat` != '0' AND `active` = '1'");
$chk = mysql_fetch_object($chk1);
if($chk->id < 1){$errorz = 1;}
if($errorz != 1){
if(!check_power($user->adm,$chk->id,"p4")){$errorz = 1;}
}
if($errorz == 1){
echo Message("Please don't change links!");
include 'footer.php';
die();
}
}

$subject = $_POST['subject'];
$content = $_POST['content'];

if($_POST['create'] != ""){
if(strlen($content) <= 7){
$error = 1;
$errorz = "Please Enter a bigger message";
}
if(strlen($content) >= 50000){
$error = 1;
$errorz = "Please Enter a smaller message";
}

if(strlen($subject) <= 5){
$error = 1;
$errorz = "Please Enter a bigger subject";
}
if(strlen($subject) >= 56){
$error = 1;
$errorz = "Please Enter a smaller subject";
}

if($error ==1){echo Message($errorz);}
else{
$time = time();
mysql_query("INSERT INTO `F_threads`( `createid`, `createname`, `topic`, `stick`, `stickpic`, `time`, `lasttime`, `lastpostuid`, `lastpostuname`, `posts`, `views`, `pages`, `forumid`,`ip`,`stat`,`clan`)"."VALUES ('$user->id','$user->username','$subject','2','','$time','$time','$user->id','$user->username','1','0','1','$chk->id','$userf->lastip','0','$clany')")or die(mysql_error());

$currentcreat = mysql_query("SELECT * FROM `F_threads` WHERE `createid` = '$user->id' AND `time` = '$time'");
$current = mysql_fetch_object($currentcreat);

mysql_query("INSERT INTO `F_posts`(`tid`, `uname`, `uid`, `time`, `lastedittime`, `lasteditby`, `delete`, `html`, `subject`, `msgtext`) VALUES ('$current->id','".$user->username."','$user->id','$time','','','0','0','".$subject."','".$content."')");


mysql_query("UPDATE `F_users` SET `totalthreads` = `totalthreads` + 1 , `totalpost` = `totalpost` + 1, `lastthread` = '$subject' , `lastpost` = '$subject', `lastpostip` = '$userf->lastip' WHERE `id` = '$user->id' ");

mysql_query("UPDATE `F_stats` SET `totalposts` = `totalposts` + 1, `totalthreads` = `totalthreads` + 1 WHERE `id` = '1'")or die(mysql_error());

mysql_query("UPDATE `F_forums` SET `totalthreads` = `totalthreads` + 1 , `lastpostid` = '$current->id' , `totalposts` = `totalposts` + 1, `lastpostn` = '$subject' , `lastpostu` = '$user->username', `lastposttime` = '$time' WHERE `id` = '$chk->id' ")or die(mysql_error());

if($clany != 0){

mysql_query("UPDATE `clans` SET `totalthreads` = `totalthreads` + 1 , `lastpostid` = '$current->id' , `totalposts` = `totalposts` + 1, `lastpostn` = '$subject' , `lastpostu` = '$user->username', `lastposttime` = '$time' WHERE `id` = '$clany' ")or die(mysql_error());
}

echo Message("You have successfully posted your new thread.<br><br> Teleporting Back...");
mrefresh("forum.php?id=".$current->forumid);
include 'footer.php';
die();

}}


if($_POST['preview'] != ""){
include_once("bbcode.php");
$precont = bb($content);
echo Message2($precont,"Preview");
}
?>

<script>
function insertSmiley(smiley){     
var currentText = document.getElementById("message");         
var smileyWithPadding = " " + smiley + " "; 
currentText.value += smileyWithPadding;
currentText.focus();
};
</script>

<form method="post" action="newthread.php?id=<?=$chk->id?>">
<table border="0" cellspacing="0" cellpadding="5" class="tborder">
<tbody><tr>
<td class="thead" colspan="2"><strong>Post a new Thread</strong></td>

</tr>
<!-- start: changeuserbox -->
<tr>
<td class="trow3" width="360"><strong>Username:</strong></td>
<td class="trow3"><?=$user->username?></td>
</tr>

<!-- end: changeuserbox -->
<tr>
<td class="trow3" width="360"><strong>Thread Subject</strong></td>
<td class="trow3"><input type="text" class="textbox" name="subject" size="40" maxlength="55" value="<?=$subject?>" tabindex="1"></td>

</tr>

<tr>
<td class="trow3" valign="top"><strong>Your Message:</strong>

<!-- start: smilieinsert -->

<div style="margin:auto; width: 300px; margin-top: 20px;">
<table border="0" cellspacing="0" cellpadding="5" class="tborder">
<tbody><tr>
<td class="thead"><span class="smalltext"><strong>Smilies</strong></span></td>
</tr>
<tr>
<td class="trow3">
<table width="100%" align="center" border="0" cellspacing="0" cellpadding="1" id="clickable_smilies">

<tbody><tr>
<td style="text-align: center"><img src="img/smilies/3.gif" border="0" class="smilie" onclick="insertSmiley(':3:')" alt=":3:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/angry.gif" border="0" class="smilie" onclick="insertSmiley(':@')"alt=":@" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/bad.gif" border="0" class="smilie" onclick="insertSmiley(':bad:')"alt=":bad:" style="cursor: pointer;"></td>
</tr>
<tr>
<td style="text-align: center"><img src="img/smilies/cry.gif" border="0" class="smilie" onclick="insertSmiley(':\'(:')" alt=":'(" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/eee.gif" border="0" class="smilie" onclick="insertSmiley(':eee:')" alt=":eee:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/error.gif" border="0" class="smilie" onclick="insertSmiley(':error:')" alt=":error:" style="cursor: pointer;"></td>
</tr>
<tr>
<td style="text-align: center"><img src="img/smilies/excited.gif" border="0" class="smilie" onclick="insertSmiley(':excited:')" alt=":excited:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/explode.gif" border="0" class="smilie" onclick="insertSmiley(':explode:')" alt=":explode:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/hey.gif" border="0" class="smilie" onclick="insertSmiley(':hey:')" alt=":hey:" style="cursor: pointer;"></td>
</tr>
<tr>
<td style="text-align: center"><img src="img/smilies/lol.gif" border="0" class="smilie" onclick="insertSmiley(':lol:')" alt=":lol:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/love.gif" border="0" class="smilie" onclick="insertSmiley(':love:')" alt=":love:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/magikarp.gif" border="0" class="smilie" onclick="insertSmiley(':magikarp:')"  alt=":magikarp:" style="cursor: pointer;"></td>
</tr>
<tr>
<td style="text-align: center"><img src="img/smilies/noo.gif" border="0" class="smilie" onclick="insertSmiley(':ohnoes:')" alt=":ohnoes:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/oo.gif" border="0" class="smilie" onclick="insertSmiley(':oo:')" alt=":oo:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/pikapika.gif" border="0" class="smilie" onclick="insertSmiley(':pika:')" alt=":pika:" style="cursor: pointer;"></td>
</tr>
<tr>
<td style="text-align: center"><img src="img/smilies/sad.gif" border="0" class="smilie" onclick="insertSmiley(':(')" alt=":(" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/suck.gif" border="0" class="smilie" onclick="insertSmiley(':suck:')" alt=":suck:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/toilet.gif" border="0" class="smilie" onclick="insertSmiley(':loo:')" alt=":loo:" style="cursor: pointer;"></td>
</tr>
<tr>
<td style="text-align: center"><img src="img/smilies/wink.gif" border="0" class="smilie" onclick="insertSmiley(';)')" alt=";)" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/wobby.gif" border="0" class="smilie" onclick="insertSmiley(':wobby:')" alt=":wobby:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/wobby2.gif" border="0" class="smilie" onclick="insertSmiley(':wobby2:')" alt=":wobby2:" style="cursor: pointer;"></td>
</tr>
<tr>
<td style="text-align: center"><img src="img/smilies/woo.gif" border="0" class="smilie" onclick="insertSmiley(':woo:')" alt=":woo:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/wtf.gif" border="0" class="smilie" onclick="insertSmiley(':wtf:')" alt=":wtf:" style="cursor: pointer;"></td>
<td style="text-align: center"><img src="img/smilies/yes.gif" border="0" class="smilie" onclick="insertSmiley(':yes:')" alt=":yes:" style="cursor: pointer;"></td>
</tr>
</tbody></table>
</td>
</tr>

</tbody></table>
</div>


<!-- end: smilieinsert -->
</td>


<td class="trow3">
<textarea class="textarea" name="content" id="message" rows="30" style="width: 70%; padding: 4px;"><?=$content?></textarea>
</td>
</tr></tbody></table>

<br><br>
<div style="text-align:center"><input type="submit" class="button" name="preview" value="Preview Thread" tabindex="4"> 
<input type="submit" class="button" name="create" value="Post Thread" tabindex="4" accesskey="s"></div>
<br><br>
</form>
<? include 'footer.php'; ?>

Can you guys help me solve the problem?

1 answer:

Answer 0 (score: 0)

http://php.net/manual/en/function.mysql-real-escape-string.php Since you are using PHP's mysql extension, use mysql_real_escape_string on the forum topic before inserting it into the database.

However, the proper and modern way would be to switch to PDO instead of the mysql ext and use prepared statements. Then parameter escaping will be implicit. http://php.net/manual/en/pdo.prepare.php
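An added example, written here as an illustration and not taken from the question or the answer: the F_posts INSERT from newthread.php done the original way (user input spliced into the SQL string) beside the PDO prepared-statement version the answer recommends. It also shows why the page reports success: the F_posts mysql_query() call in the posted code has no "or die", so a false return caused by the apostrophe is ignored while the F_threads row and the counters are still written. The script runs against an in-memory SQLite database so it works offline; the forum itself uses MySQL, so the MySQL DSN in the comment is an assumed placeholder, the table has only the columns the example touches, and the function names insertPostUnsafe, insertPostSafe, fetchPost and check are invented for this example.

```php
<?php
// Added example: the original splice-into-SQL INSERT beside a prepared statement.
// Assumptions: in-memory SQLite stands in for the forum's MySQL database, and the
// F_posts table is reduced to the columns used below.
declare(strict_types=1);

// For the real forum the connection would be something like:
//   new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', $dbUser, $dbPass,
//           [PDO::ATTR_EMULATE_PREPARES => false]);   // let the server bind parameters
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Stand-in for F_posts (subset of the real columns).
$pdo->exec('CREATE TABLE F_posts (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    tid     INTEGER NOT NULL,
    uid     INTEGER NOT NULL,
    uname   TEXT    NOT NULL,
    time    INTEGER NOT NULL,
    subject TEXT    NOT NULL,
    msgtext TEXT    NOT NULL
)');

// The pattern from newthread.php: $subject and $content become part of the query
// text. A single quote in either one closes the string literal early, the
// statement is a syntax error, and mysql_query() returns false. The posted code
// never checks that return value, so the user still sees "successfully posted".
function insertPostUnsafe(PDO $pdo, int $tid, int $uid, string $uname, string $subject, string $content): bool
{
    $time = time();
    $sql = "INSERT INTO F_posts (tid, uid, uname, time, subject, msgtext) "
         . "VALUES ('$tid', '$uid', '$uname', '$time', '$subject', '$content')";
    try {
        $pdo->exec($sql);
        return true;
    } catch (PDOException $e) {
        return false;   // the failure the original silently ignores
    }
}

// The fix: placeholders. The SQL text is fixed at prepare() time; bound values
// may contain quotes, comment markers or whole statements and stay plain data.
function insertPostSafe(PDO $pdo, int $tid, int $uid, string $uname, string $subject, string $content): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO F_posts (tid, uid, uname, time, subject, msgtext)
         VALUES (:tid, :uid, :uname, :time, :subject, :msgtext)'
    );
    $stmt->execute([
        ':tid' => $tid, ':uid' => $uid, ':uname' => $uname, ':time' => time(),
        ':subject' => $subject, ':msgtext' => $content,
    ]);
    // Also replaces the "SELECT ... WHERE createid = ... AND time = ..." lookup in
    // newthread.php, which picks an arbitrary row if a user posts twice in one second.
    return (int) $pdo->lastInsertId();
}

function fetchPost(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT subject, msgtext FROM F_posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? [] : $row;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// 1. The input from the question: the apostrophe alone is enough to lose the post.
$content = "hello I'm doing great";
check(insertPostUnsafe($pdo, 1, 42, 'alice', 'A harmless subject', $content) === false,
      'spliced INSERT fails on a single quote');

// 2. The same input through the prepared statement is stored verbatim.
$id = insertPostSafe($pdo, 1, 42, 'alice', 'A harmless subject', $content);
check(fetchPost($pdo, $id)['msgtext'] === $content, 'prepared INSERT keeps the quote');

// 3. Why this is more than a usability bug: a crafted subject closes the string,
//    supplies its own value for the next column and comments out the rest, so
//    the spliced query runs, but with attacker-chosen data in msgtext.
$crafted = "x', 'body chosen by the attacker'); -- ";
check(insertPostUnsafe($pdo, 1, 42, 'alice', $crafted, 'the body the user typed') === true,
      'crafted subject still executes');
check(fetchPost($pdo, $id + 1)['msgtext'] === 'body chosen by the attacker',
      'attacker controlled the msgtext column');

// 4. The prepared statement treats that same subject as an ordinary string.
$id = insertPostSafe($pdo, 1, 42, 'alice', $crafted, 'the body the user typed');
check(fetchPost($pdo, $id)['subject'] === $crafted, 'prepared INSERT stores the payload as text');

echo "all checks passed\n";
```

The same treatment applies to every other value the posted page splices into SQL, including `$_GET['id']` in the `F_forums` lookup and `$subject` in the `F_threads`, `F_users`, `F_forums` and `clans` updates; escaping only the topic, as the answer's first suggestion does, still leaves those statements built from unescaped input.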