This is wrong. (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@ myemail.net' at line 1)
$user_id = $_SESSION['user_id'];
$emails = $_REQUEST['emails'];
$subject = "Invitation from $email";
$headers = 'From: '.$email;
$emails = $_REQUEST['emails'];
foreach ($emails as $to) {
    list($to,$name) = split(':::',$to,2);
    $message = "Hi $name, $email would like you to take a look at this site! http://www.lunarsys.com\r\n\r\n";
    mail($to, $subject, $message, $headers);
    echo "Mail sent to $name ($to)<br/>\r\n";
    $query = "SELECT j_user_id FROM jt_members_external_contacts WHERE j_user_id = $user_id AND contact_email = $to;";
    $result = mysql_query($query) or die(mysql_error());
    $conrows = mysql_num_rows($result);
    if($conrows > 0)
    {
        echo "Exist";
    }else
    {
        //
        //Insert News into Articles Database
        $sql_insert = "INSERT into `jt_members_external_contacts`
            (`j_user_id`,`contact_email`,`firstname`
            )
            VALUES
            ('$user_id','$to','$name'
            )
        ";
        mysql_query($sql_insert) or die(header("Location: /error_page?error_msg=1"));
    }
}
Answer 0 (score: 0)
Replace this line:
$query = "SELECT j_user_id FROM jt_members_external_contacts WHERE j_user_id = $user_id AND contact_email = $to;";
with this:
$query = "SELECT j_user_id FROM jt_members_external_contacts WHERE j_user_id = $user_id AND contact_email = '$to'";
Answer 1 (score: 0)
There should be quotes around $to:
$query = "SELECT j_user_id FROM jt_members_external_contacts WHERE j_user_id = $user_id AND contact_email = '$to';";
By the way - if this is your actual source code, don't forget to properly escape the user input $_REQUEST['emails'], because this script has a serious SQL injection vulnerability where a specially crafted request parameter can compromise your database.
For example:
foreach ($emails as $to) {
    list($to,$name) = split(':::',$to,2);
    $to = mysql_escape_string($to);
    ...
This will also stop valid email addresses such as tim.o'brein@example.com from breaking your script.
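An added example, not from the question or either answer: the same duplicate check and insert written with PDO prepared statements, which removes both the quoting error and the injection, since the address is bound as a parameter and never spliced into the SQL string. It uses an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs stand-alone; the prepare/execute calls are identical with a mysql: DSN. The table contents, user id and contact entries are constructed sample values.

```php
<?php
// Added example (not the question's or answers' code): PDO prepared statements
// in place of string-built SQL. SQLite in-memory stands in for MySQL so this
// runs stand-alone; with a mysql: DSN the prepare/execute calls are unchanged.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE jt_members_external_contacts (
    j_user_id INTEGER, contact_email TEXT, firstname TEXT)');

function record_contact(PDO $pdo, int $user_id, string $to, string $name): string {
    // Reject anything that is not a syntactically valid address before it
    // reaches the database or mail(); apostrophes in the local part are valid.
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        return "Rejected";
    }
    // Bound parameters: the driver sends the value separately from the SQL text,
    // so quotes or SQL keywords inside $to are just data.
    $lookup = $pdo->prepare('SELECT j_user_id FROM jt_members_external_contacts
        WHERE j_user_id = :uid AND contact_email = :email');
    $lookup->execute([':uid' => $user_id, ':email' => $to]);
    if ($lookup->fetch() !== false) {
        return "Exist";
    }
    $insert = $pdo->prepare('INSERT INTO jt_members_external_contacts
        (j_user_id, contact_email, firstname) VALUES (:uid, :email, :name)');
    $insert->execute([':uid' => $user_id, ':email' => $to, ':name' => $name]);
    return "Inserted";
}

// Constructed sample input in the script's "address:::name" format.
$user_id = 42;
$emails = [
    "tim.o'brein@example.com:::Tim",   // the apostrophe that broke the original query
    "tim.o'brein@example.com:::Tim",   // second pass exercises the duplicate check
    "x' OR '1'='1:::Mallory",          // malformed value: fails validation, never reaches SQL
];
foreach ($emails as $entry) {
    list($to, $name) = explode(':::', $entry, 2);
    echo "$to => " . record_contact($pdo, $user_id, $to, $name) . "\n";
}
```

The three entries print Inserted, Exist and Rejected in that order; the apostrophe address is stored intact because no escaping or quoting is done by hand.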