您好我正在尝试制作交易脚本,用户可以交易对方的怪物。 所以我有一个脚本,它显示有怪物和他们输入的用户怪物,所以如果用户输入缺口,它将显示口袋妖怪的昵称怪物和用怪物输入它的用户。 所有的工作都很好,它显示了我想要的东西。 现在我想存储他们想要的怪物并在数据库中提供。那是我们遇到的问题。对于某些resosn,它存储用户名和交易者的用户名,但不是怪物。它的存储
{ “小宠物”:[ “”]} 对于trade_pokeid和trade_mypokeid
这里是我如何显示怪物和用户怪物工作正常
Trade with </h4>
<?php
$username_trade = $_POST['username_trade'];
$_SESSION['username_trade'] = $username_trade ;
echo "You put in id ". $username_trade . ".<br />";
?>
</p>
<p> </p>
<p><span class="mid_box">
<?php
// get and display userbox
$q = "SELECT id,pokemon,exp,level FROM user_pokemon WHERE belongsto='". $_SESSION['username_trade']."'";
$r = mysql_query($q);
if (mysql_num_rows($r) <= 0) {
echo "You have no current pokemon stored";
}
?>
</span></p>
<p> </p>
<p>
<?php
echo "<form action='test_process.php' method='POST'>";
while ( $v = mysql_fetch_object( $r ) )
{
echo "<label><input type='checkbox' name='pokemon[]' value='$v->dbid'/> They have a $v->pokemon </label><br/>";
echo "<label> Level $v->level </label><br/>";
}
echo "<input type='hidden' name='user' value='$username_trade'/>";
echo "<input type='submit' value='Check!!'/>";
?>
</p>
<p><strong>Pick what you want two offer for the pokemon </strong></p>
<p>
<?php
// get and display userbox
$q = "SELECT id,pokemon,exp,level FROM user_pokemon WHERE belongsto='". $_SESSION['username']."'";
$t = mysql_query($q);
if (mysql_num_rows($t) <= 0) {
echo "You have no current pokemon stored";
}
?>
</p>
<p>
<?php
echo "<form action='test_process.php' method='POST'>";
while ( $v = mysql_fetch_object( $t ) )
{
echo "<label><input type='checkbox' name='pokemonin[]' value='$v->dbid'/> I have a $v->pokemon</label><br/>";
echo "<label> Level $v->level </label><br/>";
}
echo "<input type='hidden' name='userin' value='$username'/>";
echo "</form>";
?>
<p align="center">
现在,我将尝试存储它们。
<?php
include 'config.php';
$pokemon = $_POST['pokemon'];
$pokemonin = $_POST['pokemonin'];
$meid = $_SESSION['username'];
$toid = $_POST['user'];
$dbid = array();
$dbid2 = array();
foreach ( $pokemon as $poke )
{ $dbid['pokemon'][] = $poke;
}
foreach ( $pokemonin as $poke2 )
{ $dbid2['pokemonin'][] = $poke2;
}
srand ((double) microtime( )*1000000);
$random_number = rand( );
echo "$random_number";
mysql_query("INSERT INTO trade (trade_id, trade_to, trade_from, trade_pokeid, trade_mypokeid)
VALUES ('$random_number','$toid', '$meid', '"$dbid."', '".$dbid2."');") or die("Error: ". mysql_error());
?>
我做错了什么?为什么结果没有存储?或继承db connect和session start在config.php页面
答案 0 :(得分:2)
在上一次MySQL查询中,您尝试将PHP数组作为字符串插入到查询中,这将无法正常工作。如果我猜对了,你会想要使用implode(",",$dbid['pokemon'])而不是$dbid之类的东西。
此外,在将查询放入查询之前,对来自用户和/或URL的任何内容运行mysql_real_escape_string绝对是一个好主意!
答案 1 :(得分:1)
您的代码已打开 sql注入! 你应该避免将参数(没有转义)传递给sql query =&gt;开始检查:
http://php.net/manual/en/function.mysql-real-escape-string.php
答案 2 :(得分:0)
你的MYSQL语句中有错误(不够 - 或点太多)......
VALUES ('$random_number','$toid', '$meid', '"$dbid."', '".$dbid2."')
应该阅读
VALUES ('$random_number','$toid', '$meid', '$dbid', '$dbid2')