php - 在浏览器中启用发帖 (post.php?name=MyName&body=MyText?)

Question

我创建了一个文本发布网站。除了在 post.php 页面上发布之外，我想让用户在键入 www.mywebsite.com/post.php?name=MyName&body=MyText? 时发布文本？我怎样才能做到这一点？

邮政编码如下所示：

  <?php


  //insert category to database
  if(isset($_POST['qty'])) {
    // Fetch and clean the <select> value.
    // The (int) makes sure the value is really a integer.
    $qty = (int)$_POST['qty'];


    // Create the INSERT query.
    $sql = "INSERT INTO `table`(`quantity`)
            VALUES ({$qty})";

    // Connect to a database and execute the query.
    $dbLink = mysql_connect('MyServer', 'username', 'password') or die(mysql_error());
              mysql_select_db('database_name', $dbLink) or die(mysql_errno());

    $result = mysql_query($sql);

    // Check the results and print the appropriate message.
    if($result) {
        echo "Record successfully inserted!";
    }
    else {
        echo "Record not inserted! (". mysql_error() .")";
    }
}



     if ($_POST['post'])
{
    //get data
    $title = $_POST['title'];
    $body = $_POST['body'];

    //check for existance
    if ($title&&$body)
    {
        mysql_connect("MyServer","username","password") or die(mysql_error());
        mysql_select_db("database_name") or die(mysql_error());

        $date = date("Y-m-d");

        //insert data
        $insert = mysql_query("INSERT INTO news VALUES ('','$title','$body','$date')") or die(mysql_error());

        die("Your text has been posted!");

    }
    else
        echo "Please fill out your name and text";
}
?>

score 1 · Accepted Answer

尝试使用 $_REQUEST - 它包含您发布到脚本的所有数据（来自 $_GET、$_POST 和 $_COOKIE 全局数组）

score 1 · Accepted Answer

第一个建议是，不惜一切代价避免基于查询字符串的直接查询！这是一个巨大的安全问题。

此外，您提供的代码可能存在许多安全漏洞和问题。

每当您通过 $_COOKIE、$_POST 或 $_GET 调用变量并在查询中使用它时，尽可能使用 MySQLI/PDO 准备语句，或至少使用 mysql_real_escape_string。这将尝试清理进入数据库的数据。

此外，您正在从 url/查询字符串获取参数，将 POST 更改为 GET。

此外，您的行说：

if($_GET['post'])

总是会失败，你的 url 中没有一个名为 post 的参数。为此，它需要看起来像：

post.php?post&name=MyName&body=MyText?)

见下文：

<?php

//insert category to database
// makes sure qty is numeric # added by sixeightzero
if(isset($_GET['qty']) && is_numeric($_GET['qty'])) {
// Fetch and clean the <select> value.
// The (int) makes sure the value is really a integer.
$qty = (int)$_GET['qty'];


// Create the INSERT query.
$sql = "INSERT INTO `table`(`quantity`)
        VALUES ({$qty})";

// Connect to a database and execute the query.
$dbLink = mysql_connect('MyServer', 'username', 'password') or die(mysql_error());
          mysql_select_db('database_name', $dbLink) or die(mysql_errno());

$result = mysql_query(mysql_real_escape_string($sql));     
// sanitizes input # added by sixeightzero

// Check the results and print the appropriate message.
if($result) {
    echo "Record successfully inserted!";
}
else {
    echo "Record not inserted! (". mysql_error() .")";
}
}



if (!isset($_GET['name']) && !isset($_GET['body'])){

//get data
$title = $_GET['name'];
$body = $_GET['body'];

//check for existance
if ($title && $body)
{
    mysql_connect("MyServer","username","password") or die(mysql_error());
    mysql_select_db("database_name") or die(mysql_error());

    $date = date("Y-m-d");

    //insert data
    $insert = mysql_query("INSERT INTO news VALUES ('','".mysql_real_escape_string($title)."','".mysql_real_escape_string($body)."','".mysql_real_escape_string($date)."')") or die(mysql_error());
    // sanitizes input # added by sixeightzero

    die("Your text has been posted!");

}
else
    echo "Please fill out your name and text";
}
?>

score 1 · Accepted Answer

这是完整的源代码！！尝试使用这个

  <?php


  //insert category to database
  if(isset($_POST['qty'])) {
    // Fetch and clean the <select> value.
    // The (int) makes sure the value is really a integer.
    $qty = (int)$_POST['qty'];


    // Create the INSERT query.
    $sql = "INSERT INTO `table`(`quantity`)
            VALUES ({$qty})";

    // Connect to a database and execute the query.
    $dbLink = mysql_connect('MyServer', 'username', 'password') or die(mysql_error());
              mysql_select_db('database_name', $dbLink) or die(mysql_errno());

    $result = mysql_query($sql);

    // Check the results and print the appropriate message.
    if($result) {
        echo "Record successfully inserted!";
    }
    else {
        echo "Record not inserted! (". mysql_error() .")";
    }
}



     if ($_SERVER['REQUEST_METHOD'] == "GET") //check whether its a GET method
{
    //get data, since you know that a valid "GET" request was sent
    $title = $_REQUEST['title'];
    $body = $_REQUEST['body'];


    if (isset($title) && isset($body)) //check for existance
    {
        mysql_connect("MyServer","username","password") or die(mysql_error());
        mysql_select_db("database_name") or die(mysql_error());

        $date = date("Y-m-d");

        //insert data
        $insert = mysql_query("INSERT INTO news VALUES ('','$title','$body','$date')") or die(mysql_error());

        die("Your text has been posted!");

    }
    else
        echo "Please fill out your name and text";
}
?>

score 1 · Accepted Answer

您将希望对查询字符串中的数据使用 $_GET 而不是 POST。

//get data
$title = $_GET['title']; // or name if it's name
$body = $_GET['body'];

score 0 · Accepted Answer

$_REQUEST基本上是的结果array_merge($_GET,$_POST,$_COOKIE)，因此您可以使用它来获取可能是 GET 或 POST 变量的值。

php - 在浏览器中启用发帖 (post.php?name=MyName&body=MyText?)

5 回答 5

Related

Reference