我有 2 个 php 页面:editpost.php 只是生成一个表单来编辑用户评论。addcomment.php,在这种情况下应该更新那个帖子的 mysql。它只是测试是否设置了 $_GET['edit'] 和正确的变量。由于某种原因,它从未读过真的。我在 Safari 中检查了 editpost.php 的“查看源代码”,它看起来不错。
编辑帖子.php:
<?php
require_once('checklogin.php');
//require_once('text_encode.php');
//die("Made it past require once");
if(isset($_SESSION['user'])&&isset($_GET['id']))
{
//die("made it past if statement");
$con = mysql_connect('localhost','REDACTED','REDACTED');
mysql_select_db('dancks_db',$con);
$q = mysql_query(sprintf("SELECT userID FROM UserTable WHERE nick='%s'",$_SESSION['user']),$con) or die(mysql_error());
if(mysql_num_rows($q)!=1)
{
//die("1");
redir();
}
else
{
$match = array(); $match2=array();
preg_match("/[0-9]{1,5}/",$_GET['id'],$match);
//preg_match("/[0-1]{1,1}/",$GET['type'],$match2);
if(implode($match)!=$_GET['id'])
{
die("2");
redir();
}
//if($_GET['id']==0)
else
{
$q2 = mysql_query(sprintf("SELECT * FROM Comments WHERE CommentID='%s'",$_GET['id']),$con) or die(mysql_query());
if(mysql_num_rows($q2)==1)
{
$vars = mysql_fetch_assoc($q2);
echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">
<html xmlns=\"http://www.w3.org/1999/xhtml\">
<head>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />
<title>Edit Post</title>
</head>
<body>";
echo "<form method=\"post\" action=\"addcomment.php?type=1,edit=1\">
<p>Rating:";
//die("rating: ".$q2['rating']);
for($i=1;$i<6;$i++)
{
echo "<label>".$i."</label><input type=\"radio\" name=\"rating\" value=\"".$i."\" ";if($vars['rating']==$i){echo "checked=\"checked\"";}echo " id=\"star".$i."\" />\n";
}
echo"</p>
<p>Title:<input type=\"text\" name=\"title\" value=\"".$vars['title']."\" /></p>
<p>Comment:<textarea rows=\"5\" cols=\"80\" name=\"review\" >".$vars['review']."</textarea></p>
<input type=\"hidden\" name=\"commentid\" value=\"".$_GET['id']."\" />
<input type=\"hidden\" name=\"subject\" value=\"".$vars['subject']."\" />
<input type=\"submit\" value=\"submit review\" />
</form>
</body>
</html>";
}
else
{
die("No comment found: get: ".$_GET['id']);
}
}
mysql_free_result($q);
}
}
else
{
die("3");
redir();
}
?>
添加评论.php:
<?php require_once('checklogin.php');
//die("type=".$_GET['type']." rating=".$_POST['rating']);
require_once('text_encode.php');
require_once('validate.php');
if(safe_isset($_GET['type'])&&safe_isset($_SESSION['user']))
{
if( (safe_isset($_POST['rating']))&&(safe_isset($_POST['title']))&&(safe_isset($_POST['review']))&&($_GET['type']==1))
{
$match = array(); $match2 = array();
preg_match("/[0-5]{1,1}/",$_POST['rating'],$match);
preg_match("/[0-1]{1,1}/",$_GET['type'],$match2);
if((implode($match)!=$_POST['rating'])&&(implode($match2)!=$_GET['type']))
{
die("type=".$_GET['type']." implode=".implode($match)." rating=".$_POST['rating']." implode=".implode($match2));
//die("Invalid input for rating or type");
redir();
}
else if( $_POST['rating']=="" || $_GET['type']=="" )
{
die("Rating or type reads empty string");
redir();
}
else if(safe_isset($_GET['edit']))
{
$con = mysql_connect('localhost','REDACTED','REDACTED');
mysql_select_db('dancks_db',$con);
$query=sprintf("UPDATE Comments SET rating='%s', title='%s', review='%s' WHERE CommentID='%s'",
mysql_real_escape_string($_POST['rating']),
mysql_real_escape_string($_POST['title']),
mysql_real_escape_string($_POST['review']),
mysql_real_escape_string($_POST['commentid']));
$r = mysql_query($query,$con) or die(mysql_error());
mysql_close($con);
die("Successful edit");
header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject']));
}
else
{
if(contains($_SERVER['HTTP_REFERER'],"editpost.php"))
{
die("Wrong spot");
}
$con = mysql_connect('localhost','REDACTED','REDACTED');
mysql_select_db('dancks_db',$con);
$query=sprintf("INSERT INTO Comments(nick,type,subject,rating,title,review) VALUES ('%s','%s','%s','%s','%s','%s')",
mysql_real_escape_string($_SESSION['user']),
mysql_real_escape_string($_GET['type']),
mysql_real_escape_string($_POST['subject']),
mysql_real_escape_string($_POST['rating']),
mysql_real_escape_string($_POST['title']),
mysql_real_escape_string($_POST['review']));
$r = mysql_query($query,$con) or die(mysql_error());
mysql_close($con);
//die("successful insert");
header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject']));
}
}
else
{
die("rating, title or review isnt set");
redir();
}
}
else
{
die("type isnt set or user isnt logged in");
redir();
}
?>
相关的额外代码:
function contains($text,$match)
{
return (preg_match("/".$match."/",$text)==1);
}
function safe_isset($text)
{
$good = false;
if(isset($text))
{
if(strlen($text)>0)
{
$good = true;
}
}
return $good;
}
这可能是我忽略的非常容易的事情。如果是这样的话,我很抱歉。我现在正在死记硬背,所以我很容易错过一些东西。或者也许欢迎我是否应该简单地重写或重组它的想法。