1

我有 2 个 php 页面:editpost.php 只是生成一个表单来编辑用户评论。addcomment.php,在这种情况下应该更新那个帖子的 mysql。它只是测试是否设置了 $_GET['edit'] 和正确的变量。由于某种原因,它从未读过真的。我在 Safari 中检查了 editpost.php 的“查看源代码”,它看起来不错。

编辑帖子.php:

<?php 
require_once('checklogin.php');
//require_once('text_encode.php');
//die("Made it past require once");
if(isset($_SESSION['user'])&&isset($_GET['id']))
{
    //die("made it past if statement");
    $con = mysql_connect('localhost','REDACTED','REDACTED');
    mysql_select_db('dancks_db',$con);
    $q = mysql_query(sprintf("SELECT userID FROM UserTable WHERE nick='%s'",$_SESSION['user']),$con) or die(mysql_error());
    if(mysql_num_rows($q)!=1)
    {
        //die("1");
        redir();
    }
    else
    {
        $match = array(); $match2=array();
        preg_match("/[0-9]{1,5}/",$_GET['id'],$match);
        //preg_match("/[0-1]{1,1}/",$GET['type'],$match2);
        if(implode($match)!=$_GET['id'])
        {
            die("2");
            redir();
        }
        //if($_GET['id']==0)
        else
        {
            $q2 = mysql_query(sprintf("SELECT * FROM Comments WHERE CommentID='%s'",$_GET['id']),$con) or die(mysql_query());
            if(mysql_num_rows($q2)==1)
            {
                $vars = mysql_fetch_assoc($q2);
                echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">
                <html xmlns=\"http://www.w3.org/1999/xhtml\">
                <head>
                <meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\" />
                <title>Edit Post</title>
                </head>
                <body>";
                echo "<form method=\"post\" action=\"addcomment.php?type=1,edit=1\">
                <p>Rating:";
        //die("rating: ".$q2['rating']);
        for($i=1;$i<6;$i++)
        {
            echo "<label>".$i."</label><input type=\"radio\" name=\"rating\" value=\"".$i."\" ";if($vars['rating']==$i){echo "checked=\"checked\"";}echo " id=\"star".$i."\" />\n";
        }
        echo"</p>
                <p>Title:<input type=\"text\" name=\"title\" value=\"".$vars['title']."\" /></p>
                <p>Comment:<textarea rows=\"5\" cols=\"80\" name=\"review\" >".$vars['review']."</textarea></p>
                <input type=\"hidden\" name=\"commentid\" value=\"".$_GET['id']."\" />
                <input type=\"hidden\" name=\"subject\" value=\"".$vars['subject']."\" />
                <input type=\"submit\" value=\"submit review\" />
                </form>
                </body>
                </html>";
            }
            else
            {
                die("No comment found: get: ".$_GET['id']);
            }
        }
        mysql_free_result($q);
    }
}
else
{
    die("3");
    redir();
}
?>

添加评论.php:

<?php require_once('checklogin.php');
//die("type=".$_GET['type']." rating=".$_POST['rating']);
require_once('text_encode.php');
require_once('validate.php');
if(safe_isset($_GET['type'])&&safe_isset($_SESSION['user']))
{
    if( (safe_isset($_POST['rating']))&&(safe_isset($_POST['title']))&&(safe_isset($_POST['review']))&&($_GET['type']==1))
    {
        $match = array(); $match2 = array();
        preg_match("/[0-5]{1,1}/",$_POST['rating'],$match);
        preg_match("/[0-1]{1,1}/",$_GET['type'],$match2);
        if((implode($match)!=$_POST['rating'])&&(implode($match2)!=$_GET['type']))
        {
            die("type=".$_GET['type']." implode=".implode($match)." rating=".$_POST['rating']." implode=".implode($match2));
            //die("Invalid input for rating or type");
            redir();
        }
        else if( $_POST['rating']=="" || $_GET['type']=="" )
        {
            die("Rating or type reads empty string");
            redir();
        }
        else if(safe_isset($_GET['edit']))
        {
            $con = mysql_connect('localhost','REDACTED','REDACTED');
            mysql_select_db('dancks_db',$con);
            $query=sprintf("UPDATE Comments SET rating='%s', title='%s', review='%s' WHERE CommentID='%s'",
            mysql_real_escape_string($_POST['rating']),
            mysql_real_escape_string($_POST['title']),
            mysql_real_escape_string($_POST['review']),
            mysql_real_escape_string($_POST['commentid']));
            $r = mysql_query($query,$con) or die(mysql_error());
            mysql_close($con);
            die("Successful edit");
            header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject']));
        }
        else
        {
            if(contains($_SERVER['HTTP_REFERER'],"editpost.php"))
            {
                die("Wrong spot");
            }
            $con = mysql_connect('localhost','REDACTED','REDACTED');
            mysql_select_db('dancks_db',$con);
            $query=sprintf("INSERT INTO Comments(nick,type,subject,rating,title,review) VALUES ('%s','%s','%s','%s','%s','%s')",
            mysql_real_escape_string($_SESSION['user']),
            mysql_real_escape_string($_GET['type']),
            mysql_real_escape_string($_POST['subject']),
            mysql_real_escape_string($_POST['rating']),
            mysql_real_escape_string($_POST['title']),
            mysql_real_escape_string($_POST['review']));
            $r = mysql_query($query,$con) or die(mysql_error());
            mysql_close($con);
            //die("successful insert");
            header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject']));
        }
    }
    else
    {
        die("rating, title or review isnt set");
        redir();
    }
}
else
{
    die("type isnt set or user isnt logged in");
    redir();
}
?>

相关的额外代码:

function contains($text,$match)
{
    return (preg_match("/".$match."/",$text)==1);
}
function safe_isset($text)
{
    $good = false;
    if(isset($text))
    {
        if(strlen($text)>0)
        {
            $good = true;
        }
    }
    return $good;
}

这可能是我忽略的非常容易的事情。如果是这样的话,我很抱歉。我现在正在死记硬背,所以我很容易错过一些东西。或者也许欢迎我是否应该简单地重写或重组它的想法。

4

3 回答 3

4

你是对的,这很简单。你需要一个&代替,

echo "<form method=\"post\" action=\"addcomment.php?type=1,edit=1\">
<p>Rating:";
// Should be:
echo "<form method=\"post\" action=\"addcomment.php?type=1&edit=1\">
<p>Rating:";
// -----------------------------------------------------^^^^

你有它的方式,edit传递的,但它是作为type值的一部分传递的,所以 PHP 看到

$_POST['type'] == '1,edit=1'

我还注意到,稍后您正在寻找$_GET['id'],但您已ID在查询字符串中定义。数组键区分大小写,因此请务必使用正确的大小写。

header(sprintf("Location:http://example.com/redacted/redacted/seller.php?ID=%s",$_POST['subject']));
//---------------------------------------------------------------------^^^^ upper case here....
// Access as $_GET['ID'], not $_GET['id']
于 2012-12-07T02:36:21.930 回答
2
echo "<form method=\"post\" action=\"addcomment.php?type=1,edit=1\">

应该

echo "<form method=\"post\" action=\"addcomment.php?type=1&edit=1\">
于 2012-12-07T02:40:52.320 回答
1
"<form method=\"post\" action=\"addcomment.php?type=1,edit=1\">
                <p>Rating:";

USE &

 "<form method=\"post\" action=\"addcomment.php?type=1&edit=1\">
                <p>Rating:";
于 2012-12-07T02:38:40.607 回答