0

我有一个带有 mysql 后端的聊天应用程序。我正在尝试添加一行代码,在房间更改功能完成后发布“...已加入房间”。

这是我的代码:

$PHP_PW = $_POST['password'];
$PHP_USER = $_POST['email'];
$PHP_ALIAS = $_POST['alias'];
$PHP_GENDER = $_POST['gender'];
$PHP_LON = $_POST['lon'];
$PHP_LAT = $_POST['lat'];
$PHP_STATUS = $_POST['status'];
$PHP_ROOM = $_POST['room'];
$PHP_ICON = $_POST['iconid'];
//$PHP_IP = $_SERVER['REMOTE_ADDR'];
$PHP_AGE = substr($_POST['age'],0,2);
$PHP_LOC = $_POST['location'];
$PHP_DOB = $_POST['dob'];
$PHP_IP  = $_POST['device_id'];

    if ($_POST['action']=="update")
{
if(!isset($PHP_USER))
{
    echo "ERROR";
} else
{

    if(isset($PHP_ROOM)) 
        $update = mysql_query("UPDATE USER SET room='$PHP_ROOM',lastupdate=NOW() WHERE email='$PHP_USER'")or die("ERROR80");
        $postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'"...has joined the room"','$PHP_ROOM')") or die("ERROR1");


    echo "OK 1";
}
mysql_close($db);

}

代码运行良好,没有$postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'"...has joined the"','$PHP_ROOM')") or die("ERROR1");

但是,如果我使用 $postmsg 行运行它,我不会收到错误或来自服务器的任何回复。

4

2 回答 2

1

我认为问题出在 $postmsg 中"...has joined the room"。它不是连接字符串的正确方法,它应该是,'"."..has joined the room"."',

于 2013-08-23T02:08:10.920 回答
0

如果省略花括号,则只有下一行被视为if语句主体的一部分。您的代码如下所示:

if (isset($PHP_ROOM)) {
    $update = mysql_query("UPDATE USER SET room='$PHP_ROOM',lastupdate=NOW() WHERE email='$PHP_USER'")or die("ERROR80");
}

$postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'"...has joined the room"','$PHP_ROOM')") or die("ERROR1");

你希望它这样做:

if (isset($PHP_ROOM)) {
    $update = mysql_query("UPDATE USER SET room='$PHP_ROOM',lastupdate=NOW() WHERE email='$PHP_USER'")or die("ERROR80");
    $postmsg = mysql_query("INSERT INTO DATA (msgid,userid,date,message,room) VALUES (NULL,1,CURRENT_TIMESTAMP,'"...has joined the room"','$PHP_ROOM')") or die("ERROR1");
}

此外,通过将未经处理的文本直接插入查询中,会使您的应用程序容易受到 SQL 注入的攻击。看看这个问题:如何防止 PHP 中的 SQL 注入?

于 2013-08-23T02:06:31.987 回答