0 
<?php
 header('Access-Control-Allow-Origin: *');
 header("Access-Control-Allow-Headers : Content-Type");
 include_once("db_connect.php");
  if(isset($_GET["u"])){
   $username = $_GET['u'];
    } else {
    echo "No UserName";
    exit();
   }
 if(isset($_GET["v"])){
  $video= $_GET['v'];
  } else {
   echo "No Video ID";
  exit();
 }
  if(isset($_GET["like"])){
   $like = $_GET["like"];
    } else {
    echo "No Like Parameter added.";
   }
 $sql = "SELECT * FROM rating WHERE video='$video' LIMIT 1";
 $video_query = mysqli_query($db_connection, $sql);
 $numrows = mysqli_num_rows($video_query);
 if($numrows < 1){
 $sql = "INSERT INTO rating (video,username)
         VALUES ('$video','$username')";
 $video_query = mysqli_query($db_connection, $sql);
  } 

  if(isset($_GET['like'])){
   $counter = (int)$_GET["like"];
 if($counter > 5 || $counter < 1){
   echo "Rating Seems To Be Off?";
   exit();
   }
 $sql = "UPDATE rating SET like='$counter' WHERE video='$video' AND username='$username'";
 $video_query = mysqli_query($db_connection, $sql);
  echo "Voted";
 }else {
   echo "No Parameter to Vote was applied";
 exit();
 }
?>

基本上我是怎么写GETs

?u=用户名&v=video0009&like=4

我希望 like=4 然后更新INT视频和用户名匹配的位置。虽然它一直保持在0。

还要保留这些,INT以便以后我可以将它们与mysqli_fetch_assoc? 只是好奇

4

2 回答 2

2

likemysql 的保留字,因此您需要使用反引号将它们引用。

替换您的查询:

$sql = "UPDATE rating SET like='$counter' WHERE video='$video' AND username='$username'";

和:

$sql = "UPDATE rating SET `like`='$counter' WHERE video='$video' AND username='$username'";

您的代码还有其他几个建议。首先也是最重要的可能是 SQL 注入。请在此处阅读SQL 注入。看看如何实现mysqli_real_escape_string。您将原始输入直接传递到您的数据库中。

于 2013-08-25T06:48:29.793 回答
0

1likemySql保留关键字

2 你的代码容易受到sql注入

$video= $_GET['v'];
$sql = "SELECT * FROM rating WHERE video='$video' LIMIT 1";

警告:您使用的是 Mysqli,这并不意味着您消除了 Sql 注入的风险您的代码仍然容易受到sql 注入的影响,您需要全部转义get,更好的方法是使用Prepared 语句postrequest

好读

  1. 如何防止 PHP 中的 SQL 注入?
于 2013-08-25T07:00:43.073 回答