0

我有这个代码,它存储在 view_profile.php 页面上。它有一个名为“添加为朋友”的表单。没有语法错误。但是当我提交表单时,它应该刷新并将我发送到发件箱页面时没有任何反应?此外,它应该向请求的用户收件箱发送一条消息。有任何想法吗?

PS:我是 PHP/MySQL 的新手,如果代码不是 100%,我很抱歉。我将在未来将这部分转换为 PDO,只是不想这样做,因为它是练习处理查询等。

<?php 
session_start();
include "db.php";

$sqlCommand = "SELECT userid, username FROM users WHERE username='" . $_SESSION['username'] . "'";
$query = mysql_query($sqlCommand, $connection) or die (mysql_error());
while ($row = mysql_fetch_array($query)) {
    $pid = $row["userid"];
    $from_username = $_SESSION['username'];
}
mysql_free_result($query);

$to_userid = $_POST['to_userid'];

$sqlCommand = "SELECT userid, username FROM users WHERE userid='$to_userid' LIMIT 1";
$query = mysql_query($sqlCommand, $connection) or die (mysql_error());
while ($row = mysql_fetch_array($query)) {
    $TOid = $_SESSION['username'];
}
mysql_free_result($query);
?>

<input name="to_username" type="hidden" id="to_username" value="<?php print $username;?>"/>
<input name="title" type="hidden" id="title" value="<?php print $from_username ?> wants to add you as a friend!"/>
<input name="content" type="hidden" id="content" value="<?php print $from_username; ?> wants to add you as a friend!"/>
<input name="to_userid" type="hidden" id="to_userid" value="<?php print $TOid; ?>"/>
<input name="from_username" type="hidden" id="from_username" value="<?php print $from_username ?>"/>
<input name="userid" type="hidden" id="from_username" value="<?php print $_SESSION['userid'] ?>"/>
<input name="senddate" type="hidden" id="senddate" value="<?php echo date("l, jS F Y, g:i:s a"); ?>"/>

<input type="submit" name="addFriend" id="addFriend" value="Add <?php print $username ?> as a friend!"  />

<?php 


if($_POST['addFriend']){

$to_username = $_POST['to_username'];
$title = $_POST['title'];
$content = $_POST['content'];
$to_userid = $_POST['to_userid'];
$userid =  $_POST['userid'];
$from_username = $_POST['from_username'];
$senddate = $_POST['senddate'];

require_once "db.php";

$query = mysql_query("INSERT INTO pm_outbox (userid, username, to_userid, to_username, title, content, senddate)VALUES('$userid', '$from_username', '$to_userid', '$to_username', '$title', '$content', '$senddate')",$connection) or die (mysql_error($connection)); 

$query = mysql_query( "INSERT INTO pm_inbox (userid,username,from_id, from_username, title,content,recieve_date)VALUES('$to_userid', '$to_username','$userid','$from_username', '$title', '$content','$senddate')",$connection) or die (mysql_error($connection));


echo "<meta http-equiv=\"refresh\" content=\"0; URL=pm_outbox.php\">";
exit();
}
?>
4

1 回答 1

0

您从未启动过表单标签

您需要在输入之前启动它们并在输入之后结束它们,这样它就变成了

<form action='Your_action_page_here.php' method='POST'>    
<input name="to_username" type="hidden" id="to_username" value="<?php print $username;?>"/>
<input name="title" type="hidden" id="title" value="<?php print $from_username ?> wants to add you as a friend!"/>
<input name="content" type="hidden" id="content" value="<?php print $from_username; ?> wants to add you as a friend!"/>
<input name="to_userid" type="hidden" id="to_userid" value="<?php print $TOid; ?>"/>
<input name="from_username" type="hidden" id="from_username" value="<?php print $from_username ?>"/>
<input name="userid" type="hidden" id="from_username" value="<?php print $_SESSION['userid'] ?>"/>
<input name="senddate" type="hidden" id="senddate" value="<?php echo date("l, jS F Y, g:i:s a"); ?>"/>
<input type="submit" name="addFriend" id="addFriend" value="Add <?php print $username ?> as a friend!"  />
</form>

我还注意到,在将变量插入表之前,您既没有验证也没有清理变量

这是您必须关注的一个非常重要的安全问题。我建议使用filter_var()进行验证。您还需要阅读这篇关于如何防止 SQL 注入的文章如何防止 SQL 注入?

于 2013-08-29T20:37:21.807 回答