0

首先,我对 PHP/MySQL 非常陌生,并且我知道正如其他人指出的那样,我的代码容易受到 MySQL 注入的影响,但现在我正在努力学习功能,然后再转向安全性。

好的,所以我正在从头开始构建一个私人消息系统,以帮助我理解编码,我遇到了一个障碍,我试图在回复字符串中发布“to_user”数据,我可以让其他一切成功发布但“to_user”(发送 PM 的人)和主题数据没有结转。

这是我的“view_pm.php”文件。

<?php
include 'core/init.php';
include 'includes/overall/header.php';
?>
<?php include "includes/inbox-menu.php"; ?>

<table>
<?php
$id = $_GET['id'];
$to_user = $user_data['user_id'];
$sql = "SELECT users.user_id, users.username, users.profile, messages.id, messages.to_user, messages.from_user, 
        messages.subject, messages.message, messages.has_read, messages.deleted, messages.date_sent
        FROM `messages`
        JOIN `users` ON messages.from_user = users.user_id 
        WHERE messages.to_user = '$to_user' AND messages.id = '$id' ORDER BY messages.date_sent DESC";
$result = mysql_query($sql);
$rows = mysql_fetch_array($result);
?><tr>
<td width="50px" align="center">
<img src="<?php echo $rows['profile']; ?>" width="40px"><br><?php echo $rows['username']; ?>
</td>
<td valign="top" width="350px">
<b><?php echo $rows['subject']; ?></b><br>
<?php echo $rows['message']; ?>
</td><td><?php echo $rows['date_sent']; ?></td>
</tr>
<tr>
<td colspan="3"><hr></td>
</tr>

<?php
$sql2 = "SELECT users.user_id, users.username, users.profile, messages.id, messages.reply_id, messages.to_user, messages.from_user, 
        messages.subject, messages.message, messages.has_read, messages.deleted, messages.date_sent
        FROM `messages`
        JOIN `users` ON messages.from_user = users.user_id 
        WHERE messages.to_user = '$to_user' AND messages.reply_id = '$id' ORDER BY messages.date_sent DESC";

$result2 = mysql_query($sql2);
while ($rows = mysql_fetch_assoc($result2)) {
?>
<tr>
<td width="50px" align="center">
<img src="<?php echo $rows['profile']; ?>" width="40px"><br><?php echo $rows['username']; ?>
</td>
<td valign="top" width="350px">
<b><?php echo $rows['subject']; ?></b><br>
<?php echo $rows['message'] ?>
</td><td><?php echo $rows['date_sent']; ?></td>
</tr>
<tr>
<td colspan="3"><hr></td>
</tr>

<?php } ?>
</table>

<form method="post" action="parsers/reply_pm.php">
Reply: <textarea name="message"></textarea><br>
<input type="hidden" name="from_user" value="<? echo $to_user; ?>">
<input type="hidden" name="to_user" value="<? echo $rows['from_user']; ?>">
<input type="hidden" name="subject" value="<? echo $rows['subject']; ?>">
<input type="hidden" name="reply_id" value="<? echo $id ?>">
<input type="submit" name="submit" value="Send Message">
</form>

<?php include 'includes/overall/footer.php'; ?>

这是我的“reply_pm.php”文件。

<?php
include '../core/init.php';

$reply_id = $_POST['reply_id'];
$to_user = $_POST['to_user'];
$from_user = $user_data['user_id'];
$subject = $_POST['subject'];
$message = $_POST['message'];

echo $sql = "INSERT INTO `messages`
        (reply_id, to_user, from_user, subject, message, date_sent)
        VALUES
        ('$reply_id','$to_user','$from_user','$subject','$message',now())";
$result = mysql_query($sql);
exit();
if($result){
    header("Location: ../view_pm.php?id=$reply_id");
    } else {
    echo "Error sending message.";
    }
?>

你可能注意到也可能没有注意到我在测试时正在回显结果,它目前正在返回..

INSERT INTO messages( reply_id, to_user, from_user, subject, message, date_sent ) VALUES ( '8','','1','','test reply goes here',now() )

提前致谢。

4

1 回答 1

0

关于 PHP,您应该了解的一件事是您在两个括号内定义的变量{}只能在此处访问,因此在您使用的代码中

while ($rows = mysql_fetch_assoc($result2)) {

所以$rows在左括号中定义,{直到关闭括号<?php } ?>后您无法访问变量。喜欢 :

<input type="hidden" name="to_user" value="<? echo $rows['from_user']; ?>">

您应该在语句之前定义一个变量while并稍后使用它,例如:

$from_user = "";
while ($rows = mysql_fetch_assoc($result2)) {
$from_user = $rows['from_user'];
.....
}
<input type="hidden" name="to_user" value="<? echo $from_user; ?>">

阅读有关此的更多信息:

http://php.net/manual/en/language.variables.scope.php

http://www.w3schools.com/php/php_variables.asp

于 2013-09-02T06:15:39.660 回答