-1

我几乎可以肯定我在这里遗漏了一些非常愚蠢的东西,但我越看越生气。

当我执行 follow.php 时,没有任何东西被插入到数据库中,也没有错误。在任何人说之前。是的,我知道这里有 SQL 注入漏洞。这是未完成的代码!

配置.php:

session_start();
$mysql_hostname = "XXXX";
$mysql_user = "XXXX";
$mysql_password = "XXXX";
$mysql_database = "XXXX";
$bd = mysql_connect($mysql_hostname, $mysql_user, $mysql_password) 
or die("Opps something went wrong");
mysql_select_db($mysql_database, $bd) or die("Opps something went wrong");

跟随.php:

session_start();
include('config.php');
$user_check=$_SESSION['login_user'];

$tagID=$_POST['id'];
$recID="select UserID from useradmin where username='$user_check' ";

$updatesql="INSERT INTO following (RecID, followID) VALUES ($recID, $tagID)";

mysql_select_db($mysql_database, $bd) or die("Opps some thing went wrong");

mysql_query($updatesql, $bd)

更多信息。我的插入语句的输出是:

INSERT INTO following (RecID, followID) VALUES (, 100006)

所以 $recid 没有被填充......

4

4 回答 4

2

我可以看到你定义了 $recID,但是使用了 $rec。

有没有机会,您想在运行 $updatesql 之前运行 $recID 查询并将返回的值保存到 $rec 中?

于 2013-09-19T13:11:18.667 回答
1

将代码的最后一行更改为

    mysql_query($updatesql, $bd) or die(mysql_error());

编辑

你应该改变这个

   $recID="select UserID from useradmin where username='$user_check' ";


  $sql_rec = "select UserID from useradmin where username='$user_check' ";
  $rs_rec = mysql_query($sql_rec);
  $data_rec = mysql_fetch_object($rs_rec);

  $recID = $data_rec->UserID;

$recID 现在将具有一个值,并且 INSERT 将起作用

于 2013-09-19T13:13:18.417 回答
1

尝试这个

$updatesql="INSERT INTO following (RecID, followID) VALUES ('".$rec"', '".$tagID."')";
于 2013-09-19T13:09:56.593 回答
0

尝试使用 mysqli 创建查询

$stmt = $mysqli->prepare("select UserID from useradmin where username=?");
$stmt->bind_param('s',$user_check);

$stmt->execute();
$res = $stmt->get_result();

$stmt = $mysqli->prepare("INSERT INTO following (RecID, followID) VALUES (?,?))";
$stmt->bind_param('si',$rec, $tagID);
$stmt->execute();

请参阅此处的教程http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php http://php.net/manual/en/mysqli-stmt.bind-param.php

于 2013-09-19T13:18:12.923 回答