I have a script that is supposed to insert a vote (-1 or +1) into a MySQL value, which it does, but it should also insert the ID of the item that was just voted on into another table, in array format, for the user who just voted, so that the item does not show up for that user again. So: insert 2 values into MySQL, then stop the said value from showing up again.
1) I don't know how to stop the value from showing up again. 2) It doesn't send the site's ID.
Code:
// Pick one random item from webmash (the item shown to the user).
$sql = "SELECT * FROM webmash ORDER BY RAND() LIMIT 1";
$result = mysql_query($sql) or print ("Can't select entry from table webmash.<br />" . $sql . "<br />" . mysql_error());
while($row = mysql_fetch_array($result)) {
$name = stripslashes($row['name']);
$description = stripslashes($row['description']);
$link = ($row['link']);
$votes = ($row['votes']);
$id = $row['id'];
}
// Read the user rows (likes/dislikes are stored as columns on webmashusers).
$sql2 = "SELECT * FROM webmashusers";
$result2 = mysql_query($sql2) or print ("Can't select entry from table webmashusers.<br />" . $sql2 . "<br />" . mysql_error());
while($row = mysql_fetch_array($result2)) {
$username = stripslashes($row['username']);
$likes = ($row['likes']);
$dislikes = ($row['dislikes']);
}
if(isset($_POST['like'])) {
$votes += 1;
// $_POST['id'] is concatenated straight into the query (unescaped user input).
$sql = "UPDATE webmash SET votes = $votes WHERE id = ".$_POST['id'];
mysql_query($sql);
// serialize() returns a string; wrapping it in array() gives an array, which
// becomes the literal string "Array" when interpolated into $sql2 below.
$sqllikes = array (serialize($id));
// "INSERT ... INTO ... WHERE" is not valid MySQL syntax; INSERT has no WHERE clause.
// $376770 is not a valid PHP variable name either (names cannot start with a digit).
$sql2 = "INSERT '$sqllikes' INTO webmashusers (likes) WHERE 'username' = '$376770'";
mysql_query($sql2);
}
if(isset($_POST['dislike'])) {
$votes -= 1;
$sql = "UPDATE webmash SET votes = $votes WHERE id = ".$_POST['id'];
mysql_query($sql);
$sqldislikes = array (serialize($id));
$sql2 = "INSERT '$sqldislikes' INTO webmashusers (dislikes) WHERE 'username' = '$376770'";
mysql_query($sql2);
}
Edit: $376770 is my username cookie.
-1 for the SQL injection vulnerability. – Johan 2011-06-02 10:56:13
Can I suggest you look at PDO prepared statements. Or mysqli, or even just `mysql_real_escape_string` would be better than nothing! At the moment your code has an SQL injection vulnerability. – lethalMango 2011-06-02 11:01:44
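The following is an added example, not the asker's code or anything posted in the thread, showing the same like/dislike flow written the way the comments recommend: PDO prepared statements with every user-supplied value bound as a parameter. It also addresses the two stated problems without a serialized array column. The schema is assumed: the original `webmash` table plus a hypothetical `webmash_votes(username, item_id, vote)` table with a primary key on `(username, item_id)`, so one row per user and item records both the vote and "already seen", and the next item is chosen with a `NOT EXISTS` subquery. The DSN, credentials and the `username` cookie name are placeholders.

```php
<?php
// Added example (not from the original post). Assumed (hypothetical) schema:
//   webmash(id INT PRIMARY KEY, name, description, link, votes INT)
//   webmash_votes(username VARCHAR(64), item_id INT, vote TINYINT,
//                 PRIMARY KEY (username, item_id))
// One row per (user, item) replaces the serialized-array column and makes
// "never show this item to this user again" a plain NOT EXISTS query.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: values never touch SQL text
]);

// The username comes from a cookie, as in the question. It is untrusted input
// and is only ever passed as a bound parameter, never concatenated into SQL.
$username = isset($_COOKIE['username']) ? (string) $_COOKIE['username'] : '';

function nextItemFor(PDO $pdo, string $username): ?array
{
    // Random item the user has not voted on yet (that is what keeps voted
    // items from showing up again).
    $stmt = $pdo->prepare(
        'SELECT w.id, w.name, w.description, w.link, w.votes
           FROM webmash w
          WHERE NOT EXISTS (SELECT 1 FROM webmash_votes v
                             WHERE v.username = :u AND v.item_id = w.id)
          ORDER BY RAND() LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function recordVote(PDO $pdo, string $username, int $itemId, int $vote): bool
{
    // Only +1 or -1 is accepted; anything else is rejected before touching the DB.
    if ($vote !== 1 && $vote !== -1) {
        return false;
    }
    $pdo->beginTransaction();
    try {
        // The (username, item_id) primary key makes a second vote on the same
        // item fail with a duplicate-key error instead of being counted twice.
        $ins = $pdo->prepare(
            'INSERT INTO webmash_votes (username, item_id, vote) VALUES (:u, :id, :v)'
        );
        $ins->execute([':u' => $username, ':id' => $itemId, ':v' => $vote]);

        // Adjust the counter in SQL rather than read-modify-write in PHP, so
        // two concurrent votes do not overwrite each other's result.
        $upd = $pdo->prepare('UPDATE webmash SET votes = votes + :v WHERE id = :id');
        $upd->execute([':v' => $vote, ':id' => $itemId]);

        $pdo->commit();
        return true;
    } catch (PDOException $e) {
        $pdo->rollBack(); // duplicate vote or DB error: nothing partially written
        return false;
    }
}

// Request handling: the item id is cast to int, and the vote direction comes
// from which button was pressed, not from a user-supplied number.
if ($username !== '' && isset($_POST['id'])
    && (isset($_POST['like']) || isset($_POST['dislike']))) {
    $itemId = (int) $_POST['id'];
    $vote   = isset($_POST['like']) ? 1 : -1;
    recordVote($pdo, $username, $itemId, $vote);
}

$item = nextItemFor($pdo, $username);
if ($item === null) {
    echo 'No more items to vote on.';
} else {
    // Output is escaped on the way out, for the same reason input is bound on the way in.
    echo htmlspecialchars($item['name'], ENT_QUOTES, 'UTF-8');
}
```

Two design points: the vote is applied with `votes = votes + :v` inside a transaction together with the `webmash_votes` insert, so a duplicate submission rolls back both statements, and the "don't show again" rule lives in the `SELECT` rather than in a list the application has to maintain.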