【发布时间】:2019-05-18 19:49:34
【问题描述】:
这是测试代码,我知道 sql 注入以及如何修复它们。这是一个很长的问题要解释,所以我会尽力而为。
这些是我数据库中的列
contentid (auto increments with every post, comment, and reply)
hostid (gets the value of the person who uploaded the original post)
postid (gets the value of the post, auto increments with every post)
userid (gets the value of the person who commented or replied)
date (gets the current time)
title (gets the title of the post entered by the host)
description (gets the description of the post entered by the host)
fileid (describes the type of post ex. video, picture, or blog)
commentid (auto increments with every comment)
comment (the actual comment entered by a user)
replyid (auto increments with every reply)
reply (the actual reply entered by a user)
我正在开发一个帖子系统,该系统允许用户发布内容,然后对帖子发表评论或从帖子中回复 cmets。我有一个名为 posts 的数据库,其中包含所有帖子 cmets 和回复。当数据库中没有与帖子具有相同 postid 值的评论时,不应回显任何内容。当数据库中没有与之前的评论具有相同 postid 和 commentid 的回复时,不应回显任何内容。
换句话说,如果没有评论或回复,则不会弹出任何内容。我得到了要显示的实际帖子,但是我的数据库中有没有显示的 cmets 和回复,有什么想法吗?
我的代码
function getPost($conn) {
$userName = $_GET["user"];
$postid = $_GET["post"];
$usersql = "SELECT * FROM users WHERE userName = '$userName'";
$userresult = mysqli_query($conn, $usersql);
while ($userrow = mysqli_fetch_assoc($userresult)) {
$hostid = $userrow['userid'];
$postsql = "SELECT * FROM posts WHERE hostid = '$hostid' AND postid = '$postid' AND commentid = 0";
$postresult = mysqli_query($conn, $postsql);
while ($postrow = mysqli_fetch_assoc($postresult)) {
if (mysqli_num_rows($postresult)==0) {
echo '
<p>Error. Post does not exist.</p>
';
}
else {
$title = $postrow['title'];
$description = $postrow['description'];
$filename = "posts/".$hostid."/".$postid.".*";
$fileinfo = glob($filename);
$fileext = explode(".", $fileinfo[0]);
$fileactualext = $fileext[1];
echo '
<div class="PostPage">
<p>
'.$postrow['title'].'<br>
<img src="posts/'.$hostid.'/'.$postid.'.'.$fileactualext.'"><br>
'.$postrow['date'].'<br>
'.$postrow['description'].'
</p>
</div>
';
// this part of the code I can't get to show up on the website
$commentsql = "SELECT * FROM posts WHERE hostid = '$hostid' AND postid = 'postid' AND commentid > 0 AND replyid = 0";
$commentresult = mysqli_query($conn, $commentsql);
while ($commentrow = mysqli_fetch_assoc($commentresult)) {
if (mysqli_num_rows($commentresult)==0) {
echo '
<p>There are no Comments.</p>
';
}
else {
echo '
<div class="PostComments">
<p>
'.$commentrow['comment'].'
</p>
</div>
';
$currentcommentid = $commentrow['commentid'];
$replysql = "SELECT * FROM posts WHERE hostid = '$hostid' AND postid = '$postid' AND commentid = '$currentcommentid' AND replyid > 0";
$replyresult = mysqli_query($conn, $repysql);
while ($replyrow = myslqi_fetch_assoc($replyresult)) {
if (mysqli_num_rows($replyresult)==0) {
echo '';
}
else {
echo '
<div class="PostReplies">
<p>
'.$replyrow['reply'].'
</p>
</div>
';
}
}
}
}
}
}
}
}
如果您有任何其他问题,我将非常乐意回答。
【问题讨论】: