I have a script that is supposed to insert a vote (-1 or +1) into a MySQL value, and it does, but it should also insert the ID of the item that was just voted on into another table, in array format, for the user who just voted, so that the item does not appear again for that user. So: insert 2 values into MySQL and then stop said value from appearing again.
1) I don't know how to stop the value from appearing again 2) it doesn't send the ID of the site
Code:
// Pick one random entry to show; the loop leaves the last (only) row's values in these variables.
$sql = "SELECT * FROM webmash ORDER BY RAND() LIMIT 1";
$result = mysql_query($sql) or print ("Can't select entry from table webmash.<br />" . $sql . "<br />" . mysql_error());
while($row = mysql_fetch_array($result)) {
    $name = stripslashes($row['name']);
    $description = stripslashes($row['description']);
    $link = $row['link'];
    $votes = $row['votes'];
    $id = $row['id'];
}

// Load the user rows; the query string is $sql2, not $sql (the original ran the first query again).
$sql2 = "SELECT * FROM webmashusers";
$result2 = mysql_query($sql2) or print ("Can't select entry from table webmashusers.<br />" . $sql2 . "<br />" . mysql_error());
while($row = mysql_fetch_array($result2)) {
    $username = stripslashes($row['username']);
    $likes = $row['likes'];
    $dislikes = $row['dislikes'];
}

if(isset($_POST['like'])) {
    // $votes comes from the random row selected above, not from the item in $_POST['id'].
    $votes += 1;
    // $_POST['id'] is concatenated straight into the query (SQL injection, see the comments below).
    $sql = "UPDATE webmash SET votes = $votes WHERE id = ".$_POST['id'];
    mysql_query($sql);
    $sqllikes = array (serialize($id));
    // "INSERT ... WHERE" is not valid MySQL, so this query never runs; $sqllikes is an array, not a string.
    $sql2 = "INSERT '$sqllikes' INTO webmashusers (likes) WHERE 'username' = '$376770'";
    mysql_query($sql2);
}
if(isset($_POST['dislike'])) {
    $votes -= 1;
    $sql = "UPDATE webmash SET votes = $votes WHERE id = ".$_POST['id'];
    mysql_query($sql);
    $sqldislikes = array (serialize($id));
    // Same problem as the "like" branch: invalid INSERT ... WHERE syntax.
    $sql2 = "INSERT '$sqldislikes' INTO webmashusers (dislikes) WHERE 'username' = '$376770'";
    mysql_query($sql2);
}
Edit: $376770 is my username cookie.
-1 for the SQL injection vulnerability. – Johan 2011-06-02 10:56:13
May I suggest you look into PDO prepared statements. Or mysqli, or even just 'mysql_real_escape_string' would be better than nothing! Currently your code has an SQL injection vulnerability. – lethalMango 2011-06-02 11:01:44
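One way to get both what the question asks for (each user sees an item only until they vote on it) and what the comments recommend (prepared statements), as an added example that is not code from the original post or its comments. It assumes a PDO connection, a new table webmashvotes(username, item_id, vote) with a UNIQUE key on (username, item_id), and that the voter's name is read from $_COOKIE['username'].

```php
<?php
// Added example, not from the original post. Assumed schema: webmashvotes
// (username, item_id, vote) with UNIQUE (username, item_id); connection
// details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=webmash_db;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
// A plain cookie is attacker-controlled; a server-side session would be the
// proper source of identity. It is only bound as a parameter here, never
// concatenated into SQL.
$username = $_COOKIE['username'] ?? '';

if ($username !== '' && (isset($_POST['like']) || isset($_POST['dislike']))) {
    $vote   = isset($_POST['like']) ? 1 : -1;
    $itemId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT); // reject non-integers
    if ($itemId !== false && $itemId !== null) {
        $pdo->beginTransaction();
        // One row per (user, item): a second vote is ignored by the unique key
        // instead of being counted again.
        $ins = $pdo->prepare(
            'INSERT IGNORE INTO webmashvotes (username, item_id, vote) VALUES (?, ?, ?)'
        );
        $ins->execute([$username, $itemId, $vote]);
        if ($ins->rowCount() === 1) {
            // Adjust the counter for the voted item in SQL, rather than writing a
            // value read earlier from an unrelated random row.
            $upd = $pdo->prepare('UPDATE webmash SET votes = votes + ? WHERE id = ?');
            $upd->execute([$vote, $itemId]);
        }
        $pdo->commit();
    }
}

// Show a random item this user has not voted on yet, so voted items do not reappear.
$sel = $pdo->prepare(
    'SELECT w.id, w.name, w.description, w.link, w.votes
       FROM webmash w
      WHERE NOT EXISTS (SELECT 1 FROM webmashvotes v
                         WHERE v.username = ? AND v.item_id = w.id)
      ORDER BY RAND() LIMIT 1'
);
$sel->execute([$username]);
$item = $sel->fetch(PDO::FETCH_ASSOC);
if ($item === false) {
    echo 'Nothing left to vote on.';
} else {
    // Escape on output as well: stored data is not safe to print raw.
    echo htmlspecialchars($item['name'], ENT_QUOTES, 'UTF-8');
}
```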