Php &引用;'中的未知列;字段列表'&引用;
我的php代码中有一个wierd bug,每次我输入一个值,它都会抛出一个错误,说第一个值不存在。。。 我插入数据库的第一个值($from)是错误中的值。 我试图用其他值更改位置,但每次第一个值都有错误。 我的代码有问题吗Php &引用;'中的未知列;字段列表'&引用;,php,mysql,Php,Mysql,我的php代码中有一个wierd bug,每次我输入一个值,它都会抛出一个错误,说第一个值不存在。。。 我插入数据库的第一个值($from)是错误中的值。 我试图用其他值更改位置,但每次第一个值都有错误。 我的代码有问题吗 <?php $from = $_GET['from']; $to = $_GET['to']; $message = $_GET['message']; $time = new DateTime(); $time = date('Y-m-d H:i:s'); $con
<?php
$from = $_GET['from'];
$to = $_GET['to'];
$message = $_GET['message'];
$time = new DateTime();
$time = date('Y-m-d H:i:s');
$con = mysqli_connect("localhost","root","","encrypchat");
if(mysqli_connect_errno($con))
{
echo "Failed to connect to MySql: " . mysqli_connect_error();
}
$check="SELECT * FROM `users` WHERE `username` = '$to'";
$rs = mysqli_query($con,$check);
$data = mysqli_fetch_array($rs, MYSQLI_NUM);
echo $data[0];
echo "<br />";
if($data[0] >= 1) {
echo "<br />"."USER EXISTS";
$sql="INSERT INTO ".$to."_msgs (`from_user`, `to_user`, `message`,`time`)
VALUES (`$from`, `$to`, `$message`,`$time`)";
if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
}
if(!$data[0]){
echo "<br />"."USER DOESNT EXIST";
}
mysqli_close($con);
?>
尝试删除backtics并在值列表中使用单引号,如
$sql="INSERT INTO ".$to."_msgs (`from_user`, `to_user`, `message`,`time`)
VALUES ('$from', '$to', '$message','$time')";
它们应该是撇号,而不是表示表名或列名的回号。确保GET变量中有值
在insert查询内的变量中使用反勾号(`),它应该是单引号(')
在查询中使用变量值之前,先对变量值的字符串进行转义,以避免某些SQL注入
我还建议您使用POST方法,如果您有太多的变量要传递,则不要使用GET方法
<?php
/* ESTABLISH CONNECTION */
$con = mysqli_connect("localhost","root","","encrypchat");
if(mysqli_connect_errno($con))
{
echo "Failed to connect to MySql: " . mysqli_connect_error();
}
/* USE MYSQLI_REAL_ESCAPE_STRING IN YOUR VARIABLES */
$from = mysqli_real_escape_string($con,$_GET['from']);
$to = mysqli_real_escape_string($con,$_GET['to']);
$message = mysqli_real_escape_string($con,$_GET['message']);
$time = new DateTime();
$time = date('Y-m-d H:i:s');
$check="SELECT * FROM `users` WHERE `username` = '$to'";
$rs = mysqli_query($con,$check); /* EXECUTE QUERY */
/* YOU CAN ALSO DIRECTLY USE IT TO $data=mysqli_num_rows($rs); AND USE $data IN YOUR CONDITIONS INSTEAD OF $data[0] */
$data = mysqli_fetch_array($rs,MYSQLI_NUM);
echo $data[0];
echo "<br />";
if($data[0] >= 1) { /* IF A RECORD HAS BEEN FOUND */
echo "<br />"."USER EXISTS";
$sql="INSERT INTO ".$to."_msgs (`from_user`, `to_user`, `message`,`time`)
VALUES ('$from', '$to', '$message','$time')"; /* YOU CAN USE BACKTICKS ON THE COLUMN NAME, BUT NOT FOR THE VARIABLES TO BE INSERTED */
if (!mysqli_query($con,$sql)) { /* IF QUERY FAILED */
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
}
else if(!$data[0]){ /* MADE IT INTO ELSE IF INSTEAD OF IF ONLY */
echo "<br />"."USER DOESNT EXIST";
}
mysqli_close($con);
?>
您很容易受到mysql注入攻击。。。使用准备好的语句plz。哦,每个用户都有自己的表?认真地只需使用关系“消息”表请提供数据库创建。您的代码极易受到SQL注入攻击,请学习如何使用准备好的语句。您的URL中是否真的有from和to?@LoganWayne不仅如此,URL中还包含整个消息
<?php
/* ESTABLISH CONNECTION */
$con = mysqli_connect("localhost","root","","encrypchat");
if(mysqli_connect_errno($con))
{
echo "Failed to connect to MySql: " . mysqli_connect_error();
}
/* USE MYSQLI_REAL_ESCAPE_STRING IN YOUR VARIABLES */
$from = mysqli_real_escape_string($con,$_GET['from']);
$to = mysqli_real_escape_string($con,$_GET['to']);
$message = mysqli_real_escape_string($con,$_GET['message']);
$time = new DateTime();
$time = date('Y-m-d H:i:s');
$check="SELECT * FROM `users` WHERE `username` = '$to'";
$rs = mysqli_query($con,$check); /* EXECUTE QUERY */
/* YOU CAN ALSO DIRECTLY USE IT TO $data=mysqli_num_rows($rs); AND USE $data IN YOUR CONDITIONS INSTEAD OF $data[0] */
$data = mysqli_fetch_array($rs,MYSQLI_NUM);
echo $data[0];
echo "<br />";
if($data[0] >= 1) { /* IF A RECORD HAS BEEN FOUND */
echo "<br />"."USER EXISTS";
$sql="INSERT INTO ".$to."_msgs (`from_user`, `to_user`, `message`,`time`)
VALUES ('$from', '$to', '$message','$time')"; /* YOU CAN USE BACKTICKS ON THE COLUMN NAME, BUT NOT FOR THE VARIABLES TO BE INSERTED */
if (!mysqli_query($con,$sql)) { /* IF QUERY FAILED */
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
}
else if(!$data[0]){ /* MADE IT INTO ELSE IF INSTEAD OF IF ONLY */
echo "<br />"."USER DOESNT EXIST";
}
mysqli_close($con);
?>