I started studying PHP on my own a week ago.
Therefore, I am trying to create a service like Twitter as one goal, but there are some things that I can't solve by myself, so I would like to ask you a question.
Currently, I am writing a program to register, log in, and reply to other users on my timeline.Therefore, when replying, we have provided reply_post_id to store the ID of the reply destination.In the id14 part of the image, the member_id10 user is replying to the member_id8 user, but it is not reflected in reply_post_id.I put the code below, but is there something wrong?I look forward to your kind cooperation.
php
// Record Posts
if(!empty($_POST)){
if($_POST['message']!='){
$sql=sprintf('INSERT INTO posts SET member_id=%d,
message="%s", reply_post_id=%d, created=NOW(),
mysqli_real_escape_string($mysqli, $member['id']),
mysqli_real_escape_string($mysqli,$_POST['message']),
mysqli_real_escape_string($mysqli,$_POST['reply_post_id'])
);
mysqli_query($mysqli,$sql) or die($mysqli_error());
header('Location:index.php');
exit();
}
}
html
I don't know where the $_REQUEST['res']
comes from, but I think the reply_post_id
field is empty or stringed.Check the source while viewing the form in your browser.
(It's not good to have space, but it should work…)
Also, if SQL is assembled in sprintf, there is a risk of SQL injection.
$sql='INSERT INTO posts(member_id, message, reply_post_id, created)VALUES(?,?,?, NOW())';
$stmt = mysqli_prepare($sql);
mysqli_stmt_bind_param($stmt, "i", $member['id']);
mysqli_stmt_bind_param($stmt, "s", $_POST['message']);
mysqli_stmt_bind_param($stmt, "i", $_POST['reply_post_id']);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
Use the binding mechanism as shown in
Also, if you don't pay attention to the web application, you will easily create a security hole.At least read IPA's How to create a secure website.It is recommended that you study with trusted books such as "How to Create a Secure Web Application to Learn Systematically" (ISBN 4797361190).
© 2024 OneMinuteCode. All rights reserved.