php变量在else函数中不起作用

问题描述：

So I'm using sql with php but one variable doesn't work. The variable $pagina works in the $sql but not within the else {} ($sql2 and header). The other variables do work ($naam and $bericht). Can anyone spot the mistake?
(Sorry for any possible mistakes in my English.)

<?php
$bericht = $_POST ['bericht'];
$pagina = $_GET ['id'];
$naam = $_SESSION['login'];
$con = mysqli_connect("host","sql","pw","sql");

if (empty($bericht)) {
}
    else
    {
$sql2="INSERT INTO Comments (bericht_id, naam, bericht) VALUES ('$pagina', '$naam', '$bericht')";
mysqli_query($con,$sql2);
header("location:directbericht.php?id=$pagina");
    }

$sql="SELECT * FROM Berichten WHERE id = $pagina";

if ($result=mysqli_query($con,$sql))
  {
  while ($obj=mysqli_fetch_object($result))
    {
    echo $obj->naam;
    echo "<br><br>";
    echo $obj->bericht;
    echo "<br><br>";
    echo $obj->datum;
    echo "<br><br>";
    }
}

$sql="SELECT * FROM Comments WHERE bericht_id = $pagina ORDER BY id ASC";

if ($result=mysqli_query($con,$sql))
  {
  while ($obj=mysqli_fetch_object($result))
    {
        echo "<tr><td><font color='white'>";
    echo $obj->naam;
    echo "<br><br>";
    echo $obj->bericht;
    echo "<br><br>";
    echo $obj->datum;
    echo "<br><br>";
        echo "</font></tr></td>";
    }
}

?>

所以我在php中使用sql但是一个变量不起作用。变量 $ pagina i>在 $ sql i>中工作，但不在 else {}（$ sql2和header） i>中。其他变量可以工作（$ naam和$ bericht） i>。任何人都可以发现错误吗？
（对不起我的英文错误。） p>

 ＆lt;？php 
 $ bericht = $ _POST ['bericht']  ; 
 $ pagina = $ _GET ['id']; 
 $ naam = $ _SESSION ['login']; 
 $ con = mysqli_connect（“host”，“sql”，“pw”，“sql”）  ; 
 
if（空（$ bericht））{
} 
其他
 {
 $ sql2 =“INSERT INTO评论（bericht_id，naam，bericht）VALUES（'$ pagina'，'$ naam'，  '$ bericht'）“; 
mysqli_query（$ con，$ sql2）; 
header（”location：directbericht.php？id = $ pagina“）; 
} 
 
 $ sql =”SELECT * FROM Berichten WHERE  id = $ pagina“; 
 
if（$ result = mysqli_query（$ con，$ sql））
 {
 while（$ obj = mysqli_fetch_object（$ result））
 {
 echo $ obj-＆gt;  naam; 
 echo“＆lt; br＆gt;＆lt; br＆gt;”; 
 echo $ obj-＆gt; bericht; 
 echo“＆lt; br＆gt;＆lt; br＆gt;”; 
 echo $ obj-＆gt; datum;  
 echo“＆lt; br＆gt;＆lt; br＆gt;”; 
} 
} 
 
 $ sql =“SELECT * FROM Comments WHERE bericht_id = $ pagina ORDER BY id ASC”; 
 
if（$ result  = mysqli_query（$ con，$ sql））
 {
 while（$ obj = mysqli_fetch_object（$ result））
 {
 
 ech  o“＆lt; tr＆gt;＆lt; td＆gt;＆lt; font color ='white'＆gt;”; 
 echo $ obj-＆gt; naam; 
 echo“＆lt; br＆gt;＆lt; br＆gt;”; 
 echo $  obj-＆gt; bericht; 
 echo“＆lt; br＆gt;＆lt; br＆gt;”; 
 echo $ obj-＆gt; datum; 
 echo“＆lt; br＆gt;＆lt; br＆gt;”; 
 echo“＆lt;  / font＆gt;＆lt; / tr＆gt;＆lt; / td＆gt;“; 
} 
} 
 
？＆gt; 
  code>  pre> 
  div>

答

There are a couple major things wrong with your code.

The first, and most important to deal with is how you're inserting data into the database. As it is currently written, you are vulnerable to a SQL injection attack. Please read on how to use mysqli's bind parameters, or better yet, upgrade to PDO.

Secondly, you're trying to pull data using both $_POST[] and $_GET[] in the same logic path. An http connection will be either a post, get, or some other kind of request. It will never be both. This is likely why it works when you put a number in, but not when you try to use $_GET[].

php变量在else函数中不起作用

相关推荐