在PHP中解析和回显SQL结果

I'm trying to write a simple PHP guestbook after following a few tutorials online. I am able to write to the database without any issues; however, when I try to parse through the existing comments and "echo" them back to the page, I am not seeing anything being displayed.

我正在尝试在线阅读一些教程之后编写一个简单的PHP留言簿。我能够毫无问题地写入数据库;但是,当我尝试解析现有的注释并将它们“回显”回页面时,我没有看到任何显示的内容。

Is there an obvious reason for this?

这有明显的原因吗?

(The code in question starts under "Existing Comments:")

(相关代码从“现有注释:”开始)

<?php
require_once('includes/config.inc.php');
define('DB_GUEST','guestbook_db');

// Connect
$mysqli = @new mysqli(DB_HOSTNAME,DB_USERNAME,DB_PASSWORD,DB_GUEST);

// Check connection 
if (mysqli_connect_errno()) { 
printf("Unable to connect to database: %s", mysqli_connect_error()); 
exit(); 
} 

// POST
if($_SERVER['REQUEST_METHOD'] == 'POST') {
    $now = time();
    $name=($_POST['name']);
    $message =($_POST['message']);

$sql = "insert into comments (name,message,timestamp) values  ('$name','$message','$now')";

    $result = $mysqli->query($sql) or die($mysqli->error.__LINE__);
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Guest Book</title>
</head>
<body>

<h3>Post A Comment:</h3>
<form action="index.php" method="post">
   <strong>Name:</strong><br/> <input type="text" name="name" /><br/>
   <strong>Comment:</strong><br/> <textarea name="message" rows="5" cols="25">           
<textarea><br/>
<input type="submit" value="Go">
</form>

<h3>Exisiting Comments:</h3>

<?php
$sql1 = "select * from guestbook_db.comments";
$allPostsQuery = $mysqli->query($sql1) or die($mysqli->error.__LINE__);

if(!mysql_fetch_rows($allPostsQuery)) {
    echo "No comments were found!";
} else {
while($row = mysql_fetch_assoc($allPostsQuery)) {
echo "<b>Name:</b> {$comment[1]} <br/>";
echo "<b>Message:</b> {$comment[2]} <br/>";
echo "<b>Posted at:</b> " .date("Y-d-m H:i:s",$comment[3]). " <br/><hr/>";
    }
}
?>
</body>
</html>

1 个解决方案

#1

Well, first off I have to make an obligatory warning about using $_POST variables directly. Your user could have put anything there, SQL injection strings included. Sanitize your data by using a PDO or parameterizing with mysqli.

好吧,首先我必须直接使用$ _POST变量发出强制性警告。您的用户可以放置任何内容,包括SQL注入字符串。使用PDO或使用mysqli参数化来清理数据。

With that out of the way, you are using the variable

除此之外,您正在使用变量

$comment

when you should be using

什么时候你应该使用

$row

as that is what you named the record variable in your while loop. Further, you've called mysql_fetch_assoc (should be mysqli's fetch_assoc() as well, you are mixing up mysql with mysqli - use the mysqli ones) which returns an associative array, not a index numbered one as you are assuming when you call $comment[1] for example.

因为这就是你在while循环中命名记录变量的原因。此外,你已经调用了mysql_fetch_assoc(也应该是mysqli的fetch_assoc(),你将mysql与mysqli混合使用 - 使用mysqli)返回一个关联数组,而不是一个编号为1的索引,就像你在调用$ comment时所假设的那样[1]例如。

In short, just some silly mistakes, but also go and read the docs on PHP's mysqli and about SQL injection.

简而言之,只是一些愚蠢的错误,而且还去阅读有关PHP的mysqli和SQL注入的文档。

#1