插入cookie和输入值mysqli [重复]

Question

您好，我正在尝试将 6 个值插入一个名为 post 的表中，但它不起作用并且出现错误。我的php代码哪里出错了？

错误：

解析错误：语法错误，意外的'"'，在第 22 行的 C:\xampp\htdocs\next.php 中需要标识符 (T_STRING) 或变量 (T_VARIABLE) 或数字 (T_NUM_STRING)

    <?php
    $cookie_name = 'longitude';
    //check if cookies available
    if(!isset($_Post["submit"])) {
      print 'error';
    } else {

if (
            empty($_POST['title']),
            empty($_POST['text'])

        ) {
            $message['error'] = 'Es wurden nicht alle Felder ausgefüllt.';
        } 
      $id = 'userid';
      $_COOKIE["$id"];
      $longitude = 'longitude';
      $_COOKIE["$longitude"];
      $latitude = 'latitude';
      $_COOKIE["$latitude"];
       $date = date('Y-m-d H:i:s');
            $mysqli = @new mysqli('localhost', 'root', '', 'local');
                if ($mysqli->connect_error) {
                    $message['error'] = 'Datenbankverbindung fehlgeschlagen: ' . $mysqli->connect_error;
                }
                $query = sprintf(
                    "INSERT INTO post (autorid, date, longitude, latitude, title, text)
                    SELECT * FROM (SELECT '%s') as new_post
                    WHERE NOT EXISTS (
                        SELECT autorid FROM post WHERE autorid = '$_COOKIE["$id"]' // line22
                    ) LIMIT 1;",
                    $mysqli->real_escape_string(@$_POST[$_COOKIE["$id"]]),
                    $mysqli->real_escape_string($_POST['$date']),           
                    $mysqli->real_escape_string($_POST['title']),
                    $mysqli->real_escape_string($_POST['text']),
                    $mysqli->real_escape_string(@$_POST[$_COOKIE["$longitude"]]),
                    $mysqli->real_escape_string(@$_POST[$_COOKIE["$latitude"]]),
                    $mysqli->real_escape_string(@$_POST[$_COOKIE["$id"]])

                );


                $mysqli->query($query);
                if ($mysqli->affected_rows == 1) {

                    header('Location: http://' . $_SERVER['HTTP_HOST'] . '/loc/main.php');

                } else {

                }

                $mysqli->close();
            }

    ?>
    <html>
    <head>
        <meta charset="UTF-8" /> 
        <title>
            HTML Document Structure
        </title>
        <link rel="stylesheet" type="text/css" href="style.css" />

        <link rel="stylesheet" href="http://code.jquery.com/mobile/1.3.0/jquery.mobile-1.3.0.min.css" />
        <script src="http://code.jquery.com/jquery-1.8.2.min.js"></script>
        <script src="http://code.jquery.com/mobile/1.3.0/jquery.mobile-1.3.0.min.js"></script>

        <!-- Einstellungen zur Defintion als WebApp -->
        <meta name="apple-mobile-web-app-capable" content="yes" />
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">

    </head>
    <body>



    <div id="wrapper1" data-role="fieldcontain">
        <form name="login-form" class="login-form" action="./next.php" method="post">

            <div class="header">
            </div>

            <div class="content">
            <label for="username"></label>
            <input name="title" type="text" class="input title" placeholder="title" id="title"/>
            <input name="text" type="text" class="input text" placeholder="text" id="text"/>        
            </div>

            <div class="footer">
            <input type="submit" name="submit" value="Login" class="button" data-theme="b"/>
            </div>

        </form>


    <div class="gradient"></div>


    </body>
    </html>

Answer 1

您必须使用双引号将变量 $_COOKIE["$id"] 括起来并连接字符串：

SELECT autorid FROM post WHERE autorid = '".$_COOKIE["$id"]."'

但更好的是使用准备好的语句。

Answer 2

  SELECT autorid FROM post WHERE autorid = '$_COOKIE["$id"]'

到

  SELECT autorid FROM post WHERE autorid = ".$_COOKIE["$id"]."

就sql注入而言仍然不安全。

Answer 3

引号$_COOKIE["$id"] => $_COOKIE[$id]