可以从QUERY_STRING中插入，但不能从MySQL中选择相同的值！

Question

As you can see, there's probably no reason why it shouldn't be working. I don't know what else I can do, any ideas? Any help is appreciated!

All I am trying to do, is view check if the value entered at the end of the url, matches one that is in the database (and yes , it IS in the database. :) Thank you

---

The code:

 <?php $keyword = substr($_SERVER['REQUEST_URI'],11); if($_REQUEST['action'] == "link") { $keyword = $_POST['keyword']; $link = $_POST['link']; $connection = mysql_connect("my01..com","h","h") or die(mysql_error()); if($connection) { mysql_select_db("mysql_17902_h", $connection); mysql_query( "INSERT INTO mysql_17902_h.links ( link, keyword) VALUES ( '".$link."', '".$keyword."')") or die(mysql_error()); $state = true; } } else { if(!empty($_POST)) { print_r($keyword); $connection = mysql_connect("my01.h.com","h","h") or die(mysql_error()); if($connection) { mysql_select_db("mysql_17902_h") or die(mysql_error()); $result = mysql_query("SELECT link FROM links WHERE keyword = $keyword") or die(mysql_error()); $row = mysql_fetch_array($result); $outsy = $row['link']; } $state = true; } } ?> 

Answer 1

Try rewriting your code so it's more legible:

$link = mysql_real_escape_string($_POST['link']);
$keyword = mysql_real_escape_string($_POST['keyword']);

$sql = <<<EOL;
INSERT INTO mysql_17902_h.links (link, keyword)
VALUES ('$link', '$keyword')
EOL;

mysql_query($sql) or die(mysql_error());

Note the use of mysql_real_escape_string() to prevent SQL injection attacks, and surrounding the variables with single quotes within the SQL string. You've neglected to do so here:

$result = mysql_query("SELECT link FROM links WHERE keyword = $keyword") or ...
                                                              ^^^^^^^^ 

No quotes around a text-type field is a syntax error. As well, at that point in the code, $keyword contains whatever the substr() call at the top of the script returned, so make sure that substr call actually does what you're intending.