我编写了php脚本,从mysql数据库向用户发送报告电子邮件。每个用户必须只接收他们自己的数据(带有他们的id)。脚本tabela.php使用用户内容生成html表。
<?php
//select data
$sql = "SELECT oports.id, oports.handlowiec, oports.data_rozp, oports.data_przed, oports.nazwa, oports.city, oports.nip, oports.inic, db_users.email FROM oports, db_users WHERE db_users.id = oports.user_id and db_users.id = '{$sqlid}'";
//execute query
$wynik = $polaczenie->query($sql);
//make table schema
echo "<p style=\"font-size:14px;\">There is your report:<br></p>";
echo "<p>";
echo "<table boder=\"1\"><tr>";
echo "<td bgcolor=\"#f4df8b\"><strong>ID</strong></td>";
echo "<td bgcolor=\"#f9d74d\"><strong>name</strong></td>";
echo "<td bgcolor=\"#f4df8b\"><strong>Date started</strong></td>";
echo "<td bgcolor=\"#f9d74d\"><strong>Date deadline</strong></td>";
echo "<td bgcolor=\"#f4df8b\"><strong>Company name</strong></td>";
echo "<td bgcolor=\"#f9d74d\"><strong>City</strong></td>";
echo "<td bgcolor=\"#f4df8b\"><strong>NIP</strong></td>";
echo "<td bgcolor=\"#f9d74d\"><strong>Initials</strong></td>";
echo "</tr>";
//loop for show data in table
while ( $row = mysqli_fetch_row($wynik) ) {
echo "</tr>";
echo "<td bgcolor=\"#f7e8ab\">" . $row[0] . "</td>";
echo "<td bgcolor=\"#fbe383\">" . $row[1] . "</td>";
echo "<td bgcolor=\"#f7e8ab\">" . $row[2] . "</td>";
echo "<td bgcolor=\"#fbe383\">" . $row[3] . "</td>";
echo "<td bgcolor=\"#f7e8ab\">" . $row[4] . "</td>";
echo "<td bgcolor=\"#fbe383\">" . $row[5] . "</td>";
echo "<td bgcolor=\"#f7e8ab\">" . $row[6] . "</td>";
echo "<td bgcolor=\"#fbe383\">" . $row[7] . "</td>";
echo "</tr>";
}
echo "</table>";
echo "<br>";
echo "<p style=\"font-size:10px;\">Jest to e-mail wygenerowany z systemu CRM. Prosimy na niego nie odpowiadać</p>";
?>脚本sender.php将数据发送给用户:
<?php
include 'connect.php';
//connect with database
$polaczenie = @new mysqli($host, $db_user, $db_password, $db_name);
//set charset to show polish letters
$polaczenie->set_charset("utf8");
//check connection
if ($polaczenie->connect_errno!=0)
{
echo "Error: ".$polaczenie->connect_errno." Opis: ". $polaczenie->connect_error;
}
else
{
//define id variable
$sqlid = 1;
//select emails for user with id = sqlid
$zap = "SELECT email from db_users where id = '{$sqlid}'";
//make query (for while loop)
$zapt = $polaczenie->query($zap);
//while there are some data, make instructions in loop
while (($zapt -> fetch_assoc()) !== null)
{
//there are results
//execute query again (without this loop do not work properly)
$zap = "SELECT email from db_users where id = '{$sqlid}'";
//show email and save to variable rowxx
$zapx = mysqli_query($polaczenie,$zap);
while ($rowx = mysqli_fetch_assoc($zapx)) {
print_r ($rowx);
$rowxx = $rowx["email"];
}
//include content of tabela.php
ob_start();
include "tabela.php";
$content = ob_get_clean();
//define mail headers, subject and message
$od = "From: itest@mail.pl \r\n";
$od .= 'MIME-Version: 1.0'."\r\n";
$od .= 'Content-type: text/html; charset=utf-8'."\r\n";
$to = $rowxx;
$subject = "Raport szans";
$message = $content;
if(mail($to, $subject, $message, $od))
{
echo "Mail sent!";
}
else
{
echo "Error with sending!";
}
$sqlid++;
$zapt = $polaczenie->query($zap);
}
//else
echo 'No results';
$polaczenie->close();
}
?>脚本工作正常,但对于最后一个id的用户发送一封邮件太多。如果有4个用户,最后一个将接收两封邮件,一封是数据正确的邮件,另一封是没有数据的邮件(空表)。sender.php脚本的输出为:
Array ( [email] => ika1@mail.pl ) Mail sent!Array ( [email] => pb1@mail.pl ) Mail sent!Array ( [email] => rr1@mail.pl ) Mail sent!Array ( [email] => pr1@mail.pl ) Mail sent!Mail sent!No results所以我看到在上一个“邮件发送”中没有电子邮件地址,但我是在pr1@mail.pl. 为什么?
1条答案
按热度按时间px9o7tmv1#
所以我修改了代码(简化while,删除嵌套whiles,修改while循环中查询的顺序,这是发送一封邮件太多的原因),现在它工作得很好,但是我仍然不知道sql注入怎么可能,因为没有post或get。