
Insert contact error

This is giving an error. (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@myemail.net' at line 1)

$user_id = $_SESSION['user_id'];

$emails = $_REQUEST['emails'];
$subject = "Invitation from $email";
$headers = 'From: '.$email;
foreach ($emails as $to) {
    // each entry is "address:::name"
    list($to,$name) = split(':::',$to,2);
    $message = "Hi $name, $email would like you to take a look at this site! http://www.lunarsys.com\r\n\r\n";
    mail($to, $subject, $message, $headers);
    echo "Mail sent to $name ($to)<br/>\r\n";

    // check whether this contact is already stored for the user
    $query = "SELECT j_user_id FROM jt_members_external_contacts WHERE j_user_id = $user_id AND contact_email = $to;";

    $result = mysql_query($query) or die(mysql_error());

    $conrows = mysql_num_rows($result);

    if($conrows > 0)
    {
        echo "Exist";
    }else
    {
        //Insert News into Articles Database
        $sql_insert = "INSERT into `jt_members_external_contacts`
                    (`j_user_id`,`contact_email`,`firstname`
                    )
                    VALUES
                    ('$user_id','$to','$name'
                    )
                    ";

        mysql_query($sql_insert) or die(header("Location: /error_page?error_msg=1"));
    }
}


replace this line:

$query = "SELECT j_user_id FROM jt_members_external_contacts WHERE j_user_id = $user_id AND contact_email = $to;";

with this:

$query = "SELECT j_user_id FROM jt_members_external_contacts WHERE j_user_id = $user_id AND contact_email = '$to'";


There should be quotes around $to:

 $query = "SELECT j_user_id FROM jt_members_external_contacts WHERE j_user_id = $user_id AND contact_email = '$to';";

By the way - if this is your actual source code, don't forget to properly escape the user input $_REQUEST['emails'], because as it stands this script has a serious SQL injection vulnerability where a specially crafted request parameter can compromise your database.

For example:

foreach ($emails as $to) {
    list($to,$name) = split(':::',$to,2);
    $to = mysql_escape_string($to);
    ...

This will also prevent valid email addresses like tim.o'brein@example.com breaking your script.

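The quoting fix above removes the syntax error, and escaping closes the injection hole; a prepared statement does both at once. The following is an added example, not code from the question or either answer; it assumes an open mysqli connection in $db, the table and column names from the question, and the same "email:::name" request format.

```php
<?php
// Added example: the question's lookup-then-insert with mysqli prepared
// statements, so $to and $name are bound as data and never spliced into SQL.
// Assumed: $db is a connected mysqli object; table/columns as in the question.
function addExternalContacts(mysqli $db, int $userId, array $emails): array
{
    $results = [];

    // Prepared once, executed per contact. The ? placeholders replace the
    // unquoted $to interpolation that produced the original syntax error.
    $check = $db->prepare(
        'SELECT j_user_id FROM jt_members_external_contacts
          WHERE j_user_id = ? AND contact_email = ?'
    );
    $insert = $db->prepare(
        'INSERT INTO jt_members_external_contacts (j_user_id, contact_email, firstname)
         VALUES (?, ?, ?)'
    );
    if ($check === false || $insert === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    foreach ($emails as $entry) {
        // Same "address:::name" format as the request parameter in the question;
        // explode() replaces the removed split(). Missing name becomes ''.
        [$to, $name] = array_pad(explode(':::', $entry, 2), 2, '');

        // Reject anything that is not an address before mail() or the DB sees it.
        if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
            $results[$to] = 'invalid';
            continue;
        }

        $check->bind_param('is', $userId, $to);
        $check->execute();
        $check->store_result();
        $exists = $check->num_rows > 0;
        $check->free_result();
        if ($exists) {
            $results[$to] = 'exists';
            continue;
        }

        // Bound values are sent separately from the statement text, so an
        // apostrophe in tim.o'brien@example.com is stored literally, not parsed.
        $insert->bind_param('iss', $userId, $to, $name);
        $results[$to] = $insert->execute() ? 'inserted' : 'error: ' . $insert->error;
    }
    return $results;
}
```

The returned array maps each address to what happened to it, which replaces the bare echo "Exist" and the die() redirect in the original.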