我试图使用在单独的函数中创建的字符串插入,但它似乎没有工作。
我知道我应该使用switch语句或其他东西,但它目前纯粹是为了测试。
<?php
function newItem($link){
$itemname = mysqli_real_escape_string($link, $_POST['itemname']);
if (strpos($itemname,'<') || strpos($itemname,'>') || strpos($itemname,'?') || strpos($itemname,'/') || strpos($itemname,'='))
{
echo "<script type='text/javascript'>alert('yeah....no');</script>";
} else {
$sql = "SELECT * FROM items WHERE itemname = '$itemname'";
$result = mysqli_query($link,$sql);
if(mysqli_num_rows($result) !== 1){
$sql = "INSERT INTO items(itemname,itemtype,attack,defence,energy)VALUES('$itemname'".RandomStats($link).")";
mysqli_query($link,$sql);
header("location: index.php");
}else{
echo "<script type='text/javascript'>alert('Item name already exists');</script>";
}
}
}
function RandomStats($link){
$rand = rand ( 1 , 100 );
$itemtype = rand (1,3);
$itemtypeString;
if($itemtype = 1){
$itemtypeString = 'Armour';
}
if($itemtype = 2){
$itemtypeString = 'Sword';
}
if($itemtype = 3){
$itemtypeString = 'Shield';
}
if($rand <= 50){
//common
$attack = rand (1 , 50);
$defence = rand (1 , 50);
$energy = rand (1 , 50);
$ItemStats = "','".$itemtypeString."','".$attack."','".$defence."','".$energy."'";
}
if ($rand >50 and $rand <= 80){
//rare
$attack = rand (1 , 100);
$defence = rand (1 , 100);
$energy = rand (1 , 100);
$ItemStats = "','".$itemtypeString."','".$attack."','".$defence."','".$energy."'";
}
if ($rand >80 and $rand <= 98){
//exotic
$attack = rand (1 , 150);
$defence = rand (1 , 150);
$energy = rand (1 , 150);
$ItemStats = "','".$itemtypeString."','".$attack."','".$defence."','".$energy."'";
}
if ($rand >98 and $rand <= 100){
//ledgendary
$attack = rand (1 , 200);
$defence = rand (1 , 200);
$energy = rand (1 , 200);
$ItemStats = "','".$itemtypeString."','".$attack."','".$defence."','".$energy."'";
}
return $ItemStats;
}
?>
仅仅是因为我创建字符串的方式不正确还是其他原因?
我在开始的时候有一个额外的',在做了调试之后,u_mulder帮助我