我有这个代码:
$email_message = $_GET['langmess'];
$email_subject = $_GET['langsub'];
if ($payment == 'gateway1') {
//Admin Email DATA
$admin_mail = mysqli_query($link, "SELECT * FROM email_template WHERE email_type = 'email_me' ");
$admin_mailData = mysqli_fetch_array($admin_mail);
//Variables
$string = $admin_mailData['$email_message'];
$subjectmail = $admin_mailData['$email_subject'];
$pattern = '/{(\w+)}/i';
$replacement = "$$1";
$msnAdminbody = preg_replace($pattern, $replacement, $string);
eval("\$msnAdminbody = \"<html><body> " . $msnAdminbody . " </body></html>\";");
这只是代码的一部分,但是我不确定是否可以使用变量从mySQL获取数据,其想法是url包含:http://mydomain/file.php?langmess = email_message_es_es&langsub = email_subject_es
orhttp://mydomain/file.php?langmess = email_message&langsub =email_subject
因此,将来可以用正确的语言将电子邮件发送给管理员和用户。
提前感谢您的帮助,我为我的英语感到抱歉。
它与mysql没有太大关系,但问题是:
$string = $admin_mailData['$email_message'];
$subjectmail = $admin_mailData['$email_subject'];
单语引号,PHP寻找一个名为“ $ email_message”的索引。您需要删除单个引号,以检索以变量值命名的列。
顺便说一句,这并不能解决您的代码中的所有安全问题。这样做的一种更安全的方法就是这样:
$language_code = $_GET['lang'];
if ($payment == 'gateway1') {
//Admin Email DATA
$admin_mail = mysqli_query($link, "SELECT * FROM email_template WHERE email_type = 'email_me' ");
$admin_mailData = mysqli_fetch_array($admin_mail);
//Variables
switch($language_code)
{
case 'es':
$string = $admin_mailData['email_message_es'];
$subjectmail = $admin_mailData['email_subject_es'];
break;
default:
$string = $admin_mailData['email_message'];
$subjectmail = $admin_mailData['email_subject'];
break;
}
$pattern = '/{(\w+)}/i';
$replacement = "$$1";
$msnAdminbody = preg_replace($pattern, $replacement, $string);
eval()确实在这里确实是不确定的,可以替换为:
$msnAdminbody = "<html><body> " . $msnAdminbody . " </body></html>";