1
我有三個單獨的頁面:modify.php允許用戶選擇一個發佈者併爲該發佈者創建一個會話變量。HTTP_REFERER行爲 - 需要協助
modify.php
<?php
session_start();
require ("../login.php");
if (!isset($_SESSION['user']))
header('Location: ../index.php');
if (isset($_POST['submit'])) {
$_SESSION['publisher'] = $_POST['publishers'];
header('Location: modify2.php');
}
$user_id = $_SESSION['user'];
$success = true;
include ("header.php");
include ("subnav.php");
$stmt = $db->prepare
("SELECT DISTINCT p.name
FROM subscriptions s
JOIN titles t
ON s.title = t.id
JOIN publishers p
ON t.publisher = p.name
WHERE s.user=:user
ORDER by p.name");
$stmt->bindValue(':user', $user_id, PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll();
$num_rows = count($rows);
if ($num_rows == 0) {
$success = false;
$errors[] = 'You currently have no subscriptions.';
}
?>
<h2>Modify Subscriptions</h2>
<?php
if (!empty($errors))
foreach($errors as $error)
echo $error;
?>
<?php
if ($success == true) { ?>
<form action="" method="post">
<ul>
<li>
Select Publisher:<br>
<select name="publishers">
<?php
foreach($rows as $row) {
echo '<option value ="'. $row['name'] . '">' . $row['name'] . '</option>';
} ?>
</select>
</li>
<li>
<input type="submit" value="Select Publisher" name ="submit" id="submit">
</li>
</ul>
</form>
<?php } ?>
<?php
include ("footer.php");
?>
modify2.php從modify.php接收會話變量 「出版者」 和檢索是由該發行者的標題。然後,它會取消發行會話變量有兩個原因:1)它是不再需要2)如果該變量爲空,則mofify2.php知道該引用者是從錯誤的頁面
modify2.php未來
<?php
session_start();
require ("../login.php");
if (!isset($_SESSION['user']))
header('Location: ../index.php');
if (!isset($_SESSION['publisher']))
header('Location: modify.php');
$referer = $_SERVER['HTTP_REFERER'];
if (basename($referer) <> 'modify.php')
header('Location: modify.php');
if (isset($_POST['submit'])) {
$_SESSION['title'] = $_POST['title'];
unset($_SESSION['publisher']);
header('Location: modify3.php');
}
$user_id = $_SESSION['user'];
$publisher = $_SESSION['publisher'];
include ("header.php");
include ("subnav.php");
$stmt = $db->prepare
("SELECT t.title
FROM titles t
JOIN publishers p
ON t.publisher = p.name
JOIN subscriptions s
ON t.id = s.title
WHERE s.user=:user AND t.publisher=:publisher
ORDER by t.title");
$stmt->bindValue(':user', $user_id, PDO::PARAM_INT);
$stmt->bindValue(':publisher', $publisher, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll();
$num_rows = count($rows);
if ($num_rows == 0)
$errors[] = 'There are currently no titles for that publisher.';
?>
<h2>Modify Subscriptions</h2>
<?php
if (!empty($errors))
foreach($errors as $error)
echo $error;
?>
<form action="" method="post">
<ul>
<li>
Select Title:<br>
<select name="title">
<?php
foreach($rows as $row) {
echo '<option value ="'. $row['id'] . '">' . $row['title'] . '</option>';
} ?>
</select>
</li>
<li>
<input type="submit" value="Select Title" name ="submit" id="submit">
</li>
</ul>
</form>
<?php
include ("footer.php");
?>
這個文件是其中存在的問題。無論出於什麼原因,我的http_referer代碼塊都阻止訪問該頁面。任何幫助,將不勝感激。
modify3.php
<?php
session_start();
require ("../login.php");
if (!isset($_SESSION['user']))
header('Location: ../index.php');
if (!isset($_SESSION['title']))
header('Location: modify2.php');
$referer = $_SERVER['HTTP_REFERER'];
if (basename($referer) <> 'modify2.php');
header('Location: modify2.php');
$user_id = $_SESSION['user'];
$title = $_SESSION['title'];
$success = false;
if (isset($_POST['submit'])) {
$covers = (isset($_POST['covers'])) ? 1 : 0;
if (empty($_POST['quantity']))
$errors[] = 'You must enter a quantity!';
else if (!is_numeric($_POST['quantity']))
$errors[] = 'You must enter a number for the quantity field!';
else if (is_numeric($_POST['quantity']) && $_POST['quantity'] > 5)
$errors[] = 'If you want to subscribe to more than 5 of the same issue, please contact us';
else {
$stmt = $db->prepare("UPDATE subscriptions SET quantity=:quantity, covers=:covers WHERE user=:id AND title=:title");
$stmt->bindValue(':quantity', $_POST['quantity'], PDO::PARAM_INT);
$stmt->bindValue(':covers', $covers, PDO::PARAM_INT);
$stmt->bindValue(':id', $user_id, PDO::PARAM_INT);
$stmt->bindValue(':title', $title, PDO::PARAM_INT);
$stmt->execute();
$success = true;
unset($_SESSION['title']);
}
}
include ("header.php");
include ("subnav.php");
?>
<h2>Modify Subscriptions</h2>
<?php
if (!empty($errors))
foreach($errors as $error)
echo $error;
?>
<?php
if ($success == false) { ?>
<form action="" method="post">
<ul>
<li>
<b>Title To Modify:</b><br>
<?php
$stmt = $db->prepare("SELECT title FROM titles WHERE id=:title");
$stmt->bindValue(':title', $title, PDO::PARAM_STR);
$stmt->execute();$rows = $stmt->fetchAll();
foreach ($rows as $row) {
echo $row['title'];
}
?>
</li>
<li>
<br><input type="checkbox" name="covers" value="covers"
<?php
$stmt = $db->prepare("SELECT covers FROM subscriptions WHERE user=:id AND title=:title");
$stmt->bindValue(':id', $user_id, PDO::PARAM_INT);
$stmt->bindValue(':title', $title, PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll();
foreach ($rows as $row)
if ($row['covers'] == 1)
echo 'checked';
?>
>Check to opt-in for all regular priced covers.
</li>
<li>
<br><b>Quantity Requested:</b> <br>
<input type="text" name="quantity" value="<?php $stmt = $db->prepare("SELECT quantity FROM subscriptions WHERE user=:user AND title=:title"); $stmt->bindValue(':user', $user_id, PDO::PARAM_INT); $stmt->bindValue(':title', $title, PDO::PARAM_INT); $stmt->execute(); $rows = $stmt->fetchAll(); foreach ($rows as $row) echo $row['quantity']; ?>">
</li>
<li>
<input type="submit" value="Save Changes" name="submit" id="submit">
</li>
</ul>
</form>
<?php }
else { ?>
<p>You have succesfully updated your title!</p>
<?php } ?>
<?php
include ("footer.php");
?>
如果我把下面的代碼塊出來:
$referer = $_SERVER['HTTP_REFERER'];
if (basename($referer) <> 'modify2.php');
header('Location: modify2.php');
然後我的網頁可以正常工作,但它不會阻止人們手動輸入,進入他們的瀏覽器並以錯誤的方式訪問它。
這不會破壞任何東西,但是你應該在你的'Location:'標題中使用完整的URL。雖然相對路徑可行,但它違反了現行標準。 – Brad