目前我有一個PHP編輯腳本,它允許用戶編輯他們發佈的廣告,但我已經意識到用戶可以修改?id = number來調出另一組數據然後編輯其他數據並將其保存在數據庫中。如何從用戶表格安全地編輯數據庫中的信息PHP
有沒有什麼辦法可以讓用戶點擊他們發佈的廣告進行修改,他們只能訪問他們自己的廣告,以至於他們無法通過調整來編輯其他人的廣告id?=和一種保護表單不被操縱的方法?
非常感謝任何人的幫助!
這裏是我當前的代碼:
<?php
/*
EDIT.PHP
Allows user to edit specific entry in database
*/
// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($id, $fname, $lname, $contact, $price, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Record</title>
<link rel="stylesheet" type="text/css" href="stylesheet.css">
<style type="text/css">
#page-wrap {
position:absolute;
top: 206px;
left: 288px;
width: 50%;
text-align:left;
background-color:#FFF;
padding: 10px;
border-radius: 10px;
box-shadow: 1px 2px 2px #888888;
}
</style>
<script type = "text/javascript">
function myfunction(url)
{
window.location.href = url;
}
</script>
</head>
<body>
<div class="container">
<div id="imagelogo" onclick = "window.location.href = 'index.html'" >
<p> Buy and sell stuff around University</p>
</div>
<ul id="navigation" name="navigation">
<li id="nav-home"><a href="index.html">Home</a></li>
<li id="nav-search"><a href="search.php">Search</a></li>
<li id="nav-selling"><a href="#">Selling</a></li>
<li id="nav-buying"><a href="#">Buying</a></li>
<li id="nav-FAQ"><a href="#">FAQ</a></li>
<li id="nav-contact"><a href="#">Contact</a></li>
<p> </p>
<p> </p>
<p> </p>
<p>Sponsors</p>
</ul>
<div id="account">
<?php
if(isset($_SESSION['username'])){
echo "<a href='securedpage1.php'>My Account</a><img src='images/uni-icon.png' width='30' height='18' style='vertical-align: middle;'/>";
}else{
echo "<a href='login.php' >Login</a><img src='images/uni-icon.png' width='30' height='18' style='vertical-align: middle;'/>";
}
?>
</div>
<div id="registerlogout">
<?php
if(isset($_SESSION['username'])){
echo "<a href='logout.php'>Logout</a>";
}else{
echo "<a href='register.php'> Register</a>";
}
?>
</div>
<div id="social">
<img src="images/fb-logo.png" width="22" height="20" />
<img src="images/twitter-logo.png" width="24" height="25" />
</div>
<div id="page-wrap">
<?php
// if there are any errors, display them
if ($error != '')
{
echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?>
<form action="" method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div>
<strong>Ad Title: *</strong> <input type="text" name="fname" style="width: 60%; box- sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;"value="<?php echo $fname; ?>"/><br/>
<strong>Description: *</strong> <textarea name="lname" cols="45" rows="5"><?php echo $lname; ?></textarea><br/>
<strong>Contact*</strong> <input type="text" name="contact" style="width: 60%; box- sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;" value="<?php echo $contact; ?>"/><br/>
<strong>Price*</strong> <input type="text" name="price" style="width: 60%; box-sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;" value="<?php echo $price; ?>"/><br/>
<p>* Required</p>
<input type="submit" name="submit" value="Submit">
</div>
</form>
</div>
</div>
</body>
</html>
<?php
}
// Inialize session
session_start();
// connect to the database
include('conn.php');
// check if the form has been submitted. If it has, process the form and save it to the database
if (isset($_POST['submit']))
{
// confirm that the 'id' value is a valid integer before getting the form data
if (is_numeric($_POST['id']))
{
// get form data, making sure it is valid
$id = $_POST['id'];
$fname = mysql_real_escape_string(htmlspecialchars($_POST['fname']));
$lname = mysql_real_escape_string(htmlspecialchars($_POST['lname']));
$contact = mysql_real_escape_string(htmlspecialchars($_POST['contact']));
$price = mysql_real_escape_string(htmlspecialchars($_POST['price']));
// check that firstname/lastname fields are both filled in
if ($fname == '' || $lname == '' || $contact == '' || $price == '')
{
// generate error message
$error = 'ERROR: Please fill in all required fields!';
//error, display form
renderForm($id, $fname, $lname, $contact, $price, $error);
}
else
{
// save the data to the database
mysql_query("UPDATE people SET price='$price', contact='$contact', fname='$fname', lname='$lname' WHERE id='$id'")
or die(mysql_error());
// once saved, redirect back to the view page
header("Location: view.php");
}
}
else
{
// if the 'id' isn't valid, display an error
echo 'Error!';
}
}
else
// if the form hasn't been submitted, get the data from the db and display the form
{
// get the 'id' value from the URL (if it exists), making sure that it is valid (checing that it is numeric/larger than 0)
if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0)
{
// query db
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM people WHERE id=$id")
or die(mysql_error());
$row = mysql_fetch_array($result);
// check that the 'id' matches up with a row in the databse
if($row)
{
// get data from db
$fname = $row['fname'];
$lname = $row['lname'];
$contact = $row['contact'];
$price = $row['price'];
// show form
renderForm($id, $fname, $lname, $contact, $price, '');
}
else
// if no match, display result
{
echo "No results!";
}
}
else
// if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
{
echo 'Error!';
}
}
?>
謝謝你的快速回復! 我已將此添加到我的查詢中,但它似乎不起作用 $ username = $ _SESSION ['username']; (更新人SET價格='$ price',contact ='$ contact',fname ='$ fname',lname ='$ lname'WHERE id ='$ id'和username ='$ username'「) 或die(mysql_error()); – neeko
抱歉已經得到它現在的工作!謝謝!! – neeko
與此相關的問題是您必須使用會話。 – Osman