1. 首頁
  2. 問答
  3. PHP刪除評論按鈕

PHP刪除評論按鈕

2014-01-10 256 views
-1

我對PHP很新穎(目前正在做一個大學項目)。我的網站是一個管理網站,約有3位管理員用戶可以登錄和更改網站等。目前,我對我的評論(用戶可以發佈到網站的評論)有刪除功能,但任何進入網站的人都可以看到刪除功能,並可以刪除任何機構的評論?PHP刪除評論按鈕

我想讓它只有我的管理員登錄後才能看到刪除功能,並且隨後成爲唯一可以刪除評論的人。我有一個用戶數據庫,其中包含名稱,密碼,用戶名和電子郵件列。我想知道如果有人可以請看看我的代碼,並告訴我如何改變這一點,只有當管理員登錄時,他們才能看到按鈕並刪除評論。

$str_message = ""; 
    if (!$db_server){ 
     die("Unable to connect to MySQL: " . mysqli_connect_error()); 
    }else{ 

     //if ($_SESSION['admin'] == 'yes') { 


     if(isset($_GET['delete'])){ 
      $deleteq="DELETE FROM comments WHERE ID={$_GET['delete']} LIMIT 1"; 

      $deleter=mysqli_query($db_server, $deleteq); 
      IF($deleter){ 
       echo"<p>That message was deleted!</p>";}} 


     //} 

     //Test whether form has been submitted 
     if(trim($_POST['submit']) == "Submit"){ 
      //Handle submission 
      $resp = recaptcha_check_answer ($privatekey, 
              $_SERVER["REMOTE_ADDR"], 
              $_POST["recaptcha_challenge_field"], 
              $_POST["recaptcha_response_field"]); 
      if (!$resp->is_valid) { 
       // What happens when the CAPTCHA was entered incorrectly 
       $str_message = "The reCAPTCHA wasn't entered correctly. Go back and try it  
    again. 
           (reCAPTCHA said: " . $resp->error . ")"; 
      } else { 

       // Your code here to handle a successful verification 
       $comment = $_POST['comment']; 
       if($comment != ""){ 
        $query = "INSERT INTO comments (comment) VALUES ('$comment')"; 
        mysqli_query($db_server, $query) or die("Comment insert failed: " .  
    mysqli_error($db_server)); 
        $str_message = "Thanks for your comment!"; 
       }else{ 
        $str_message = "Invalid form submission"; 
       } 
      } 
     } 
     //Create page with or without submission 
     $query = "SELECT * FROM comments"; 
     $result = mysqli_query($db_server, $query); 
     if (!$result) die("Database access failed: " . mysqli_error($db_server)); 
     { 

     while($row = mysqli_fetch_array($result)){ 
     $ID= $row['ID']; 



      $str_result .= "<p><em>Comment $j (" . $row['commDate'] . 
        ")</em><br /> " .$row['comment'] . "</p> 
        <a href ='commentnow.php?delete=$ID 
        '>Delete</a><hr />"; 
     } 
     mysqli_free_result($result); 
    } } 

    ?>

來源

2014-01-10 user3178755

+0

無關,但我相當確定這是通常的做法,不刪除數據,而只是有一個刪除標誌。我會建議考慮這種方法。 – 2014-01-10 21:09:14

+0

取消註釋在執行刪除操作之前檢查用戶是否爲管理員的代碼。 – Barmar

+0

^然後在底部還添加一個if語句,根據用戶是否是管理員擁有兩個可能的'$ str_result'分配語句(如果用戶是管理員,顯然沒有刪除按鈕) – 2014-01-10 21:13:05

回答

0 
if ($_SESSION['admin'] == 'yes') { 
<insert code to generate a delete button here> 
}

來源

2014-01-10 21:13:33 donsiuch

+0

應該有在上面的代碼中也是一個檢查服務器端,不允許刪除 – cmorrissey

0

首先,你需要在你的登錄頁面來改變。當用戶登錄時,然後檢查他是否是管理員用戶。如果是,則將會話變量($_SESSION['admin'])設置爲yes或將其設置爲no。嘗試像這樣:

//login.php 
if (!$db_server){ 
      die("Unable to connect to MySQL: " . mysqli_connect_error()); 
     }else{ 

    session_start(); 
    $sql="Select * FROM users WHERE user_name = 'your_username' and LIMIT 1"; 
    $result=mysqli_query($db_server, $sql); 
    $objUser = $result->fetch_object(); 
    if($objUser->user_type =="admin") 
     $_SESSION['admin'] = 'yes'; 
     else 
     $_SESSION['admin'] = 'no'; 
    //rest of your code for login the user 
}

然後在您的刪除頁面檢查當前用戶是否是admin。如果是,則執行查詢,否則回顯消息。像這樣:

session_start(); 
$str_message = ""; 
    if (!$db_server){ 
     die("Unable to connect to MySQL: " . mysqli_connect_error()); 
    }else{ 


     if(isset($_GET['delete'])){ 
      if ($_SESSION['admin'] == 'yes') { 
       $deleteq="DELETE FROM comments WHERE ID={$_GET['delete']} LIMIT 1"; 

       $deleter=mysqli_query($db_server, $deleteq); 
       if($deleter){ 
       echo"<p>That message was deleted!</p>";} 
      } 
      else 
      { 
      echo "you are not admin"; 
      } 

     } 

     //Test whether form has been submitted 
     if(trim($_POST['submit']) == "Submit"){ 
      //Handle submission 
      $resp = recaptcha_check_answer ($privatekey, 
              $_SERVER["REMOTE_ADDR"], 
              $_POST["recaptcha_challenge_field"], 
              $_POST["recaptcha_response_field"]); 
      if (!$resp->is_valid) { 
       // What happens when the CAPTCHA was entered incorrectly 
       $str_message = "The reCAPTCHA wasn't entered correctly. Go back and try it  
    again. 
           (reCAPTCHA said: " . $resp->error . ")"; 
      } else { 

       // Your code here to handle a successful verification 
       $comment = $_POST['comment']; 
       if($comment != ""){ 
        $query = "INSERT INTO comments (comment) VALUES ('$comment')"; 
        mysqli_query($db_server, $query) or die("Comment insert failed: " .  
    mysqli_error($db_server)); 
        $str_message = "Thanks for your comment!"; 
       }else{ 
        $str_message = "Invalid form submission"; 
       } 
      } 
     } 
     //Create page with or without submission 
     $query = "SELECT * FROM comments"; 
     $result = mysqli_query($db_server, $query); 
     if (!$result) die("Database access failed: " . mysqli_error($db_server)); 
     { 

     while($row = mysqli_fetch_array($result)){ 
     $ID= $row['ID']; 



      $str_result .= "<p><em>Comment $j (" . $row['commDate'] . 
        ")</em><br /> " .$row['comment'] . "</p> 
        <a href ='commentnow.php?delete=$ID 
        '>Delete</a><hr />"; 
     } 
     mysqli_free_result($result); 
    } } 

    ?>

我認爲它是有道理的!

來源

2014-01-10 21:27:15

1

如果我們假設你的註釋語句來檢查用戶是否是管理員(if ($_SESSION['admin'] == 'yes')),那麼下面的代碼應該給你一個關於如何去做的好主意。有兩個地方需要添加if語句。我一直無法測試這個,但看看這個代碼中你看到的地方// ADMIN IF STATEMENT,我希望你明白你的代碼需要做什麼修改才能正常工作。

<? 

$str_message = ""; 

if (!$db_server) { 

    die("Unable to connect to MySQL: " . mysqli_connect_error()); 

} else { 

    if ($_SESSION['admin'] == 'yes') { // ADMIN IF STATEMENT 

     if (isset($_GET['delete'])) { 

      $deleteq = "DELETE FROM comments WHERE ID={$_GET['delete']} LIMIT 1"; 
      $deleter = mysqli_query($db_server, $deleteq); 

      if ($deleter) { 

       echo "<p>That message was deleted!</p>"; 

      } 

     } 

    } 

    //Test whether form has been submitted 
    if (trim($_POST['submit']) == "Submit") { 

     //Handle submission 
     $resp = recaptcha_check_answer(
      $privatekey, 
      $_SERVER["REMOTE_ADDR"], 
      $_POST["recaptcha_challenge_field"], 
      $_POST["recaptcha_response_field"] 
     ); 

     if (!$resp->is_valid) { 

      // What happens when the CAPTCHA was entered incorrectly 
      $str_message = "The reCAPTCHA wasn't entered correctly. Go back and try it again. (reCAPTCHA said: " . $resp->error . ")"; 

     } else { 

      // Your code here to handle a successful verification 
      $comment = $_POST['comment']; 

      if ($comment != "") { 

       $query = "INSERT INTO comments (comment) VALUES ('$comment')"; 
       mysqli_query($db_server, $query) or die("Comment insert failed: " . mysqli_error($db_server)); 
       $str_message = "Thanks for your comment!"; 

      } else { 

       $str_message = "Invalid form submission"; 

      } 

     } 
    } 

    //Create page with or without submission 
    $query = "SELECT * FROM comments"; 
    $result = mysqli_query($db_server, $query); 

    if (!$result) die("Database access failed: " . mysqli_error($db_server)); { 

     while ($row = mysqli_fetch_array($result)) { 

      $ID = $row['ID']; 

      if ($_SESSION['admin'] == 'yes') { // ADMIN IF STATEMENT 

       $str_result .= "<p><em>Comment $j (" . $row['commDate'] . ")</em><br /> " .$row['comment'] . "</p><a href ='commentnow.php?delete=$ID'>Delete</a><hr />"; 

      } else { 

       $str_result .= "<p><em>Comment $j (" . $row['commDate'] . ")</em><br /> " .$row['comment'] . "</p>"; 

      } 
     } 

     mysqli_free_result($result); 

    } 

} 

?>

來源

2014-01-10 21:33:56

+0

'$ deleteq =「DELETE FROM comments WHERE ID = {$ _ GET ['delete']} LIMIT 1」;'我認爲這個查詢容易受到sql注射。 也見 http://stackoverflow.com/questions/5370426/how-does-affect-a-mysql-query-in-php –

+0

@RomanPickl很多的海報代碼是錯誤的,但我個人不喜歡燒傷人們的漏洞 – 2014-01-10 21:50:55

+0

@Sinmai我明白這一點。有時代碼中的部分代碼似乎無法修復,但可能會降低學習編碼人員的興趣。不過,無論如何,我猜這是好事。 –

相關問題

 相關問題