Using the POST method to hide URL parameters

As far as I know, I can use URL parameters with the POST method to display data according to a particular variable. I know how to do this with the GET method, but I have been told that the POST method can be used to hide the part of the URL that looks like this:

/data.php?parameter=1234

What is the actual difference between the two methods with regard to URL parameters?

Here is some code that works from a particular link:
```php
<?php
// Pulls in the variables set in 'configs/config.php' and the functions from
// 'configs/functions.php'; the config variables are set before anything else.
require('configs/config.php');
require('configs/functions.php');

// The actual interaction with the database, according to the id.
// (As posted: the id is concatenated straight into the SQL, which is the
// SQL injection the question and the comment below refer to.)
$query = mysql_query("SELECT * FROM table WHERE id=" . $_GET['id'] . ";") or die("An error has occurred");

// Redirects the user to an error page, so they cannot view the page
// if no rows match the query.
if (mysql_num_rows($query) < 1)
{
    header('Location: 404.php');
    exit;
}

// Each column of the matching row is fetched and assigned to a variable.
while ($row = mysql_fetch_array($query))
{
    $id    = $row['id'];
    $title = $row['title'];
    $month = $row['month'];
    $day   = $row['day'];
    $photo = $row['photo'];
    $text  = $row['text'];
}
?>
```
The ID comes from a separate page, where I generate links to the data.php file based on the IDs pulled from the database, like this:

```php
<a href="post.php?id=<?php echo $content['id']; ?>"><?php echo $content['title']; ?></a>
```
Setting aside the potential SQL injection in the code above, how would I go about using the POST method to hide the URL parameter, or at least not have it show up like this:

http://example.com/data.php?id=1
A small side note: `mysql_query("SELECT * FROM table WHERE id=" . $_GET['id'] . ";")` (simply adding POST to the form only removes the parameter from the URL) is very vulnerable to SQL injection, so if you put this online and your database contains important data, be careful. – Mason
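Added example, not the asker's or Mason's code, showing both points at once: the link page emits a POST form so the id travels in the request body rather than the URL, and the handler reads it with validation and a prepared statement. It assumes `configs/config.php` provides a PDO connection in `$pdo` and that the table is called `posts` with an integer primary key `id` (the original uses the placeholder name `table` and the deprecated `mysql_*` functions).

```php
<?php
// Added example (not the asker's code). Assumes configs/config.php exposes a PDO
// connection as $pdo, and a table `posts` with an integer primary key `id`.
require 'configs/config.php';

// Link page: a POST form replaces <a href="data.php?id=...">. The id is still sent
// by the browser and still fully under the user's control; POST only keeps it out
// of the address bar, browser history and typical access logs.
function renderLink(array $content): string
{
    $id    = (int) $content['id'];
    $title = htmlspecialchars($content['title'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="data.php">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<button type="submit">' . $title . '</button>'
         . '</form>';
}

// data.php: validate the id and bind it as a parameter, so it is never spliced into
// the SQL string. The same function would be correct for $_GET; the injection fix is
// the prepared statement, not the switch from GET to POST.
function fetchPost(PDO $pdo, array $request): ?array
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // missing, non-numeric or out-of-range id: treat as not found
    }
    $stmt = $pdo->prepare('SELECT id, title, month, day, photo, text FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $row = fetchPost($pdo, $_POST);
    if ($row === null) {
        header('Location: 404.php');
        exit;
    }
    // Escape on output as well; the title came from the database, not from the user.
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
}
```

Anything a visitor must not be able to choose (another user's record, for instance) needs an authorization check on the server; moving the id into a POST body does not stop a client from changing it.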