使用$ _GET重定向URL輸入錯誤

Question

我有一種表單，用戶可以選擇日期以獲取特定的存檔頁面。但是，當他們到達該頁面時，他們可以手動輸入URL中的值並從數據庫中獲取不同的結果。到目前爲止，我已經設法重定向幾乎所有的錯誤，除了一個之外，URL看起來像這樣content.php?day=mon&year=2015&month=jan&week=wk1。如果用戶輸入不允許的日/年/月/周的值，則會將其重定向到errors/wrong_url.php。但是，如果他們自己更改變量名稱，即日/年/月/周/。我的重定向失敗，頁面正常加載但出錯。 如果月份和星期變量名稱被改變，重定向就起作用。但是，如果年份和日期變量名稱被更改，則頁面無需var日的內容加載，var年的內容加載。

if(isset($_GET['year'])){ 
 

 
    $year = preg_replace('/[^a-zA-Z0-9]/', '', $_GET['year']); 
 
    $month = preg_replace('/[^a-zA-Z0-9]/', '', $_GET['month']); 
 
    $week = preg_replace('/[^a-zA-Z0-9]/', '', $_GET['week']); 
 
    $datefdr = $year."-".$month."-".$week; 
 

 
    $page_url = $_SERVER['REQUEST_URI']; 
 
    $day_pattern = '/id=[a-z]*/'; 
 
    $year_pattern = '/id=[0-9]*/'; 
 
    $month_pattern = '/id=[a-z]*/'; 
 
    $week_pattern = '/id=[a-z0-9]*/'; 
 

 
    if(isset($_GET['day'])){ 
 
     $category = preg_replace('/[^a-zA-Z0-9]/', '', $_GET['day']); 
 
     $days_list = array("mon", "tue", "wed", "thur", "fri", "sat", "sun"); 
 
     $year_list = array("2015", "2016", "2017", "2018", "2019", "2020", "2021"); 
 
     $month_list = array("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"); 
 
     $week_list = array("wk1", "wk2", "wk3", "wk4"); 
 

 
     if (preg_match($day_pattern, $page_url) && preg_match($year_pattern, $page_url) && preg_match($month_pattern, $page_url) && preg_match($week_pattern, $page_url)){ 
 
      if (in_array($year, $year_list) && in_array($month, $month_list) && in_array($week, $week_list) && in_array($category, $days_list)){ 
 
       switch ($category) { 
 
        case "monday": 
 
         $query = "SELECT * FROM vidz WHERE day='monday' AND datefdr='$datefdr'"; 
 
         break; 
 
       } 
 
      }else{ 
 
        header("Location:errors/wrong_url.php"); 
 
      } 
 
     }else{ 
 
      header("Location:errors/wrong_url.php"); 
 
     } 
 
     
 
    } 
 
}else { 
 
    $url_name = $_SERVER['PHP_SELF']; 
 
    $file_name = basename($url_name); 
 
    $file_name = basename($url_name, ".php"); 
 

 
    switch ($file_name) { 
 
     case "content": 
 
      $query = "SELECT * FROM vidz WHERE day='content' AND datefdr='content'"; 
 
      break; 
 
    } 
 
    
 
}

我已經有一個JavaScript函數，防止用戶提交一個空的形式。謝謝。

Answer 1

想通了，我的安排都錯了。

if(isset($_GET['day'])){ 
 
    $category = $_GET['day']; 
 
    $year = $_GET['year']; 
 
    $month = $_GET['month']; 
 
    $week = $_GET['week']; 
 
\t $datefdr = $year."-".$month."-".$week; 
 
    $days_list = array("mon", "tue", "wed", "thur", "fri", "sat", "sun"); 
 
    $year_list = array("2015", "2016", "2017", "2018", "2019", "2020", "2021"); 
 
    $month_list = array("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"); 
 
    $week_list = array("wk1", "wk2", "wk3", "wk4"); 
 

 
    if (in_array($year, $year_list) && in_array($month, $month_list) && in_array($week, $week_list) && in_array($category, $days_list)){ 
 
     switch ($category) { 
 
      case "mon": 
 
       $query = "SELECT * FROM blog WHERE day='mon' AND datefdr='$datefdr'"; 
 
       break; 
 
     } 
 
    }else{ 
 
      header("Location:http://dundaah.com/errors/wrong_url.php"); 
 
    } 
 
    
 
}else { 
 
    if (isset($_GET['year']) || isset($_GET['month']) || isset($_GET['week'])) { 
 
     header("Location:http://dundaah.com/errors/wrong_url.php"); 
 
    }else{ 
 
     $url_name = $_SERVER['PHP_SELF']; 
 
\t  $file_name = basename($url_name); 
 
\t  $file_name = basename($url_name, ".php"); 
 

 
\t  switch ($file_name) { 
 
\t   case "content": 
 
\t    $query = "SELECT * FROM blog WHERE day='content' AND datefdr='content'"; 
 
\t    break; 
 
\t  } 
 
\t  
 
    } 
 

 
}