下面的代码都在我的网站上一个名为'useraccount.php'的文件上。由于该页面目前存在,因此它有一个供登录管理员添加新用户帐户的表单,下面还有一个表,显示数据库中已经存在的帐户。我想为每个现有帐户添加一个"删除"按钮,并尝试了各种方法纳入这一点,但还没有找到一个解决方案,工作。如果有人能与我分享一些专业知识,我将不胜感激。我需要知道如何设置按钮来携带数据库行号变量,以便php能够识别要删除的行,以及在哪里以及如何安全地执行php中的删除查询。代码中的注释显示了我的部分尝试。
当前PHP代码
<?php
require("connect.php");
if(empty($_SESSION['user']) || empty($_SESSION['adminaccess']))
{
header("Location: login.php");
die("Redirecting to login.php");
}
//BEGIN DATA FETCHING TO DISPLAY CURRENT USERS
$query = "
SELECT
id,
username,
display_name,
email,
admin
FROM users
";
try
{
$stmt = $db->prepare($query);
$stmt->execute();
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$rows = $stmt->fetchAll();
//END DATA FETCHING TO DISPLAY CURRENT USERS
//BEGIN USER DELETE FUNCTION
//IM NOT SURE HOW TO SET THIS UP, OR IF IT'S EVEN IN THE RIGHT PLACE
$id = isset($_POST['id'])?intval($_POST['id']):0;
if($id>0) { $query = "DELETE FROM users WHERE id = '$id'";
}
//END USER DELETE FUNCTION
//BEGIN FOR ADD NEW USER
if(!empty($_POST))
{
if(empty($_POST['username']))
{
header("Location: useraccounts.php");
die("Redirecting to: useraccounts.php");
$error = "Please enter a username.";
}
if(empty($_POST['password']))
{
header("Location: useraccounts.php");
die("Redirecting to: useraccounts.php");
$error = "Please enter a password.";
}
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
{
header("Location: useraccounts.php");
die("Redirecting to: useraccounts.php");
$error = "Invalid E-Mail Address";
}
$query = "
SELECT
1
FROM users
WHERE
username = :username
";
$query_params = array(
':username' => $_POST['username']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
header("Location: useraccounts.php");
die("Redirecting to: useraccounts.php");
$error = "This username is already in use";
}
$query = "
SELECT
1
FROM users
WHERE
email = :email
";
$query_params = array(
':email' => $_POST['email']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
header("Location: useraccounts.php");
die("Redirecting to: useraccounts.php");
$error = "This email address is already registered";
}
$query = "
INSERT INTO users (
username,
display_name,
password,
salt,
email,
admin
) VALUES (
:username,
:display_name,
:password,
:salt,
:email,
:admin
)
";
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_POST['password'] . $salt);
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
$query_params = array(
':username' => $_POST['username'],
':display_name' => $_POST['display_name'],
':password' => $password,
':salt' => $salt,
':email' => $_POST['email'],
':admin' => $_POST['admin']
);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
header("Location: useraccounts.php");
die("Redirecting to useraccounts.php");
}
?>
显示'Add New Account'表单的表
<h3>Add an Account</h3>
<form action="useraccounts.php" method="post">
<p class="label">Username:</p>
<input class="text" type="text" name="username" value="" />
<p class="label">Display Name(s):</p>
<input class="text" type="text" name="display_name" value="" />
<p class="label">E-Mail:</p>
<input class="text" type="text" name="email" value="" />
<p class="label">Password:</p>
<input class="text" type="password" name="password" value="" />
<p class="label">Admin Account?</p>
<input type="radio" id="r1" name="admin" value="0" checked="checked" /><label for="r1"><span></span>No</label>
<input type="radio" id="r2" name="admin" value="1" /><label for="r2"><span></span>Yes</label></br>
<p class="error"><?php echo $error; ?></p>
<button class="contact" type="submit" name="submit">Create Account</button>
</form>
显示现有用户帐户
的表<h3>Current Accounts List</h3>
<table class="parent-accounts">
<tr>
<th><h4>ID</h4></th>
<th><h4>Username</h4></th>
<th><h4>Display Name(s)</h4></th>
<th><h4>E-Mail Address</h4></th>
<th><h4>Admin</h4></th>
</tr>
<?php foreach($rows as $row): ?>
<form action="useraccounts.php?id=<?php echo $id['id'];?>" method="post">
<tr>
<td><?php echo $row['id']; ?></td>
<td><?php echo htmlentities($row['username'], ENT_QUOTES, 'UTF-8'); ?></td>
<td><?php echo htmlentities($row['display_name'], ENT_QUOTES, 'UTF-8'); ?></td>
<td><?php echo htmlentities($row['email'], ENT_QUOTES, 'UTF-8'); ?></td>
<td><?php echo htmlentities($row['admin'], ENT_QUOTES, 'UTF-8'); ?></td>
<td><input type="submit" name="submit" value="Delete User" /></td>
</tr>
</form>
<?php endforeach; ?>
</table>
'id'是由表单发布的,并且您的删除用户查询看起来很好。您需要执行查询。确保在获取当前用户之前处理删除请求。
<?php
require("connect.php");
if(empty($_SESSION['user']) || empty($_SESSION['adminaccess']))
{
header("Location: login.php");
die("Redirecting to login.php");
}
//BEGIN USER DELETE FUNCTION
//IM NOT SURE HOW TO SET THIS UP, OR IF IT'S EVEN IN THE RIGHT PLACE
if(isset($_SESSION['adminaccess'])) //if user has admin privilege
{
$id = isset($_POST['id'])?intval($_POST['id']):0;
if($id>0) //if valid id for deleting is posted
{
$query = 'DELETE FROM users WHERE id = '.$id;
echo '<script>alert("Query: '.$query.'");</script>'; //debug line, remove this later
try
{
$stmt = $db->prepare($query);
$stmt->execute();
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
}
else
{
echo '<script>alert("Invalid ID: '.$id.'");</script>'; //debug line, remove this later
}
}
else
{
echo '<script>alert("No admin access privilege.");</script>'; //debug line, remove this later
}
//END USER DELETE FUNCTION
//BEGIN DATA FETCHING TO DISPLAY CURRENT USERS
$query = "
SELECT
id,
username,
display_name,
email,
admin
FROM users
";
try
{
$stmt = $db->prepare($query);
$stmt->execute();
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$rows = $stmt->fetchAll();
//END DATA FETCHING TO DISPLAY CURRENT USERS
..........
?>