我正在制作一个更新页面,用户可以在其中编辑名片的信息,如电话、地址。。问题是,我以这种方式获取他们的卡id:
<a href="update.php?id=<?php echo $record['id']; ?>" class="btn btn-succes" role="button">Edit</a>
因此,他们可以在搜索栏中看到自己的卡id,如果他们只是简单地更改id,他们可以编辑任何人的卡信息。我想检查用户的id是否等于他的卡userid-(这是数据库中的外键(,如果不是,则将他重定向到索引页面。问题是,我仍然可以编辑任何人的卡,因为用户ID不会更改。
我的更新代码:
session_start();
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_NAME', 'reg');
/* Attempt to connect to MySQL database */
$mysqli = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($mysqli === false){
die("HIBA: Nem sikerült csatlakozni. " . mysqli_connect_error());
}
$id = $_GET['id'];
var_dump($_SESSION);
if (isset($_POST['submit'])) {
$name = $_POST['name'];
$phone = $_POST['phone'];
$phone2 = $_POST['phone2'];
$email = $_POST['email'];
$zipcode = $_POST['zipcode'];
$address = $_POST['address'];
$job = $_POST['job'];
$description = $_POST['description'];
$userid = $_SESSION['id'];
if( $_SESSION['id'] != $userid){
header("Location: index.php");
}
$stmt = $mysqli -> prepare('UPDATE cards SET name=?, phone=?, phone2=?, email=?, zipcode=?, address=?, job=?, description=?, visibility=?, confirmed=? WHERE id = ?');
if (
$stmt &&
$stmt->bind_param('ssssisssii', $name, $phone, $phone2, $email, $zipcode, $address, $job, $description, $visibility, $confirmed) &&
$stmt -> execute()
) {
echo 'Updated';
} else {
echo $mysqli -> error;
}
}
$getstmt = $mysqli->prepare("SELECT * FROM cards WHERE id= ?");
if ($getstmt and
$getstmt->bind_param('i', $id) and
$getstmt->execute() and
$result = $getstmt->get_result() and
$row = $result->fetch_assoc()
) {
$name = $row['name'];
$phone = $row['phone'];
$phone2 = $row['phone2'];
$email = $row['email'];
$zipcode = $row['zipcode'];
$address = $row['address'];
$job = $row['job'];
$description = $row['description'];
我的数据库:(用户(
id- username- password- created- admin-
----------------------------------------------
1 John 112 2020-12-23 2435
卡片:
id- name- phone- phone2- email- zipcode- address- job- description- visibility- userid-
-----------------------------------------------------------------------------------------------------
1 John 112 233 a@a.com 2435 dfdf 34. test uzlh 0 1
类似的东西
$getstmt = $mysqli->prepare("SELECT * FROM cards WHERE id= ?");
if ($getstmt and
$getstmt->bind_param('i', $id) and
$getstmt->execute() and
$result = $getstmt->get_result() and
$row = $result->fetch_assoc()
) {
if($row['userid'] == $_SESSION['id']){
$name = $row['name'];
$phone = $row['phone'];
$phone2 = $row['phone2'];
$email = $row['email'];
$zipcode = $row['zipcode'];
$address = $row['address'];
$job = $row['job'];
$description = $row['description'];
}else{
header("Location: index.php");
}
}
您正在尝试将$userid与$_SESSION['id']匹配,这两个指向相同值的变量都使用$_GET['id']而不是$userid
if( $_SESSION['id'] != $_GET['id']){
header("Location: index.php");
exit();
}