1

因此,直到一个小时前,这一直是完美的,从那时起,我绞尽脑汁修复它,却一无所获,也许我错过了明显的东西(通常是这种情况)。

该代码会打印出一个用户列表和一个在表格中禁止他们的按钮,但是问题是如果您单击禁止说.. 第 34 个用户它会禁止第一个用户,然后如果您单击第 56 个用户的禁止它会禁止第二个用户。如果您看到我的代码,您应该会发现情况并非如此(请注意,除了 uID 之外,所有其他细节都是完全正确的):

  $query = mysql_query("SELECT id, full_name, banned, username from `tblUsers`");
        while($row = mysql_fetch_array($query)){
            $uID = $row['id'];
            if($row['banned'] == '0'){ 
                $banBool =  '<form id="ban" method="post" action="ban.php?uid='.$uID.'">
            <input type="hidden" name="ban" value="" /> 
            <a onclick="document.getElementById(\'ban\').submit();">Ban</a>
        </form>'; }else{   
            $banBool = '<form id="unban" method="post" action="unban.php?uid='.$uID.'">
            <input type="hidden" name="name" value="" /> 
            <a onclick="document.getElementById(\'unban\').submit();">UnBan</a>
            </form>' ;
        }
            if($row['banned'] == '1'){
                $status = 'Banned';
            }else{
                $status = 'Active';
            }
            echo "<tr><td>" . $row['username'] . " " . $uID . "</td><td>" . $banBool . "</td><td>" . $status . "</td><td>" . $row['full_name'] . "</td></tr>";
        }

问题出在 action="unban.php?uid='.$uID.' 当我跟踪路径时,id 总是最小的数字(最高结果)

禁止.php

<?php
include '../../includes/dataBase.class.php';
sql::connect();
if(!sql::checkAdmin() == 1){
    header("Location: ../myaccount.php");
}
if(!isset($_GET['uid'])){
    header("Location: users.php?action=1");
}
$uid = $_GET['uid'];
$ip = $_SERVER['REMOTE_ADDR'];  
mysql_query("INSERT INTO `uipBan` (`ip`) VALUES ('$ip')")or die(mysql_error()); 
mysql_query("UPDATE tblUsers SET banned = '1' WHERE id = '$uid'")or die(mysql_error());
//header("Location: users.php?action=1");
echo $uid;
?>
4

2 回答 2

2

您为每个用户提供一个禁止/取消禁止该用户的表单。问题出在您的表格中id,因为它们不是唯一的。当您单击任何Ban/UnBan链接时,JavaScript 会搜索ban/unban元素,找到第一个并提交该元素。

解决方案非常简单:

  $query = mysql_query("SELECT id, full_name, banned, username from `tblUsers`");
        while($row = mysql_fetch_array($query)){
            $uID = $row['id'];
            if($row['banned'] == '0'){ 
                $banBool =  '<form id="ban' . $uID . '" method="post" action="ban.php?uid='.$uID.'">
            <input type="hidden" name="ban" value="" /> 
            <a onclick="document.getElementById(\'ban' . $uID . '\').submit();">Ban</a>
        </form>'; }else{   
            $banBool = '<form id="unban' . $uID . '" method="post" action="unban.php?uid='.$uID.'">
            <input type="hidden" name="unban" value="" /> 
            <a onclick="document.getElementById(\'unban' . $uID . '\').submit();">UnBan</a>
            </form>' ;
        }
            if($row['banned'] == '1'){
                $status = 'Banned';
            }else{
                $status = 'Active';
            }
            echo "<tr><td>" . $row['username'] . " " . $uID . "</td><td>" . $banBool . "</td><td>" . $status . "</td><td>" . $row['full_name'] . "</td></tr>";
        }

我只是在每个表单和 JS 调用中都包含了用户 ID,以便它们是唯一的。(另外,您的第二个隐藏字段的名称为name

于 2012-04-09T20:48:37.263 回答
0

是的,@MrFusion 成功了(+1)。但我仍然不明白你为什么不简单地做这样的事情:

 <?php
 $query = mysql_query("SELECT id, full_name, banned, username from `tblUsers`");

 while($row = mysql_fetch_array($query)) {

      echo "<tr><td>{$row['username']}</td><td>{$row['id']}</td>";

      if($row['banned'] == '0') { 
           echo "<td><a href=\"admin.php?ban={$row['id']}\">Ban</a></td>";
      }
      elseif($row['banned'] == '1') { 
            echo "<td>Banned (<a href=\"admin.php?unban={$row['id']}\">Unban</a>)</td>";
      }
      else { 
           echo "<td>Active</td>"; # Not sure what this is for in your original code
      }
      echo "<td>{$row['full_name']}</td></tr>";
}
?>

然后只需制作 admin.php

<?php
include "../../includes/dataBase.class.php";
sql::connect();
if(!sql::checkAdmin() == 1){
    header("Location: ../myaccount.php");
}
if(!isset($_GET['ban']) AND !isset($_GET['unban'])){
    header("Location: users.php?action=1");
}

if(isset($_GET['ban'])) { 
    $uid = mysql_real_escape_string($_GET['ban']);
    mysql_query("UPDATE tblUsers SET banned = '1' WHERE id = '{$uid}'") or die(mysql_error());    
    //I don't know what the following two lines are for
    //but they seem to IP-ban the admin himself: you're banning the IP address 
    //of the user doing the ban, not the IP address of the user you are banning. 

    $ip = $_SERVER['REMOTE_ADDR'];  
    mysql_query("INSERT INTO `uipBan` (`ip`) VALUES ('{$ip}')") or die(mysql_error()); 
}
elseif(isset($_GET['unban'])) { 
    $uid = mysql_real_escape_string($_GET['unban']);
    mysql_query("UPDATE tblUsers SET banned = '0' WHERE id = '{$uid}'") or die(mysql_error());        
} 

header("Location: users.php?action=1");
?>

请注意使用 mysql_real_escape_string 转义用户输入的重要性,即使它来自受信任的用户:这可以防止 SQL 注入,这可能导致您丢失整个数据库:)

于 2012-04-10T06:50:08.227 回答