0

你好,我有一些关于如何保护这个脚本免受直接 URL 的问题?

会员可以去'pages/map/hospital.php?status=healed',瞧,他们不需要任何等待时间。我该如何解决?!

<?php
$status = $_GET['status'];

if(isset($status)){
 session_start();
 include('../../includes/core/member.php');
 include('../../includes/core/config.php');
 $member_id = $_SESSION['member_id'];
  if($status == 'healed'){
   mysql_query("UPDATE `members` SET `now_health` = '".$m_max_health."' WHERE `member_id` = '".$member_id."'");
  }

}else{
 include('includes/core/member.php');
}

$health = $m_max_health - $m_now_health;
$wait_time = $health * 5;
?>

<p id='health'>Healing (<?=$wait_time?>)</p>

<script>
$('#health').one('click', function() {
  var count = <?=$wait_time?>;
  countdown = setInterval(function(){
    $("p#health").html(count + " seconds remaining!");
    if (count == 0) {
      $.ajax({
       url: 'pages/map/hospital.php?status=healed',
       success: function(data) {
        clearInterval(countdown);
        $("p#health").html('you have healed');
       }
      });
    }
    count--;
  }, 1000);
});
</script>
4

1 回答 1

0

需要服务器端验证。

我看到您已经在变量中有初始 $wait_time 。因此,您可能希望利用这一点并使用 datetime 函数执行一些基本数学运算,以确保计数 <= 0。

于 2012-09-16T02:00:21.627 回答