0

我似乎找不到我的代码有什么问题。

我只是想有一个不偏不倚的意见,因为对我来说它是完美的,它不是 xD。 

<?php
    require("common.php");
    if(empty($_SESSION['user']))
    {
        header("Location: login.php");
        die("Redirecting to login.php");
    }
    if(!empty($_POST))
    {

        if($_POST['eID'] != $_SESSION['user']['eID'])
        {
           $query = "
            SELECT
                1
            FROM users
            WHERE
                eID = :eID
        ";

        $query_params = array(
            ':eID' => $_POST['eID']
        );
              try
        {
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
        }
        catch(PDOException $ex)
        {
            die("Failed to run query: " . $ex->getMessage());
        }

        $row = $stmt->fetch();

        if($row)
        {
            die("This employee ID is already registered");
        }
        }
        if(!empty($_POST['password']))
        {
            $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
            $password = hash('sha256', $_POST['password'] . $salt);
            for($round = 0; $round < 65536; $round++)
            {
                $password = hash('sha256', $password . $salt);
            }
        }
        else
        {
            $password = null;
            $salt = null;
        }
        $query_params = array(
            ':eID' => $_POST['eID'],
            ':user_id' => $_SESSION['user']['id'],
        );
        if($password !== null)
        {
            $query_params[':password'] = $password;
            $query_params[':salt'] = $salt;
        }
        $query = "
            UPDATE users
            SET
                eID = :eID
        ";
        if($password !== null)
        {
            $query .= "
                , password = :password
                , salt = :salt
            ";
        }
        $query .= "
            WHERE
                id = :user_id
        ";

        try
        {
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
        }
        catch(PDOException $ex)
        {
            die("Failed to run query: " . $ex->getMessage());
        }
        $_SESSION['user']['eID'] = $_POST['eID'];
        header("Location: private.php");
        die("Redirecting to private.php");
    }

?>
<h1>Edit Account</h1>
<form action="edit_account.php" method="post">
    Username:<br />
    <b><?php echo htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?></b>
    <br /><br />
    EmployeeID:<br />
    <input type="text" name="eID" value="<?php echo htmlentities($_POST['eID'], ENT_QUOTES, 'UTF-8'); ?>" />
    <br /><br />
    Password:<br />
    <input type="password" name="password" value="" /><br />
    <i>(leave blank if you do not want to change your password)</i>
    <br /><br />
    <input type="submit" value="Update Account" />
</form>

它是一个代码,它将改变我数据库中的数据。似乎我的“eID”有错误

4

1 回答 1

-1

这应该消除错误:

  if($_POST['eID'] != $_SESSION['user']['eID'])
        {
           $query = "
            SELECT
                1
            FROM users
            WHERE
                eID = ".$_POST['eID'];
   }

如果 eID 是字符串值,则替换:

eID = ".$_POST['eID']; 


eID = '".$_POST['eID']."'";
于 2013-03-25T10:20:11.550 回答