0

我有以下表格。一个用于登录和用户注册,另一个用于存储带有许多问题的调查的答案。就目前而言,我有 2 个文本框来测试它。我的目标是每个用户只提交一次调查。所以我有以下内容。一张表用于登录和注册

CREATE TABLE IF NOT EXISTS `users` (
  `userid` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(25) NOT NULL,
  `username` varchar(25) NOT NULL,
  `password` varchar(25) NOT NULL,
  PRIMARY KEY (`userid`),
  KEY `userid` (`userid`),
  KEY `userid_2` (`userid`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=18 ;

这个是保留名字和姓氏

CREATE TABLE IF NOT EXISTS `survey` (
  `surveyid` int(11) NOT NULL AUTO_INCREMENT,
  `firstname` varchar(25) NOT NULL,
  `lastname` varchar(25) NOT NULL,
  PRIMARY KEY (`surveyid`),
  KEY `firstname` (`firstname`),
  KEY `firstname_2` (`firstname`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

我的 login.php 页面是

<?php 
session_start();

@$username = $_POST['username'];
@$password = $_POST['pass'];

if(@$_POST['Submit']){
if($username&&$password)
{
$connect = mysql_connect("localhost","****","****") or die("Cannot Connect");
mysql_select_db("project") or die("Cannot find the database");

$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if($numrows!=0)
{
    while ($row = mysql_fetch_assoc($query))
    {
        $dbusername = $row['username'];
        $dbpassword = $row['password'];
    }
    if($username==$dbusername&&$password==$dbpassword)
    {
        echo "You are login!!!!! Continue now with the survey <a href='mainpage.php'>here</a>";
        $_SESSION['username']=$username;
    }
    else
    {
        echo "<b>Incorrect Password!!!!</b>";
    }
}
else
    //die("That user does not exist");
    echo "<b>That user does not exist</b>";
}
else
echo "<b>You must enter a username and a password</b>";
}
?>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>   
<title>Login Page</title>
</head>
<body>

<h2>Login Page</h2>
<form name="loginform" method='POST'>

<fieldset>
<legend>Form</legend>
    <label>Username: <input type="text" name="username"/><span>*</span></label><br/>
    <label>Password: <input type="password" name="pass"/><span>*</span></label>
    <input class="placeButtons" type="reset" value='Reset'/>
    <input class="placeButtons" type="submit" name="Submit" value='Login'/>
    <a href='registration.php'>Register</a>
</fieldset>

</form>
</body>
</html>

我插入数据的页面是

<?php 
session_start();

if ($_SESSION['username'])
{
echo "Welcome, ".$_SESSION['username']."! <a href='logout.php'>Logout</a>";
}
else
die("You must be logged in!!");
?>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<script src="question.js"></script>
<title>Questionnaire</title>
<style type="text/css"> 
    span {color: #FF00CC}
</style>
</head>
<body  background="images/good.jpg">
<h1>Please complete the following Survey</h1>
<form name="quiz" method="post" action="submitsurvey.php">

First Name: <input type="text" name="firstname" id="fname"/>
<p></p>
Last Name: <input type="text" name="lastname" id="lname"/>
<input type="submit" name="submitbutton" value="Go"></input>
<input type="reset" value="clear all"></input>
</form>
</body>
</html>

最后 submitsurvey.php 是在数据库中存储数据的页面

<?php
session_start();

if ($_SESSION['username'])
{
echo "Welcome, ".$_SESSION['username']."! <a href='logout.php'>Logout</a>";
}
else
die("You must be logged in!!");
$con=mysql_connect ("localhost","****","****");
mysql_select_db("project",$con);
@$firstname=$_POST['firstname'];
@$lastname=$_POST['lastname'];

$s="INSERT INTO survey(`firstname`,`lastname`) VALUES ('$firstname','$lastname')";
echo "You have successfully submit your questions";
 mysql_query ($s);
?>

我想知道你对我该如何继续的想法。首先想到的是在用户表中创建一个外键surveyid。我试过了,但无法注册,我认为原因是调查表是空的。也许我完全错了,但这只是一个想法

更新 我创建了一个查找表,但它没有获取用户 ID 和调查 ID

CREATE TABLE IF NOT EXISTS `lookup` (
`lookupid` int(11) NOT NULL AUTO_INCREMENT,
`surveyid` int(11) NOT NULL,
`userid` int(11) NOT NULL,
PRIMARY KEY (`lookupid`),
KEY `surveyid` (`surveyid`,`userid`),
KEY `userid` (`userid`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

ALTER TABLE `lookup`
  ADD CONSTRAINT `lookup_ibfk_2` FOREIGN KEY (`userid`) REFERENCES `users` (`userid`) ON DELETE CASCADE ON UPDATE NO ACTION,
  ADD CONSTRAINT `lookup_ibfk_1` FOREIGN KEY (`surveyid`) REFERENCES `survey` (`surveyid`) ON DELETE CASCADE ON UPDATE NO ACTION;
4

2 回答 2

2

一个有 3 个字段的查找表怎么样,lookupID、surveyID 和 userID

当他们填写调查表时,将记录添加到查找表中。

在加载调查的页面上,查询查找表以获取用户 ID。如果存在,则回显消息“谢谢,但您已经完成了调查”。

哦,顺便说一句,您的登录脚本是如何成为 SQL 注入受害者的完美示例。

于 2013-08-08T22:05:54.897 回答
0

不要使用 MySQL,而是使用 PDO 或 MySQLi。MySQL 已过时、已弃用且易受攻击

于 2013-08-08T22:37:53.713 回答