2

我想做的是使用登录会话找出谁提交了表单。我想在登录后从 USERS 表中检索“user_id”。然后,当他们写完评论并提交表单时,user_id 将被发送到电影表,

任何帮助将不胜感激。

-- Table structure for table `films`
--

CREATE TABLE IF NOT EXISTS `films` (
  `movie_id` int(4) NOT NULL AUTO_INCREMENT,
  `movie_title` varchar(100) NOT NULL,
  `actor` varchar(100) NOT NULL,
  `rating` varchar(20) NOT NULL,
  `user_id` int(100) NOT NULL,
  PRIMARY KEY (`movie_id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=38 ;

--
-- Table structure for table `users`
--

CREATE TABLE IF NOT EXISTS `users` (
  `user_id` int(4) NOT NULL AUTO_INCREMENT,
  `email` varchar(40) NOT NULL,
  `password` varchar(40) NOT NULL,
  `name` varchar(30) NOT NULL,
  PRIMARY KEY (`user_id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;


INSERT INTO `users` (`user_id`, `email`, `password`, `name`) VALUES
(1, 'ben@talktalk.net', 'password', 'Ben');

--
-- Constraints for table `reviewed`
--
ALTER TABLE `reviewed`
  ADD CONSTRAINT `reviewed_ibfk_1` FOREIGN KEY (`movie_id`) REFERENCES `films` (`movie_id`),
  ADD CONSTRAINT `reviewed_ibfk_2` FOREIGN KEY (`movie_id`) REFERENCES `films` (`movie_id`) ON DELETE CASCADE;

这是创建会话的登录表单,我假设我没有正确创建它。

<?php
  include('./includes/header.php');

  if (isset($_POST['submit'])) {
      $error = array(); // Initialize error array.

      // Check for a email.
      if (empty($_POST['email'])) {
          $error[] = "Please neter a email";
      } else {
          $email = $_POST['email'];
      }

      // Check for a password.
      if (empty($_POST['password'])) {
          $error[] = "Please enter a password";
      } else {
          $password = $_POST['password'];
      }

      if (empty($error)) { // No errors found
          require_once('./includes/mysql_connect.php');
          $match = "SELECT * FROM users WHERE email='$email' AND password='$password'";
          $qry = mysql_query($match);
          $num_rows = mysql_num_rows($qry);

          if ($num_rows == true) {
              $_SESSION['user_id']=$_POST['email'];
               header("location:index.php");
          } else {
               echo "No user name or id ";
          }
      } else {
          foreach ($error as $msg) {
              echo $msg;
          }
      }
  }
?>

<html>
<form method="post" action="login.php">
    <fieldset><legend>Login</legend>
      <label for="email">Email</label>
      <input type="text" name="email" id="email" />
      <br/>
      <label for="password">Password</label>
      <input type="password" name="password" id="password" />
      <br/>
    <input type="submit" name="submit" value="login" />
    </fieldset>
</form>
</html>


<?php
  include('./includes/footer.php');
?>

以及我想将会话 user_id 发送到 MySql 数据库的审核表

<?php
  include('./includes/header.php');
  echo "<h1>Add A film</h1>";
      if(isset($_POST['submitted'])){
      $errors = array(); // Initialize error array.
      $user = $_SESSION['user_id'];

      // Check for title.
      if (empty($_POST['movie_title'])){
          $errors[] = "You forgot to enter a title.";
      } else {
          $mt = (trim($_POST['movie_title']));
      }
      // Check for leading actor
      if (empty($_POST['leading_actor'])){
          $errors[] = "You forgot to enter a actor";
      } else {
          $la = (trim($_POST['leading_actor']));
      }
      // Check for a rating
      if (empty($_POST['rating'])){
          $errors[] = "Please select a rating.";
      } else {
          $rating = ($_POST['rating']);
      }
      // Check for a review
      if (empty($_POST['review'])){
          $errors[] = "Please write a review";
      } else {
          $review = (trim($_POST['review']));
      }
      if (empty($errors)) { // If no errors were found.
          require_once('./includes/mysql_connect.php');

          // Make the insert query.
          $query = "INSERT INTO films (movie_title, actor, rating, user_id)
          Values ('$mt', '$la', '$rating', '$user')";
          $result = mysql_query($query);
          $id = mysql_insert_id();
          $query = "INSERT INTO reviewed (review, movie_id)
          values ('$review', '$id')";
          $result = mysql_query($query);

          //Report errors.
      } else {
          foreach ($errors as $msg){
              echo " - $msg <br/> ";
          }
      }
  };
?>

<html>
<form action="review_a_film.php" method="post" id="review_a_film">
    <fieldset>
        <label for="title">Movie Title</label>
        <input type="text" name="movie_title" id="movie_title" />
        <br/>
        <br/>
        <label for="actor">Leading Actor</label>
        <input type="text" name="leading_actor" id="leading_name" />
        <br/>
        <br/>
        <label for="rating">Rating</label>
        <select id="rating" name="rating"/>
            <option selected="selected" value=0 disabled="disabled">Select a Rating</option>
            <option value="Terrible">Terrible</option>
            <option value="Fair">Fair</option>
            <option value="Ok">Ok</option>
            <option value="Good">Good</option>
            <option value="Excellent">Excellent</option>
        </select>
        <br/>
        <br/>
        <label for="review">Your Review</label>
        <br/>
        <textarea name="review" id="review" rows="15" cols="60"></textarea>
        <br/>
        <br/>
        <input type="submit" name="submit" id="submit" value="submit" />
        <input type="hidden" name="submitted" value="TRUE" />
    </fieldset>
</form>
</html>

<?php
  include('./includes/footer.php');
?>
4

1 回答 1

2

回答您的问题:将他们的 user_id 存储在变量 $_SESSION['user_id'] 中,然后在他们注销时清除 $_SESSION['user_id']。

但是,您还需要解决其他问题。

您不能以纯文本形式存储密码。这不是好的做法。如果您被黑客入侵(这可能是由于您的 SQL 漏洞,请稍后解决)并且以纯文本形式存储密码,人们会生您的气。您需要研究密码哈希。这里有几个链接可以帮助您入门:使用 mcrypt、PHP 和 MySQL 进行加密 如何安全地存储用户的密码?

您也容易受到 SQL 注入的攻击。您必须使用参数化查询,否则用户可以将 sql 注入您的代码。

php 中的参数化查询如下所示:

$var = $unsafevar;
$stmt = mysqli_prepare($connection, "SELECT * FROM users WHERE username = ?");
mysqli_stmt_bind_param($stmt, 's', $var);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_assoc($result);

? 代表由 bind_param 绑定和插入的变量。

查看 owasp 的 sql injection page 及其前十名:

Owasp SQL 注入

黄蜂前十

在考虑在线发布带有用户数据库的网站之前,您必须了解这些内容。

于 2013-10-09T01:46:32.150 回答