Php 使用会话数据找出提交表单的人
我想做的是使用登录会话找出是谁提交了表单。 我想在用户登录后从表中检索“user\u id”。然后,当他们撰写评论并提交表单时,用户id将被发送到电影表 任何帮助都将不胜感激Php 使用会话数据找出提交表单的人,php,mysql,sql,forms,Php,Mysql,Sql,Forms,我想做的是使用登录会话找出是谁提交了表单。 我想在用户登录后从表中检索“user\u id”。然后,当他们撰写评论并提交表单时,用户id将被发送到电影表 任何帮助都将不胜感激 -- Table structure for table `films` -- CREATE TABLE IF NOT EXISTS `films` ( `movie_id` int(4) NOT NULL AUTO_INCREMENT, `movie_title` varchar(100) NOT NULL,
-- Table structure for table `films`
--
CREATE TABLE IF NOT EXISTS `films` (
`movie_id` int(4) NOT NULL AUTO_INCREMENT,
`movie_title` varchar(100) NOT NULL,
`actor` varchar(100) NOT NULL,
`rating` varchar(20) NOT NULL,
`user_id` int(100) NOT NULL,
PRIMARY KEY (`movie_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=38 ;
--
-- Table structure for table `users`
--
CREATE TABLE IF NOT EXISTS `users` (
`user_id` int(4) NOT NULL AUTO_INCREMENT,
`email` varchar(40) NOT NULL,
`password` varchar(40) NOT NULL,
`name` varchar(30) NOT NULL,
PRIMARY KEY (`user_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;
INSERT INTO `users` (`user_id`, `email`, `password`, `name`) VALUES
(1, 'ben@talktalk.net', 'password', 'Ben');
--
-- Constraints for table `reviewed`
--
ALTER TABLE `reviewed`
ADD CONSTRAINT `reviewed_ibfk_1` FOREIGN KEY (`movie_id`) REFERENCES `films` (`movie_id`),
ADD CONSTRAINT `reviewed_ibfk_2` FOREIGN KEY (`movie_id`) REFERENCES `films` (`movie_id`) ON DELETE CASCADE;
这是创建会话的登录表单。我假设我没有正确创建会话。
<?php
include('./includes/header.php');
if (isset($_POST['submit'])) {
$error = array(); // Initialize error array.
// Check for a email.
if (empty($_POST['email'])) {
$error[] = "Please neter a email";
} else {
$email = $_POST['email'];
}
// Check for a password.
if (empty($_POST['password'])) {
$error[] = "Please enter a password";
} else {
$password = $_POST['password'];
}
if (empty($error)) { // No errors found
require_once('./includes/mysql_connect.php');
$match = "SELECT * FROM users WHERE email='$email' AND password='$password'";
$qry = mysql_query($match);
$num_rows = mysql_num_rows($qry);
if ($num_rows == true) {
$_SESSION['user_id']=$_POST['email'];
header("location:index.php");
} else {
echo "No user name or id ";
}
} else {
foreach ($error as $msg) {
echo $msg;
}
}
}
?>
<html>
<form method="post" action="login.php">
<fieldset><legend>Login</legend>
<label for="email">Email</label>
<input type="text" name="email" id="email" />
<br/>
<label for="password">Password</label>
<input type="password" name="password" id="password" />
<br/>
<input type="submit" name="submit" value="login" />
</fieldset>
</form>
</html>
<?php
include('./includes/footer.php');
?>
登录
电子邮件
密码
以及我想将会话用户id发送到MySql数据库的审阅表单
<?php
include('./includes/header.php');
echo "<h1>Add A film</h1>";
if(isset($_POST['submitted'])){
$errors = array(); // Initialize error array.
$user = $_SESSION['user_id'];
// Check for title.
if (empty($_POST['movie_title'])){
$errors[] = "You forgot to enter a title.";
} else {
$mt = (trim($_POST['movie_title']));
}
// Check for leading actor
if (empty($_POST['leading_actor'])){
$errors[] = "You forgot to enter a actor";
} else {
$la = (trim($_POST['leading_actor']));
}
// Check for a rating
if (empty($_POST['rating'])){
$errors[] = "Please select a rating.";
} else {
$rating = ($_POST['rating']);
}
// Check for a review
if (empty($_POST['review'])){
$errors[] = "Please write a review";
} else {
$review = (trim($_POST['review']));
}
if (empty($errors)) { // If no errors were found.
require_once('./includes/mysql_connect.php');
// Make the insert query.
$query = "INSERT INTO films (movie_title, actor, rating, user_id)
Values ('$mt', '$la', '$rating', '$user')";
$result = mysql_query($query);
$id = mysql_insert_id();
$query = "INSERT INTO reviewed (review, movie_id)
values ('$review', '$id')";
$result = mysql_query($query);
//Report errors.
} else {
foreach ($errors as $msg){
echo " - $msg <br/> ";
}
}
};
?>
<html>
<form action="review_a_film.php" method="post" id="review_a_film">
<fieldset>
<label for="title">Movie Title</label>
<input type="text" name="movie_title" id="movie_title" />
<br/>
<br/>
<label for="actor">Leading Actor</label>
<input type="text" name="leading_actor" id="leading_name" />
<br/>
<br/>
<label for="rating">Rating</label>
<select id="rating" name="rating"/>
<option selected="selected" value=0 disabled="disabled">Select a Rating</option>
<option value="Terrible">Terrible</option>
<option value="Fair">Fair</option>
<option value="Ok">Ok</option>
<option value="Good">Good</option>
<option value="Excellent">Excellent</option>
</select>
<br/>
<br/>
<label for="review">Your Review</label>
<br/>
<textarea name="review" id="review" rows="15" cols="60"></textarea>
<br/>
<br/>
<input type="submit" name="submit" id="submit" value="submit" />
<input type="hidden" name="submitted" value="TRUE" />
</fieldset>
</form>
</html>
<?php
include('./includes/footer.php');
?>
要回答您的问题:
将其用户id存储在变量$\u SESSION['user\u id']中,然后在注销时清除$\u SESSION['user\u id']
但是,还有其他问题需要解决
您不能以纯文本形式存储密码。这不是好的做法。如果你被黑客攻击(很可能是因为你的SQL漏洞,马上就去做),并且用明文存储密码,人们会对你生气的。你需要研究密码散列。这里有几个链接可以帮助您开始:
您还容易受到SQL注入的攻击。必须使用参数化查询,否则用户可以将sql注入代码中
php中的参数化查询如下所示:
$var = $unsafevar;
$stmt = mysqli_prepare($connection, "SELECT * FROM users WHERE username = ?");
mysqli_stmt_bind_param($stmt, 's', $var);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_assoc($result);
?表示变量,这些变量由bind_param绑定和插入
查看owasp的sql注入页面及其前十名:
你必须学会这些东西,然后你甚至可以考虑用一个用户数据库在线发布一个网站。如果凭据匹配,则表示您已经拥有您的用户。现在获取
用户id
并将其保存到$\u会话['user\u id']
。当用户提交电影评论时,从$\u会话['user\u id']
中检索用户id,并将其传递给SQL INSERT语句。您可能不应该使用此用户系统。至少现在不是。花大量的时间学习安全知识,然后尝试一下,因为你正在危及你的用户的安全,而不仅仅是你的网站的安全。如果您想了解更多:使用安全哈希算法]()。此外,存在一些明显的SQL注入漏洞。