如何从用户表单PHP安全地编辑数据库中的信息

时间:2012-09-06 21:50:20

标签: php mysql forms security edit

目前我使用PHP编辑脚本,允许用户编辑他们发布的广告,但我已经意识到用户可以修改?id =数字以显示另一组数据,然后编辑其他人数据并将其保存在数据库。

我有什么方法可以做到这一点,以便当用户点击他们发布的广告进行编辑时,他们只能访问自己的广告,他们无法通过调整广告来修改其他人的广告id?=和一种保护形式免受操纵的方法?

非常感谢能帮助的任何人!

这是我目前的代码:

<?php
/* 
EDIT.PHP
Allows user to edit specific entry in database
*/

// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is      easily reusable
function renderForm($id, $fname, $lname, $contact, $price, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Record</title>
 <link rel="stylesheet" type="text/css" href="stylesheet.css">

 <style type="text/css">

#page-wrap                  {
position:absolute;
top: 206px;
left: 288px;
width: 50%;
text-align:left;
background-color:#FFF;
padding: 10px;
border-radius: 10px;
box-shadow: 1px 2px 2px #888888;
     }

    </style>
    <script type = "text/javascript">

    function myfunction(url)
    {
    window.location.href = url;
    }
   </script>


</head>
<body>

  <div class="container">

  <div id="imagelogo" onclick = "window.location.href = 'index.html'" > 

  <p> Buy and sell stuff around University</p>
   </div>

   <ul id="navigation" name="navigation">
  <li id="nav-home"><a href="index.html">Home</a></li>
  <li id="nav-search"><a href="search.php">Search</a></li>
  <li id="nav-selling"><a href="#">Selling</a></li>
  <li id="nav-buying"><a href="#">Buying</a></li>
   <li id="nav-FAQ"><a href="#">FAQ</a></li>
  <li id="nav-contact"><a href="#">Contact</a></li>

  <p>&nbsp;</p>
  <p>&nbsp;</p>
  <p>&nbsp;</p>
  <p>Sponsors</p>
  </ul>
  <div id="account">

  <?php
  if( isset( $_SESSION['username'] ) ){

  echo "<a href='securedpage1.php'>My Account</a><img src='images/uni-icon.png' width='30'        height='18' style='vertical-align: middle;'/>";

  }else{

 echo "<a href='login.php' >Login</a><img src='images/uni-icon.png' width='30' height='18'    style='vertical-align: middle;'/>";
}
?>

</div>

<div id="registerlogout">
<?php
if( isset( $_SESSION['username'] ) ){
echo "<a href='logout.php'>Logout</a>";

}else{

echo "<a href='register.php'> Register</a>";
}
?>
</div>

<div id="social">
<img src="images/fb-logo.png" width="22" height="20" />     

 <img src="images/twitter-logo.png" width="24" height="25" />
  </div>

 <div id="page-wrap">
 <?php 
 // if there are any errors, display them
 if ($error != '')
 {
 echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
 }
 ?> 

 <form action="" method="post">
 <input type="hidden" name="id" value="<?php echo $id; ?>"/>
 <div>
 <strong>Ad Title: *</strong> <input type="text" name="fname" style="width: 60%; box-    sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;"value="<?php      echo $fname; ?>"/><br/>
  <strong>Description: *</strong> <textarea name="lname" cols="45" rows="5"><?php echo     $lname; ?></textarea><br/>
 <strong>Contact*</strong> <input type="text" name="contact"  style="width: 60%; box-    sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;" value="<?php     echo $contact; ?>"/><br/>
<strong>Price*</strong> <input type="text" name="price"  style="width: 60%; box-sizing:    border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;" value="<?php echo    $price; ?>"/><br/>
 <p>* Required</p>
 <input type="submit" name="submit" value="Submit">
 </div>
 </form>
 </div>
 </div>
 </body>
 </html> 
 <?php
  }

// Inialize session
    session_start();


 // connect to the database
 include('conn.php');

 // check if the form has been submitted. If it has, process the form and save it to the    database
 if (isset($_POST['submit']))
  { 
 // confirm that the 'id' value is a valid integer before getting the form data
 if (is_numeric($_POST['id']))
 {
 // get form data, making sure it is valid
 $id = $_POST['id'];
 $fname = mysql_real_escape_string(htmlspecialchars($_POST['fname']));
 $lname = mysql_real_escape_string(htmlspecialchars($_POST['lname']));
 $contact = mysql_real_escape_string(htmlspecialchars($_POST['contact']));
 $price = mysql_real_escape_string(htmlspecialchars($_POST['price']));

 // check that firstname/lastname fields are both filled in
 if ($fname == '' || $lname == '' || $contact == '' || $price == '' )
 {
 // generate error message
 $error = 'ERROR: Please fill in all required fields!';

 //error, display form
 renderForm($id, $fname, $lname, $contact, $price, $error);
 }
else
 {
 // save the data to the database
 mysql_query("UPDATE people SET price='$price', contact='$contact', fname='$fname',      lname='$lname' WHERE id='$id'")
 or die(mysql_error()); 

 // once saved, redirect back to the view page
 header("Location: view.php"); 
 }
 }
 else
 {
 // if the 'id' isn't valid, display an error
 echo 'Error!';
 }
 }
 else
 // if the form hasn't been submitted, get the data from the db and display the form
 {

 // get the 'id' value from the URL (if it exists), making sure that it is valid (checing   that it is numeric/larger than 0)
 if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0)
 {
 // query db
 $id = $_GET['id'];
 $result = mysql_query("SELECT * FROM people WHERE id=$id")
 or die(mysql_error()); 
$row = mysql_fetch_array($result);

 // check that the 'id' matches up with a row in the databse
 if($row)
 {

 // get data from db
 $fname = $row['fname'];
 $lname = $row['lname'];
 $contact = $row['contact'];
 $price = $row['price'];

 // show form
 renderForm($id, $fname, $lname, $contact, $price, '');
 }
 else
 // if no match, display result
 {
 echo "No results!";
 }
 }
 else
 // if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
 {
 echo 'Error!';
 }
 }
 ?>

5 个答案:

答案 0 :(得分:3)

您需要在数据库中记录每个广告的海报。这只是另一栏。

当尝试编辑广告时(显示表单或保存结果),您需要检查广告的所有者是否与当前登录的用户匹配。

e.g。 UPDATE adverts SET text=? WHERE id=? AND user=?

答案 1 :(得分:1)

在登录时设置会话。检查session-username是否与链接到要编辑的帖子的用户名相同。如果是,他们可以编辑。

答案 2 :(得分:0)

我建议您查询数据库以检查用户请求的ID是否允许他/她访问。

答案 3 :(得分:0)

保持服务器端,将id存储在数据库中,并调用该号码,这将阻止他们编辑它。

答案 4 :(得分:0)

md5每个帐户的ID号代码并将其添加到查询中。确保代码与帐户关联的代码匹配(因此md5为id并确保它与数据库中的匹配)然后添加内容。这样,没有人可以更改号码并编辑其他帐户帖子。 md5算法特定于您的服务器而不可预测。

$hash = md5( $id );

使用它来创建代码并将其与帐户相关联,并将其用作id以外的id。这意味着当您创建帐户时,您需要在id旁边的数据库中创建id的md5版本作为字段。

更改为:

mysql_query("UPDATE people SET price='$price', contact='$contact', fname='$fname', lname='$lname' WHERE id='$id'") or die(mysql_error());

mysql_query("UPDATE people SET price='$price', contact='$contact', fname='$fname', lname='$lname' WHERE id='$id' and idCode='$hash'") or die(mysql_error());

只需确保数据库中有一个名为idCode的字段,因为md5是一种不可逆的加密。

相关问题
最新问题