我已就此网站上的这段代码问了几个问题。
基本上,当我使用时,我的数据库没有更新 - $ id = $ GET _ [' id']; (在下面代码的顶部)。该ID将从上一页传递到此页面 - 该页面的网址为' http:// www.21orange.com/CCC/changepassword.php?id=1'。有一个' id'我的数据库中的字段。
当我将上面的代码行更改为 - $ id =' 1' - 代码运行完美,数据库更新。它只在我使用$ GET _ [' id']时停止工作。这是为什么?
// First we execute our common code to connection to the database and start the session
require("common.php");
$id = $_GET['id'];
// This if statement checks to determine whether the registration form has been submitted
// If it has, then the registration code is run, otherwise the form is displayed
if(!empty($_POST))
{
// Ensure that the user has entered a non-empty password
if(empty($_POST['password']))
{
die("Please enter a password.");
}
// Ensure that the user has entered a non-empty username
if(empty($_POST['confirmpassword']))
{
// Note that die() is generally a terrible way of handling user errors
// like this. It is much better to display the error with the form
// and allow the user to correct their mistake. However, that is an
// exercise for you to implement yourself.
die("Please confirm your password.");
}
if ($_POST['password'] == $_POST['confirmpassword']) {
// An INSERT query is used to add new rows to a database table.
// Again, we are using special tokens (technically called parameters) to
// protect against SQL injection attacks.
$query = "UPDATE Staff SET password=:password, salt=:salt WHERE id=:id";
// A salt is randomly generated here to protect again brute force attacks
// and rainbow table attacks. The following statement generates a hex
// representation of an 8 byte salt. Representing this in hex provides
// no additional security, but makes it easier for humans to read.
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
// This hashes the password with the salt so that it can be stored securely
// in your database. The output of this next statement is a 64 byte hex
// string representing the 32 byte sha256 hash of the password. The original
// password cannot be recovered from the hash.
$password = hash('sha256', $_POST['password'] . $salt);
// Next we hash the hash value 65536 more times. The purpose of this is to
// protect against brute force attacks. Now an attacker must compute the hash 65537
// times for each guess they make against a password, whereas if the password
// were hashed only once the attacker would have been able to make 65537 different
// guesses in the same amount of time instead of only one.
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
try
{
// Execute the query to create the user
$stmt = $db->prepare($query);
$stmt->execute(array(
'password' => $password,
'salt' => $salt,
'id' => $id));
}
catch(PDOException $ex)
{
// Note: On a production website, you should not output $ex->getMessage().
// It may provide an attacker with helpful information about your code.
die("Failed to run query: " . $ex->getMessage());
}
// This redirects the user back to the login page after they register
header("Location: stafflist.php");
// Calling die or exit after performing a redirect using the header function
// is critical. The rest of your PHP script will continue to execute and
// will be sent to the user if you do not die or exit.
die("Redirecting to stafflist.php");
}
die("Passwords do not match.");
}
我是php的新手,请原谅我的天真。附:我知道我使用的方法相当古老,但这只是一个考验。
谢谢, 乔
答案 0 :(得分:1)
您不能在一个HTTP Request中同时执行GET和POST。
但是,您可以使用隐藏的输入字段来解决此限制:
在HTML标记中,您可以添加以下内容:
<input type="hidden" name="id"
value="<?php echo htmlspecialchars($_GET['id'], ENT_QUOTES); ?>" />
您的$_GET['id']应该可以正常使用。
答案 1 :(得分:0)
避免此错误
Undefined index: id in /home/content/47/11368447/html/CCC/changepassword.php on line 6
首先测试index是否存在:
if(isset($_GET['id'])) {
$id = $_GET['id'];
} else {
// here you can set a value for the id
}
否则,您可以在if测试中添加$id var:
if(!empty($_POST) && $id)
{
//...
}
答案 2 :(得分:0)
看起来您正在将'id'传递给操作URL,但由于某种原因,$ _GET变量没有它。请仔细检查:
您是否真的将'id'传递给了网址?请确认。
请检查common.php中的代码,看看是否修改了$ _GET变量。
该脚本是否在重写设置后面(例如.htaccess)?如果是,$ _GET参数可能由于不适当的重写设置而消失。您可以通过输入print_r($ _ GET)进一步测试它;在开始时直接访问该脚本(GET而不是POST)
答案 3 :(得分:0)
$ id = $ _GET ['id']; 首先检查$ id中是否有值通过echo
打印$ id