我想要做的是找出使用登录会话提交表单的人。 我想在登录后从USERS表中检索'user_id'。然后当他们写完评论并提交表格时,user_id将被发送到电影表,
非常感谢任何帮助。
-- Table structure for table `films`
--
CREATE TABLE IF NOT EXISTS `films` (
`movie_id` int(4) NOT NULL AUTO_INCREMENT,
`movie_title` varchar(100) NOT NULL,
`actor` varchar(100) NOT NULL,
`rating` varchar(20) NOT NULL,
`user_id` int(100) NOT NULL,
PRIMARY KEY (`movie_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=38 ;
--
-- Table structure for table `users`
--
CREATE TABLE IF NOT EXISTS `users` (
`user_id` int(4) NOT NULL AUTO_INCREMENT,
`email` varchar(40) NOT NULL,
`password` varchar(40) NOT NULL,
`name` varchar(30) NOT NULL,
PRIMARY KEY (`user_id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;
INSERT INTO `users` (`user_id`, `email`, `password`, `name`) VALUES
(1, 'ben@talktalk.net', 'password', 'Ben');
--
-- Constraints for table `reviewed`
--
ALTER TABLE `reviewed`
ADD CONSTRAINT `reviewed_ibfk_1` FOREIGN KEY (`movie_id`) REFERENCES `films` (`movie_id`),
ADD CONSTRAINT `reviewed_ibfk_2` FOREIGN KEY (`movie_id`) REFERENCES `films` (`movie_id`) ON DELETE CASCADE;
以下是创建会话的登录表单我假设我没有正确创建它。
<?php
include('./includes/header.php');
if (isset($_POST['submit'])) {
$error = array(); // Initialize error array.
// Check for a email.
if (empty($_POST['email'])) {
$error[] = "Please neter a email";
} else {
$email = $_POST['email'];
}
// Check for a password.
if (empty($_POST['password'])) {
$error[] = "Please enter a password";
} else {
$password = $_POST['password'];
}
if (empty($error)) { // No errors found
require_once('./includes/mysql_connect.php');
$match = "SELECT * FROM users WHERE email='$email' AND password='$password'";
$qry = mysql_query($match);
$num_rows = mysql_num_rows($qry);
if ($num_rows == true) {
$_SESSION['user_id']=$_POST['email'];
header("location:index.php");
} else {
echo "No user name or id ";
}
} else {
foreach ($error as $msg) {
echo $msg;
}
}
}
?>
<html>
<form method="post" action="login.php">
<fieldset><legend>Login</legend>
<label for="email">Email</label>
<input type="text" name="email" id="email" />
<br/>
<label for="password">Password</label>
<input type="password" name="password" id="password" />
<br/>
<input type="submit" name="submit" value="login" />
</fieldset>
</form>
</html>
<?php
include('./includes/footer.php');
?>
我希望将会话user_id发送到MySql数据库的审核表单
<?php
include('./includes/header.php');
echo "<h1>Add A film</h1>";
if(isset($_POST['submitted'])){
$errors = array(); // Initialize error array.
$user = $_SESSION['user_id'];
// Check for title.
if (empty($_POST['movie_title'])){
$errors[] = "You forgot to enter a title.";
} else {
$mt = (trim($_POST['movie_title']));
}
// Check for leading actor
if (empty($_POST['leading_actor'])){
$errors[] = "You forgot to enter a actor";
} else {
$la = (trim($_POST['leading_actor']));
}
// Check for a rating
if (empty($_POST['rating'])){
$errors[] = "Please select a rating.";
} else {
$rating = ($_POST['rating']);
}
// Check for a review
if (empty($_POST['review'])){
$errors[] = "Please write a review";
} else {
$review = (trim($_POST['review']));
}
if (empty($errors)) { // If no errors were found.
require_once('./includes/mysql_connect.php');
// Make the insert query.
$query = "INSERT INTO films (movie_title, actor, rating, user_id)
Values ('$mt', '$la', '$rating', '$user')";
$result = mysql_query($query);
$id = mysql_insert_id();
$query = "INSERT INTO reviewed (review, movie_id)
values ('$review', '$id')";
$result = mysql_query($query);
//Report errors.
} else {
foreach ($errors as $msg){
echo " - $msg <br/> ";
}
}
};
?>
<html>
<form action="review_a_film.php" method="post" id="review_a_film">
<fieldset>
<label for="title">Movie Title</label>
<input type="text" name="movie_title" id="movie_title" />
<br/>
<br/>
<label for="actor">Leading Actor</label>
<input type="text" name="leading_actor" id="leading_name" />
<br/>
<br/>
<label for="rating">Rating</label>
<select id="rating" name="rating"/>
<option selected="selected" value=0 disabled="disabled">Select a Rating</option>
<option value="Terrible">Terrible</option>
<option value="Fair">Fair</option>
<option value="Ok">Ok</option>
<option value="Good">Good</option>
<option value="Excellent">Excellent</option>
</select>
<br/>
<br/>
<label for="review">Your Review</label>
<br/>
<textarea name="review" id="review" rows="15" cols="60"></textarea>
<br/>
<br/>
<input type="submit" name="submit" id="submit" value="submit" />
<input type="hidden" name="submitted" value="TRUE" />
</fieldset>
</form>
</html>
<?php
include('./includes/footer.php');
?>
答案 0 :(得分:2)
回答你的问题: 将他们的user_id存储在变量$ _SESSION ['user_id']中,然后在他们注销时清除$ _SESSION ['user_id']。
但是,您还需要解决其他问题。
您无法以纯文本格式存储密码。这不是好习惯。如果你被黑客入侵(这似乎可能是由于你的SQL漏洞,在一秒钟内达到这个漏洞)并且以纯文本形式存储密码,人们会对你生气。你需要研究密码哈希。这里有几个链接可以帮助您入门:Encryption using mcrypt, PHP, and MySQL How can I store my users' passwords safely?
您也容易受到SQL注入攻击。您必须使用参数化查询,否则用户可以将sql注入您的代码中。
php中的paramaterized查询如下所示:
$var = $unsafevar;
$stmt = mysqli_prepare($connection, "SELECT * FROM users WHERE username = ?");
mysqli_stmt_bind_param($stmt, 's', $var);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_assoc($result);
?代表变量,由bind_param绑定并插入。
查看owasp的sql注入页面及其前十名:
在您考虑在线发布带有用户数据库的网站之前,您必须先了解这些内容。