我已创建此表单以更新各种用户配置文件的数据。更新有效,但我需要一些技巧和帮助。表格非常简洁,简化为必需品,我想知道如何改进它,也许放置控件使其尽可能安全,我该怎么办?
此外,我无法通过SESSION获取用户的ID,其他数据将其作为位置获取,但电子邮件ID号码。所以我需要的只是因为表单必须基于用户的ID。 我想知道是否投入SESSIONS,创建一个收集用户数据的课程并不是更好,例如:$ user [' email'];
但是,我粘贴了类user.php
include('password.php');
class User extends Password{
private $_db;
function __construct($db){
parent::__construct();
$this->_db = $db;
}
private function get_user_hash($username){
try {
$stmt = $this->_db->prepare('SELECT password FROM members WHERE username = :username AND active="Yes" ');
$stmt->execute(array('username' => $username));
$row = $stmt->fetch();
return $row['password'];
} catch(PDOException $e) {
echo '<p class="bg-danger">'.$e->getMessage().'</p>';
}
}
public function login($username, $password){
$hashed = $this->get_user_hash($username);
if($this->password_verify($password,$hashed) == 1){
$_SESSION['loggedin'] = true;
return true;
}
}
public function logout(){
session_destroy();
}
public function is_logged_in(){
if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
return true;
}
}
public function is_logged_admin(){
if(isset($_SESSION['level']) && $_SESSION['level'] == 2 ) {
return true;
}
return false;
}
public function get_user_info($username){
try {
$stmt = $this->_db->prepare('SELECT memberID,email,location,gender,level,active FROM members WHERE username = ?');
$stmt->execute(array($username));
return $stmt->fetch();
} catch(PDOException $e) {
echo '<p class="bg-danger">'.$e->getMessage().'</p>';
}
}
}
以及我称之为account.php的表单
<form role="form" method="POST">
<div class="form-group">
<label class="control-label">Email</label>
<input type="text" name="email" class="form-control" value="<?= $_SESSION['email']; ?>">
</div>
<div class="form-group">
<label class="control-label">Location</label>
<input type="text" name="location" class="form-control" value="<?= $_SESSION['location']; ?>">
</div>
<div class="form-group">
<label class="control-label">Gender</label>
<input type="text" name="gender" class="form-control" value="<?= $_SESSION['gender']; ?>">
</div>
<div class="margiv-top-10">
<input type="submit" name="submit" class="btn" value="Update">
</div>
</form>
和
if (isset($_POST['email'], $_POST['location'], $_POST['gender'])) {
$stmt = $db->prepare("UPDATE members SET email = ?, location = ?, gender = ? WHERE memberID = 1");
$stmt->execute([$_POST['email'], $_POST['location'], $_POST['gender']]);
}