Checking on profile update whether the profile data already exists

Time: 2016-04-18 16:07:53

Tags: php mysqli pdo

I have a profile page, an edit function and an edit-check function.

Profile page:

if (isset($_POST['edit']) && $_POST['edit'] === 'Edit') {

    $errorMsgs = $user->validateUpdate($_POST);
    if (empty($errorMsgs)) {
        // the row id comes from the hidden form field, i.e. it is client-supplied
        $id = $_POST['id'];
        $username = $_POST['username'];
        $email = $_POST['email'];
        $user->updateProfile($username, $email, $id);
        echo 'edited';
        exit;
    }
    foreach ($errorMsgs as $msg) {
        echo '<li>' . $msg . '</li>';
    }
}


while ($row = mysqli_fetch_assoc($result)) {
?>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="POST">
<input type="hidden" name="id" value="<?php echo (int) $row['id']; ?>" />
Username<br>
<input type="text" name="username" value="<?php echo htmlspecialchars($row['username']); ?>" /><br>
Email<br>
<input type="text" name="email" value="<?php echo htmlspecialchars($row['email']); ?>" /><br>
<input name="edit" type="submit" value="Edit"/>
</form>
<?php }
?>

Update function:

function updateProfile($username, $email, $id)
{
    $con = new Core();
    $con->connect();
    // normalise the username before storing it: lower-case, no surrounding or inner spaces
    $username = trim(strtolower($username));
    $username = str_replace(' ', '', $username);
    $sql = 'UPDATE users SET username = ?, email = ? WHERE id = ?';
    if ($stmt = $con->myconn->prepare($sql)) {
        $stmt->bind_param('ssi', $username, $email, $id);
        $stmt->execute();
        $stmt->close();
    } else {
        die("errormessage: " . $con->myconn->error);
    }
}

Check function:

function validateUpdate(array $userDetails)
{
    $con = new Core();
    $con->connect();
    $errmsg_arr = array();
    foreach ($userDetails as $key => $value) {
        if (empty($value)) {
            $errmsg_arr[] = ucwords($key) . " field is required";
        }
    }

    if (!empty($userDetails['edit'])) {
        if (!empty($userDetails['email']) && !filter_var($userDetails['email'], FILTER_VALIDATE_EMAIL)) {
            $errmsg_arr[] = "the provided email is not a valid email address";
        }

        // check the array that was passed in rather than reading $_POST again
        $sqlu = "SELECT username FROM users WHERE username = ?";
        if ($stmt = $con->myconn->prepare($sqlu)) {
            $stmt->bind_param('s', $userDetails['username']);
            $stmt->execute();
            $stmt->store_result();           // needed before num_rows is meaningful
            if ($stmt->num_rows > 0) {
                $errmsg_arr[] = "Username already exists!";
            }
            $stmt->close();                  // always close, or the next prepare() can fail
        } else {
            die("errormessage: " . $con->myconn->error);
        }

        $sqle = "SELECT email FROM users WHERE email = ?";
        if ($stmt = $con->myconn->prepare($sqle)) {
            $stmt->bind_param('s', $userDetails['email']);
            $stmt->execute();
            $stmt->store_result();
            if ($stmt->num_rows > 0) {
                $errmsg_arr[] = "Email already exists!";
            }
            $stmt->close();
        } else {
            die("errormessage: " . $con->myconn->error);
        }
    }
    return $errmsg_arr;
}

Everything works perfectly. But this check is flawed.

Someone goes to their profile. The person tries to edit their details and edits everything: the code echoes "edited successfully".

But if this person tries to edit only the email and not all the details, they get the error message "Username already exists".

Now my question is: how can I skip checking the username value if it was not edited? Or the email value?

Thanks in advance!

1 answer:

Answer 0: (score: 0)

You exclude the logged-in user from that query. When doing the login, you save the user ID in a session variable. You can use this variable to stop the query from checking the user itself.

$sqlu = "SELECT username FROM users WHERE username = ? AND id != ?";
$sqle = "SELECT email FROM users WHERE email = ? AND id != ?";
// then bind the session id as a second parameter instead of concatenating it into the SQL, e.g. $stmt->bind_param('si', $userDetails['username'], $_SESSION['user_id']);

That should solve your problem! More info on session variables
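As an added example (not the asker's or the answerer's code), the following puts the answer's fix for the question's self-collision together with the checks a reviewer would want around it: the uniqueness queries exclude the session user's own row with both values bound, the username is normalised the same way updateProfile() stores it so the check and the stored value agree, the UPDATE is keyed on the session user's id rather than the hidden form field, and a UNIQUE constraint catches the case where two requests pass validation at the same time. It uses PDO with an in-memory SQLite table instead of the page's Core/mysqli wrapper so it runs offline; the table, the seeded users and the $sessionUserId value are constructed for the demo, and the same SQL works unchanged on MySQL.

```php
<?php
// Added example, not the code from the question or the answer.
// Profile-update validation that excludes the logged-in user's own row,
// keys the UPDATE on the session id (never the POSTed id), and relies on
// UNIQUE constraints for the check-then-update race.
declare(strict_types=1);

function normalizeUsername(string $username): string
{
    // Same normalisation the page's updateProfile() applies, so the uniqueness
    // check sees what will actually be stored (" Bob " must collide with "bob").
    return str_replace(' ', '', trim(strtolower($username)));
}

function validateUpdate(PDO $pdo, int $sessionUserId, array $details): array
{
    $errors = [];
    foreach (['username', 'email'] as $field) {
        if (!isset($details[$field]) || trim((string) $details[$field]) === '') {
            $errors[] = ucwords($field) . ' field is required';
        }
    }
    if ($errors !== []) {
        return $errors;
    }
    $username = normalizeUsername($details['username']);
    $email    = trim($details['email']);
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'the provided email is not a valid email address';
    }
    // Exclude the user's own row; both values are bound, nothing is concatenated.
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE username = ? AND id != ?');
    $stmt->execute([$username, $sessionUserId]);
    if ($stmt->fetchColumn() !== false) {
        $errors[] = 'Username already exists!';
    }
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE email = ? AND id != ?');
    $stmt->execute([$email, $sessionUserId]);
    if ($stmt->fetchColumn() !== false) {
        $errors[] = 'Email already exists!';
    }
    return $errors;
}

function updateProfile(PDO $pdo, int $sessionUserId, string $username, string $email): bool
{
    // Scope the UPDATE to the session user: a hidden <input name="id"> is client-controlled,
    // so using it here would let anyone edit any row.
    $stmt = $pdo->prepare('UPDATE users SET username = ?, email = ? WHERE id = ?');
    try {
        $stmt->execute([normalizeUsername($username), trim($email), $sessionUserId]);
        return true;
    } catch (PDOException $e) {
        // Two requests can both pass validateUpdate() before either writes; the
        // UNIQUE constraint is what really enforces uniqueness (SQLSTATE 23000).
        if ((string) $e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
}

// --- constructed demo data (not from the page) ---
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, email TEXT NOT NULL UNIQUE)');
$pdo->exec("INSERT INTO users (id, username, email) VALUES (1, 'alice', 'alice@example.com'), (2, 'bob', 'bob@example.com')");

$sessionUserId = 1; // assumed to have been stored in $_SESSION['user_id'] at login

// Editing only the email no longer trips over the user's own username.
var_dump(validateUpdate($pdo, $sessionUserId, ['username' => 'alice', 'email' => 'alice2@example.com']));

// Taking bob's name, even with different case and whitespace, is rejected.
var_dump(validateUpdate($pdo, $sessionUserId, ['username' => ' Bob ', 'email' => 'alice@example.com']));

// Only the session user's row changes, whatever id the form posted.
var_dump(updateProfile($pdo, $sessionUserId, 'alice', 'alice2@example.com'));

// The same write racing past validation is stopped by the UNIQUE constraint.
var_dump(updateProfile($pdo, $sessionUserId, 'bob', 'alice2@example.com'));
```

On MySQL the constraint error also arrives as SQLSTATE 23000 (error 1062), so the same catch applies; the point of keeping it is that validateUpdate() is a convenience for user-facing messages, not the enforcement mechanism.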