I have a form where the user can pick a date to get a specific archive page. However, once they reach that page, they can manually type values into the URL and get different results from the db. So far I have managed to redirect almost every error except one. The URL looks like this: `content.php?day=mon&year=2015&month=jan&week=wk1`. If the user enters a day/year/month/week value that is not allowed, they are redirected to `errors/wrong_url.php`. But if they change the variable names themselves, i.e. day/year/month/week, my redirect fails and the page loads normally but with errors.

If the month and week variable names are changed, the redirect works. But if the year and day var names are changed, the page loads the content without var day and the content with var year.
```php
<?php
if (isset($_GET['year'])) {
    // Strip everything except letters and digits from the raw values.
    $year  = preg_replace('/[^a-zA-Z0-9]/', '', $_GET['year']);
    $month = preg_replace('/[^a-zA-Z0-9]/', '', $_GET['month'] ?? '');
    $week  = preg_replace('/[^a-zA-Z0-9]/', '', $_GET['week'] ?? '');
    $datefdr = $year . "-" . $month . "-" . $week;

    $page_url = $_SERVER['REQUEST_URI'];
    // These patterns look for a literal "id=" in the request URI.
    $day_pattern   = '/id=[a-z]*/';
    $year_pattern  = '/id=[0-9]*/';
    $month_pattern = '/id=[a-z]*/';
    $week_pattern  = '/id=[a-z0-9]*/';

    if (isset($_GET['day'])) {
        $category = preg_replace('/[^a-zA-Z0-9]/', '', $_GET['day']);
        $days_list  = array("mon", "tue", "wed", "thur", "fri", "sat", "sun");
        $year_list  = array("2015", "2016", "2017", "2018", "2019", "2020", "2021");
        $month_list = array("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec");
        $week_list  = array("wk1", "wk2", "wk3", "wk4");

        if (preg_match($day_pattern, $page_url) && preg_match($year_pattern, $page_url)
            && preg_match($month_pattern, $page_url) && preg_match($week_pattern, $page_url)) {
            if (in_array($year, $year_list) && in_array($month, $month_list)
                && in_array($week, $week_list) && in_array($category, $days_list)) {
                switch ($category) {
                    case "mon": // the whitelist holds "mon", not "monday"
                        $query = "SELECT * FROM vidz WHERE day='mon' AND datefdr='$datefdr'";
                        break;
                }
            } else {
                header("Location: errors/wrong_url.php");
                exit;
            }
        } else {
            header("Location: errors/wrong_url.php");
            exit;
        }
    }
    // If 'year' is set but 'day' is not, nothing is checked here and the page continues.
} else {
    // No 'year' parameter at all: fall back to the page's own file name.
    $url_name  = $_SERVER['PHP_SELF'];
    $file_name = basename($url_name, ".php");
    switch ($file_name) {
        case "content":
            $query = "SELECT * FROM vidz WHERE day='content' AND datefdr='content'";
            break;
    }
}
```
I already have a JavaScript function that prevents users from submitting an empty form. Thanks.
Answer 0 (score: 0)
Figured it out, my arrangement was all wrong.
```php
<?php
if (isset($_GET['day'])) {
    $category = $_GET['day'];
    $year  = $_GET['year'] ?? '';
    $month = $_GET['month'] ?? '';
    $week  = $_GET['week'] ?? '';
    $datefdr = $year . "-" . $month . "-" . $week;

    $days_list  = array("mon", "tue", "wed", "thur", "fri", "sat", "sun");
    $year_list  = array("2015", "2016", "2017", "2018", "2019", "2020", "2021");
    $month_list = array("jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec");
    $week_list  = array("wk1", "wk2", "wk3", "wk4");

    // Every value must be in its whitelist before it is used anywhere.
    if (in_array($year, $year_list) && in_array($month, $month_list)
        && in_array($week, $week_list) && in_array($category, $days_list)) {
        switch ($category) {
            case "mon":
                $query = "SELECT * FROM blog WHERE day='mon' AND datefdr='$datefdr'";
                break;
        }
    } else {
        header("Location: http://dundaah.com/errors/wrong_url.php");
        exit;
    }
} else {
    // 'day' is missing (e.g. renamed) but another archive parameter is present: reject.
    if (isset($_GET['year']) || isset($_GET['month']) || isset($_GET['week'])) {
        header("Location: http://dundaah.com/errors/wrong_url.php");
        exit;
    } else {
        // No archive parameters at all: fall back to the page's own file name.
        $url_name  = $_SERVER['PHP_SELF'];
        $file_name = basename($url_name, ".php");
        switch ($file_name) {
            case "content":
                $query = "SELECT * FROM blog WHERE day='content' AND datefdr='content'";
                break;
        }
    }
}
```
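A tighter version of the same check, added here as an example and not part of the original question or answer: all four parameters are validated together with strict comparison, the script stops after the redirect, and the values are bound into a prepared statement rather than interpolated into the SQL string. It assumes a PDO connection in `$pdo` and the `blog` table with `day` and `datefdr` columns used in the answer.

```php
<?php
// Added example (not from the original post). Assumes a PDO connection in $pdo
// and the blog/day/datefdr table and columns from the answer above.
const ALLOWED = [
    'day'   => ['mon', 'tue', 'wed', 'thur', 'fri', 'sat', 'sun'],
    'year'  => ['2015', '2016', '2017', '2018', '2019', '2020', '2021'],
    'month' => ['jan', 'feb', 'mar', 'apr', 'may', 'jun',
                'jul', 'aug', 'sep', 'oct', 'nov', 'dec'],
    'week'  => ['wk1', 'wk2', 'wk3', 'wk4'],
];

// Returns the validated parameters, or null if any is missing (e.g. renamed),
// not a plain string, or outside its whitelist.
function validate_archive_params(array $get): ?array
{
    $clean = [];
    foreach (ALLOWED as $key => $values) {
        // A missing key or an array-style value (day[]=mon) fails before any comparison.
        if (!isset($get[$key]) || !is_string($get[$key])) {
            return null;
        }
        // Strict comparison: no type juggling against the whitelist.
        if (!in_array($get[$key], $values, true)) {
            return null;
        }
        $clean[$key] = $get[$key];
    }
    return $clean;
}

if (array_intersect_key($_GET, ALLOWED) === []) {
    // No archive parameters at all: the default "content" page from the answer.
    $day = 'content';
    $datefdr = 'content';
} else {
    $params = validate_archive_params($_GET);
    if ($params === null) {
        header('Location: /errors/wrong_url.php');
        exit; // without this the rest of the script still runs after the redirect
    }
    $day = $params['day'];
    $datefdr = $params['year'] . '-' . $params['month'] . '-' . $params['week'];
}

// Bound parameters: the values never become part of the SQL text.
$stmt = $pdo->prepare('SELECT * FROM blog WHERE day = :day AND datefdr = :datefdr');
$stmt->execute([':day' => $day, ':datefdr' => $datefdr]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Because every whitelisted key must be present, a renamed parameter such as `dya=mon` is rejected the same way as a bad value, which is the case the question could not catch.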