I have a page at mysite.com/page
On this page the user can enter a username and a password:
<form method="post">
<div class='form-group'>
<label for='spreadsheet-form-username'>Username</label>
<input class='form-control' id='spreadsheet-form-username' name='username' placeholder='Username'>
</div>
<div class='form-group'>
<label for='spreadsheet-form-password'>Password (optional - required to edit)</label>
<input type='password' class='form-control' name='password' id='spreadsheet-form-password' placeholder='Password'>
</div>
<button type='submit' class='btn btn-default'>Submit</button>
</form>
When the user clicks Submit, the data is POSTed and the URL is rewritten to mysite.com/page/exampleUser
or, equivalently, mysite.com/page?username=exampleUser
If the user submits only a username to look something up, I want them to be able to only view the data at mysite.com/page/exampleUser;
if they also submit the correct password, they should be able to edit the data.
I can get the correct URL, but I am struggling to find how to check, on the mysite.com/page/exampleUser
page, whether both a username and a password were sent (and what their values are). I want to be able to tell whether they are allowed to edit the data on that page.
I tried this code:
$mode = "view";
if (isset($_POST["password"])) {
    // $storedHash is the password_hash() value kept for this user (the lookup is not shown)
    if (password_verify($_POST["password"], $storedHash)) {
        $mode = "edit";
    }
}
if (isset($_POST["username"])) {
    $username = $_POST["username"];
    header("Location: /spreadsheet/" . $username);
    exit; // stop processing after the redirect header
}
But I can't seem to get the $_POST["password"] data on the rewritten URL. It is only available before the URL is rewritten.
I don't necessarily need to be able to send the password, but I want to be able to send some information that tells me whether the page is viewable or editable. I also can't send it through the URL (e.g. mysite.com/page/exampleUser/edit
), because I don't want users to be able to edit other users' data just by changing the URL.
Here is how I handle the URL rewriting:
// Use only the path component, so a query string cannot end up in the last element
$path = ltrim(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/');
// Split url on slashes
$elements = explode('/', $path);
if ($elements[0] == "page" && sizeof($elements) == 1) {
    // do nothing, there wasn't a username submitted
}
else {
    switch(array_shift($elements))
    {
        case 'page':
            // after array_shift() the username is the first remaining element
            echo "username: " . $elements[0];
            echo "password: " /* not sure what to put here*/;
            break;
        default:
            header("Location: /404.php");
            exit;
    }
}
and my .htaccess:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ 404.php [L]
Any help would be greatly appreciated!
Answer 0 (score: 0)
You can store the password and some kind of identifier in the session. In the example below I use uniqid()
to generate the key. You can safely put this ID in the redirect URL.
Later you can check the ID and use the password stored in the session if it matches.
// Remove if the session is already started at this point
session_start();
$mode = "view";
if (isset($_POST["password"])) {
    // $storedHash is the password_hash() value kept for this user (the lookup is not shown)
    if (password_verify($_POST["password"], $storedHash)) {
        $mode = "edit";
    }
}
if (isset($_POST["username"])) {
    $username = $_POST["username"];
    $passwordId = uniqid();
    $_SESSION['spreadsheetPasswordId'] = $passwordId;
    // Password should be hashed before writing it to session.
    $_SESSION['spreadsheetPassword'] = $_POST["password"] ?? '';
    header("Location: /spreadsheet/" . $username . "/" . $passwordId);
    exit; // stop processing after the redirect header
}
Later:
// Remove if the session is already started at this point
session_start();
// Use only the path component, so a query string cannot end up in the last element
$path = ltrim(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/');
// Split url on slashes
$elements = explode('/', $path);
// we need at least three elements: page, username, key
if ($elements[0] == "page" && sizeof($elements) < 3) {
    // do nothing, there wasn't a username submitted
}
else {
    switch(array_shift($elements))
    {
        case 'page':
            // after array_shift() the username is at index 0 and the key at index 1
            echo "username: " . $elements[0];
            echo "password: " . (
                isset($_SESSION['spreadsheetPasswordId']) &&
                hash_equals($_SESSION['spreadsheetPasswordId'], $elements[1]) ?
                $_SESSION['spreadsheetPassword'] :
                'Access key is invalid or has expired.');
            break;
        default:
            header("Location: /404.php");
            exit;
    }
}
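The approach above puts a secret in the URL and keeps the submitted password in the session, neither of which the site needs: the session cookie already ties the visitor to their session, so the redirect only has to carry the username, and what the view page needs to know is the outcome of the password check, not the password. The following is an added example (not code from the question or the answer) showing that design for the flow the question describes: the POST handler verifies the password against a stored password_hash() value, records an edit grant for that username in the session, and redirects to /page/<username>; the view page decides between "view" and "edit" purely from the session, so changing the URL to another user's name gives only view access. The credential table and the helper names (userHashes, checkPassword, handleForm, modeFor) are assumptions made for the example.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes the question's .htaccess routes /page and /page/<username> here.
declare(strict_types=1);

session_start();

// Constructed sample credential store. Hashes are generated at startup only so
// the script runs offline; a real app reads password_hash() output from its
// database and never recomputes it per request.
function userHashes(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['exampleUser' => password_hash('correct-horse-battery', PASSWORD_DEFAULT)];
    }
    return $users;
}

// True only if $password matches the stored hash for $username.
// Unknown usernames are verified against a dummy hash so that a missing user
// costs the same time as a wrong password.
function checkPassword(string $username, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-to-equalise-timing', PASSWORD_DEFAULT);
    }
    $hashes = userHashes();
    $known  = isset($hashes[$username]);
    $ok     = password_verify($password, $known ? $hashes[$username] : $dummy);
    return $known && $ok;
}

// POST /page: validate the form, store only the decision, then redirect.
function handleForm(array $post): void
{
    $username = $post['username'] ?? '';
    // Restrict usernames to a safe charset before they reach a URL or a lookup.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $username)) {
        http_response_code(400);
        exit('invalid username');
    }
    $password = $post['password'] ?? '';
    if ($password !== '' && checkPassword($username, $password)) {
        // Remember the grant bound to this username, with a timestamp for expiry.
        // The password itself is never written to the session.
        session_regenerate_id(true); // fresh session id after a successful login
        $_SESSION['edit_grants'][$username] = time();
    }
    header('Location: /page/' . rawurlencode($username), true, 303);
    exit;
}

// GET /page/<username>: "edit" only if this session holds a fresh grant for
// exactly this username; any other username in the URL is view-only.
function modeFor(string $username, array $session, int $maxAge = 900): string
{
    $granted = $session['edit_grants'][$username] ?? null;
    if (is_int($granted) && (time() - $granted) < $maxAge) {
        return 'edit';
    }
    return 'view';
}

// Minimal router matching the question's rewrite rules.
$path     = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
$elements = explode('/', trim($path, '/'));

if ($elements[0] !== 'page') {
    http_response_code(404);
    exit('not found');
}
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    handleForm($_POST);
}
if (count($elements) < 2 || $elements[1] === '') {
    exit('render the username/password form here');
}

$username = $elements[1];
$mode     = modeFor($username, $_SESSION);
echo 'username: ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . "\n";
echo 'mode: ' . $mode . "\n";
```

Two points worth keeping when adapting this: the grant is keyed by username, so a session that was granted edit on exampleUser still gets "view" for /page/otherUser, and the 303 redirect means a refresh of the result page does not resubmit the password. If the answer's URL-key scheme is kept anyway, the key should at least be compared with hash_equals() and never stored next to a plaintext password, since a session file or a referer leak would then hand out both.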