php - 如何从用户表单 PHP 安全地编辑数据库中的信息

Question

目前我有一个可用的 PHP 编辑脚本，它允许用户编辑他们发布的广告，但我意识到用户可以修改 ?id= 数字来调出另一组数据编辑别人的数据并将其保存在数据库中。

有什么方法可以让用户点击他们发布的广告进行编辑时，他们只能访问自己的广告，而无法通过调整广告来编辑其他人的广告id?= 以及保护表单免遭操纵的方法？

这是我当前的代码:

<?php
/* 
EDIT.PHP
Allows user to edit specific entry in database
*/

// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is      easily reusable
function renderForm($id, $fname, $lname, $contact, $price, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Record</title>
 <link rel="stylesheet" type="text/css" href="stylesheet.css">

 <style type="text/css">

#page-wrap                  {
position:absolute;
top: 206px;
left: 288px;
width: 50%;
text-align:left;
background-color:#FFF;
padding: 10px;
border-radius: 10px;
box-shadow: 1px 2px 2px #888888;
     }
     
    </style>
    <script type = "text/javascript">

    function myfunction(url)
    {
    window.location.href = url;
    }
   </script>


</head>
<body>

  <div class="container">

  <div id="imagelogo" onclick = "window.location.href = 'index.html'" > 

  <p> Buy and sell stuff around University</p>
   </div>

   <ul id="navigation" name="navigation">
  <li id="nav-home"><a href="index.html">Home</a></li>
  <li id="nav-search"><a href="search.php">Search</a></li>
  <li id="nav-selling"><a href="#">Selling</a></li>
  <li id="nav-buying"><a href="#">Buying</a></li>
   <li id="nav-FAQ"><a href="#">FAQ</a></li>
  <li id="nav-contact"><a href="#">Contact</a></li>

  <p>&nbsp;</p>
  <p>&nbsp;</p>
  <p>&nbsp;</p>
  <p>Sponsors</p>
  </ul>
  <div id="account">

  <?php
  if( isset( $_SESSION['username'] ) ){

  echo "<a href='securedpage1.php'>My Account</a><img src='images/uni-icon.png' width='30'        height='18' style='vertical-align: middle;'/>";

  }else{

 echo "<a href='login.php' >Login</a><img src='images/uni-icon.png' width='30' height='18'    style='vertical-align: middle;'/>";
}
?>

</div>

<div id="registerlogout">
<?php
if( isset( $_SESSION['username'] ) ){
echo "<a href='logout.php'>Logout</a>";

}else{

echo "<a href='register.php'> Register</a>";
}
?>
</div>

<div id="social">
<img src="images/fb-logo.png" width="22" height="20" />     

 <img src="images/twitter-logo.png" width="24" height="25" />
  </div>

 <div id="page-wrap">
 <?php 
 // if there are any errors, display them
 if ($error != '')
 {
 echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
 }
 ?> 

 <form action="" method="post">
 <input type="hidden" name="id" value="<?php echo $id; ?>"/>
 <div>
 <strong>Ad Title: *</strong> <input type="text" name="fname" style="width: 60%; box-    sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;"value="<?php      echo $fname; ?>"/><br/>
  <strong>Description: *</strong> <textarea name="lname" cols="45" rows="5"><?php echo     $lname; ?></textarea><br/>
 <strong>Contact*</strong> <input type="text" name="contact"  style="width: 60%; box-    sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;" value="<?php     echo $contact; ?>"/><br/>
<strong>Price*</strong> <input type="text" name="price"  style="width: 60%; box-sizing:    border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;" value="<?php echo    $price; ?>"/><br/>
 <p>* Required</p>
 <input type="submit" name="submit" value="Submit">
 </div>
 </form>
 </div>
 </div>
 </body>
 </html> 
 <?php
  }

// Inialize session
    session_start();


 // connect to the database
 include('conn.php');

 // check if the form has been submitted. If it has, process the form and save it to the    database
 if (isset($_POST['submit']))
  { 
 // confirm that the 'id' value is a valid integer before getting the form data
 if (is_numeric($_POST['id']))
 {
 // get form data, making sure it is valid
 $id = $_POST['id'];
 $fname = mysql_real_escape_string(htmlspecialchars($_POST['fname']));
 $lname = mysql_real_escape_string(htmlspecialchars($_POST['lname']));
 $contact = mysql_real_escape_string(htmlspecialchars($_POST['contact']));
 $price = mysql_real_escape_string(htmlspecialchars($_POST['price']));

 // check that firstname/lastname fields are both filled in
 if ($fname == '' || $lname == '' || $contact == '' || $price == '' )
 {
 // generate error message
 $error = 'ERROR: Please fill in all required fields!';

 //error, display form
 renderForm($id, $fname, $lname, $contact, $price, $error);
 }
else
 {
 // save the data to the database
 mysql_query("UPDATE people SET price='$price', contact='$contact', fname='$fname',      lname='$lname' WHERE id='$id'")
 or die(mysql_error()); 

 // once saved, redirect back to the view page
 header("Location: view.php"); 
 }
 }
 else
 {
 // if the 'id' isn't valid, display an error
 echo 'Error!';
 }
 }
 else
 // if the form hasn't been submitted, get the data from the db and display the form
 {

 // get the 'id' value from the URL (if it exists), making sure that it is valid (checing   that it is numeric/larger than 0)
 if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0)
 {
 // query db
 $id = $_GET['id'];
 $result = mysql_query("SELECT * FROM people WHERE id=$id")
 or die(mysql_error()); 
$row = mysql_fetch_array($result);

 // check that the 'id' matches up with a row in the databse
 if($row)
 {

 // get data from db
 $fname = $row['fname'];
 $lname = $row['lname'];
 $contact = $row['contact'];
 $price = $row['price'];

 // show form
 renderForm($id, $fname, $lname, $contact, $price, '');
 }
 else
 // if no match, display result
 {
 echo "No results!";
 }
 }
 else
 // if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
 {
 echo 'Error!';
 }
 }
 ?>

Answer 1

您需要在数据库中记录每个广告的海报。这只是另一专栏。

当尝试编辑广告(无论是为了显示表单还是保存结果)时，您需要检查广告的所有者是否与当前登录的用户匹配。

例如更新广告 SET text=?哪里 id=？和用户=？