这是用户评论系统的代码,一切正常使用此代码,但我想只允许那些用户修改他们在会话上的评论(登录)所以我只想添加if($ _ SESSION ['id'] == $ row ['user_id'])然后打开修改页面或者回显“拒绝访问”;我已经尝试过这段代码,但它没有取得session_id而且我不知道我应该在哪里放置这段代码,因为我也会阻止编辑页面请帮助任何人......我被困
编辑页面是用户可以添加评论的页面修改页面是用户可以更新编辑已添加评论的页面
reviews.php
<?php
session_start();
include('server3.php');
include('config.php');
if (isset($_GET['edit'])) {
$id = $_GET['edit'];
$record = mysqli_query($db, "SELECT * FROM info WHERE user_id=$id");
if (count($record) == 1 ) {
$nm = mysqli_fetch_array($record);
$name = $nm['name'];
$address = $nm['address'];
$yid= $nm['id'];
}
}
if (isset($_GET['modify'])) {
$update = true;
$id = $_GET['modify'];
$record2 = mysqli_query($db, "SELECT * FROM info WHERE id=$id");
if (count($record2) == 1 ) {
$n = mysqli_fetch_array($record2);
$name = $n['name'];
$address = $n['address'];
}
}
?>
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="style.css">
<link rel="stylesheet" type="text/css" href="somecss.css">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
<script src="NAV/jquery.min.js"></script>
<script src="NAV/bootstrap.min.js"></script>
</head>
<body>
<header id="fixed-header">
<a href="./index.php"> <center><img id="logo" src="logo.png" height="82" width="350" style="border-radius:8px; margin-top:-100px;"/></center> </a>
</header>
<nav class="navbar navbar-inverse" style="margin-bottom:0px;" >
<div class="container-fluid">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#myNavbar">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="#">NearestMentor.Com</a>
</div>
<div class="collapse navbar-collapse" id="myNavbar">
<ul class="nav navbar-nav">
<li class="active"><a href="#">Home</a></li>
<li><a href="#">What's This</a></li>
<li><a href="#">How to Use</a></li>
<li><a href="#">Contribute & Win</a></li>
<li><a href="#">Winner Mentors Leatherboard</a></li>
<li><a href="#">Terms</a></li>
<li><a href="#">About Us</a></li>
<li><a href="#">Donate Us</a></li>
</ul>
<ul class="nav navbar-nav navbar-right">
<?php
$loggedin = isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true;
if($loggedin) : ?>
<li><a href="myque.php"><span class="glyphicon glyphicon-pencil"> </span>My Q & A</a></li>
<li><a href="Member-Profile.php"><span class="glyphicon glyphicon-user"> </span>Edit Profile</a></li>
<li><a href="./logout.php"><span class="glyphicon glyphicon-log-in"> </span>Logout</a></li>
<?php else : ?>
<li><a href="form-signup.php"><span class="glyphicon glyphicon-user"></span> Sign Up</a></li>
<li><a href="form-login.php"><span class="glyphicon glyphicon-log-in"></span> Login</a></li>
<?php endif; ?>
</ul>
</div>
</div>
</nav>
<?php if (isset($_SESSION['message'])): ?>
<div class="msg">
<?php
echo $_SESSION['message'];
unset($_SESSION['message']);
?>
</div>
<?php endif ?>
<?php $results = mysqli_query($db, "SELECT * FROM info WHERE user_id=$id"); ?>
<table>
<thead>
<tr>
<th>Name</th>
<th>Review</th>
<th colspan="2">Action</th>
</tr>
</thead>
<?php while ($row = mysqli_fetch_array($results)) { ?>
<tr>
<td><?php echo $row['name']; ?></td>
<td><?php echo $row['address']; ?></td>
<td>
<?php
if($row['user_id']==$_SESSION['id'])
{
echo "<a href='review.php?modify=".$row['id'];"class='edit_btn' >Edit</a>";
}
else
{
echo "";
}
?>
</td>
<td>
<a href="server3.php?del=<?php echo $row['id']; ?>" class="del_btn">Delete</a>
</td>
</tr>
<?php } ?>
</table>
<form method="post" action="server3.php" >
<input type="hidden" name="id" value="<?php echo $id; ?>">
<div class="input-group">
<label>USERID</label>
<input type="text" name="user_id" style="width:670px; height:40px;" value=
"<?php echo $id;?>"
</div>
<div class="input-group">
<label>Name</label>
<input type="text" name="name" style="width:670px; height:40px;" value='<?php echo $_SESSION['username'] ?>' readonly="readonly">
</div>
<div class="input-group">
<label>Give Your Review</label>
<input type="text" name="address" style="width:670px;" value="<?php echo $address; ?>">
</div>
<div class="input-group">
<?php if($update=='true')
{
echo '<button class="btn" type="submit" name="update" style="background: #556B2F;" >update</button>';
}
else
{
echo '<button class="btn" type="submit" name="save" >Save</button>';
} ?>
</div>
</form>
</body>
</html>
server3.php
<?php
session_start();
$db = mysqli_connect('localhost', 'root', '', 'mydatabase');
// initialize variables
$name = "";
$address = "";
$id = 0;
$update = false;
if (isset($_POST['save'])) {
$user_id = $_POST['user_id'];
$name = $_POST['name'];
$address = $_POST['address'];
mysqli_query($db, "INSERT INTO info (user_id, name, address) VALUES ('$user_id','$name', '$address')");
$_SESSION['message'] = "Review Saved, Thankyou!";
header('location: review.php?edit='.$user_id);
}
if (isset($_POST['update'])) {
$id = $_POST['id'];
$name = $_POST['name'];
$address = $_POST['address'];
mysqli_query($db, "UPDATE info SET name='$name', address='$address' WHERE id=$id");
$_SESSION['message'] = "Review Updated, Thankyou!";
echo("<script>alert('Review Successfully Updated!')</script>");
echo("<script>window.location = 'index.php';</script>");
}
if (isset($_GET['del'])) {
$id = $_GET['del'];
mysqli_query($db, "DELETE FROM info WHERE id=$id");
$_SESSION['message'] = "Review Deleted, Thankyou!";
echo("<script>alert('Review Successfully Deleted!')</script>");
echo("<script>window.location = 'index.php';</script>");
}
$results = mysqli_query($db, "SELECT * FROM info");
?>
为什么不直接使用像谷歌这样的OAuth登录来创建用户,然后使用该登录来验证用户是否可以编辑评论?它使用户更容易创建帐户,这意味着您更有可能获得这些评论并且您可以通过实施他们可以在线订购的系统来检查他们是否是实际客户,然后检查他们是否真的从您那里购买并验证他们是购买者。可能隐藏垃圾邮件或非客户评论的评论。
我在看server3.php,你需要做很多检查。此代码易受MySQL注入攻击,可以轻松地将垃圾数据存储到数据库服务器中。我建议使用PDO和准备好的查询。我还建议您检查有效的电子邮件并转义用户输入的所有数据。现在我希望这不是一个真实的网站。