如何在张贴表单时存储(和/或张贴)用户ID?
[英]How to store (and/or POST) user ID as their form is POSTed?
问题描述
I'm building a site where users create profiles and projects (startups, research, inventions, etc) and share and connect with others for a valuable exchange. 
我正在建立一个网站,用户可以在其中创建个人资料和项目(初创企业,研究,发明等),并与他人共享和联系以进行有价值的交流。
I started the site sometime ago with a friend and we've since stopped working on it together. 不久前,我与一个朋友一起启动了该网站,此后我们就停止了合作。 He wrote all of the php and I did all the front end. 他写了所有的php,而我做了所有的前端。 Now I'm doing both and the concept has changed a bit. 现在,我同时做这两个事情,概念已经改变了一点。 This means I'm adapting a lot of the code he has already written. 这意味着我正在改编他已经编写的许多代码。
When users posts a new project, there is certain background information that needs to be posted with it. 用户发布新项目时,需要与之一起发布某些背景信息。 Therefore, when they create a new post I want to store their ID with it. 因此,当他们创建新帖子时,我想将其ID与之一起存储。 This way when their post is displayed, it also shows the pertinent user profile information. 这样,在显示其帖子时,它还会显示相关的用户个人资料信息。
How do I properly store (and/or POST) their user ID as the form is POSTed? 表单过帐后,如何正确存储(和/或POST)其用户ID?
(I apologize, I'm fairly new to PHP. Doing my best with the lingo.) (很抱歉,我是PHP的新手。尽我所能使用行话。)
Here is some of the code (not all is needed, I know) 这是一些代码(我知道并不需要全部)
<?php
require_once("../includes/config.php");
require_once("../assets/classes/projects.php");
$x = new projects();
if(isset($_SESSION['username']))
{
$_SESSION['logged_in'] = 1;
}
$dbh = config::get();
$checkCountQ = $dbh->prepare("SELECT cork_user_notes.tf_index FROM `cork_user_notes` INNER JOIN `cork_users` ON cork_user_notes.tf_index = cork_users.tf_index WHERE cork_users.tf_username = :un");
$checkCountQ->bindParam(":un", $_GET['user']);
$checkCountQ->execute();
$checkCountR = $checkCountQ->rowCount();
?>
<form action="addProjects.php" method="POST">
<tbody>
<tr>
<td>
Enter your project name
</td>
<td>
<input type="text" name="title" placeholder="project name">
</td>
</tr>
<tr>
<td>
Enter your project's category
</td>
<td>
<select name="category">
<option value="1">Startup</option>
<option value="2">Software</option>
<option value="3">Hardware</option>
<option value="4">Research</option>
<option value="5">Discovery</option>
<option value="6">Invention</option>
</select>
</td>
</tr>
3 个解决方案
解决方案1
0 2014-09-16 04:45:33
Allowing the user to alter their user_id is not safe for your records because a user could pose as someone else. 允许用户更改其user_id对于您的记录并不安全,因为用户可能冒充其他人。 Here there is no user_id in your code, only their username which if unique, might work just as well. 这里在您的代码中没有user_id ,只有他们的username (如果唯一的话)可能同样有效。 In order to do this efficiently it might be best to pass the value in a hidden form field in addition to a hashed field that contains a value known only to you to verify on the other side: 为了高效地执行此操作,除了散列字段中最好包含隐藏值字段中的值,该散列字段还包含只有您知道才能在另一侧进行验证的值:
<?php
print "<input type=\"hidden\" name=\"uid\" value=\"".$_SESSION['username']."\">";
print "<input type=\"hidden\" name=\"uidh\"
value=\"".md5($_SESSION['username']."Something that only you know")."\">";
?>
On the other side you check the hash. 另一方面,您检查哈希。
if (!empty($_POST['uid'])&&!empty($_POST['uidh'])
&&$_POST['uid']==md5($_POST['uidh']."Something that only you know")){
//then they're okay
} else {
//fail spectacularly at their attempt
}
If your server is setup to handle sessions with cookies, the cookies are unsafe and can't be trusted as well. 如果您的服务器设置为处理与cookie的会话,则cookie是不安全的,也不能被信任。
To verify sessions you would want to hash the data with a unique key only known to you as well. 要验证会话,您可能希望使用一个唯一已知的唯一密钥来哈希数据。
解决方案2
0 2014-09-16 04:51:30
Why does the user ID value need to be posted from the form at all? 为什么根本需要从表单中发布用户ID值?
You have an authenticated user, you have their user's ID on the server side in some shape or fashion (maybe stored in the session or something similar). 您具有经过身份验证的用户,并且在服务器端具有某种形状或方式的用户ID(可能存储在会话中或类似的内容中)。 Use that when creating the project, and do not accept a user-supplied user ID. 在创建项目时使用它,并且不接受用户提供的用户ID。
解决方案3
-1 2014-09-16 04:42:10
Two ways to do this. 有两种方法可以做到这一点。
You session the user id when the user logs in like this
当用户以这种方式登录时,您可以会话用户ID $_SESSION['userid'] = $id;
which you can subsequently used anywhere in the website as this case maybe when inserting 您可以随后在网站上的任何位置使用该代码,例如在插入时
create an hidden field in the form to store userid
在表单中创建一个隐藏字段以存储userid <input type="hidden" name="id" value="<?php echo $_SESSION['userid']; ?>" />
you can then get it with $_POST['id'] when submit button isset. 您可以在设置提交按钮后使用$_POST['id']来获取它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.