PHP PDO插入公司与会话数据
[英]Php pdo inserting firm with session data
问题描述
I am working on an application that has different forms that a logged in user can fill out and submit. 
我正在开发一种具有不同表单的应用程序,已登录的用户可以填写并提交。 For example, an artist is able to submit their video through a form and that movie will be saved and uploaded to the database. 例如,艺术家可以通过表单提交他们的视频,并且该电影将被保存并上传到数据库。 However, I would like when a form is submitted for it to automatically connect the userID and userEmail to the form when it is submitted so that I can easily check for either user id or email when pulling back data. 但是,我希望提交表单时能在提交表单时自动将userID和userEmail连接到表单,以便在回取数据时可以轻松地检查用户ID或电子邮件。 I have tried several different methods of doing this and nothing has worked so any help is much appreciated. 我尝试了几种不同的方法来执行此操作,但是没有任何效果,因此非常感谢您的帮助。 I am also using foreign keys in my database tables but I do not understand how that works in connecting to a table. 我也在数据库表中使用外键,但是我不明白在连接到表时它如何工作。 So here is my table setup for users and for movies Users table 所以这是我的用户和电影用户表设置
CREATE TABLE IF NOT EXISTS. `users` (
`userID` int(11) NOT NULL. AUTO_INCREMENT,
`userEmail` varchar(100) NOT NULL,
`userPass` varchar(100) NOT NULL,
`userType` varchar(6) NOT NULL,
`agreement` enum('Yes', 'No') NOT NULL,
`userStatus` enum('Y','N') NOT NULL. DEFAULT 'N',
`tokenCode` varchar(100) NOT NULL,
PRIMARY KEY (`userID`),
UNIQUE KEY `userEmail` (`userEmail`)
) ENGINE= MyISAM DEFAULT. CHARSET=latin1. AUTO_INCREMENT=1 ;
Movies Table 电影表
CREATE TABLE `movies` (
`userID` int(11) NOT NULL,
`userEmail` varchar(250) NOT. NULL,
`movie_name` varchar(300) NOT NULL,
FOREIGN KEY (userID) Refrences users(userID),
FOREIGN KEY (userEmail) REFRENCES users(userEmail),
UNIQUE KEY `movie_name` (`movie_name`)
) ENGINE=MyISAM DEFAULT. CHARSET=latin1;
The Form page is here ( I tried adding the SESSION data to the POST here and tried the GET method to add SESSION data neither of which worked) 表单页面在此处(我尝试在此处将SESSION数据添加到POST,并尝试使用GET方法添加SESSION数据,但两者均无效)
if(isset($_POST['submit']))
{
$email = trim($_POST['email']);
$movie = trim($_POST['movie']);
if($user_home->upload($email, $movie))
{
header("Location: Artist_Uploads.php?inserted");
}
else
{
header("Location: Artist_Uploads.php?failure");
}
}
<form action="Artist_Uploads.php" method="post" name="upload">
<input name="email" type="hidden" value="<?php echo. htmlentities($row['userEmail']); ?>" />
<input name="movie" type="text" />
<input name="submit" type="submit" />
</form>
Page that processes form submission 处理表单提交的页面
public function upload($email,$movie) { try
{
$stmt = $this->conn->prepare("INSERT INTO movies(userEmail, movie_name) VALUES(:email, :movie)");
$stmt->bindValue(":email",$email);
$stmt->bindparam(":movie",$movie);
$stmt->execute();
return true;
}
catch(PDOException $e)
{
echo $e->getMessage();
return false;
}
}
I have tried insert lasted() below the return true and before the return true. 我尝试在返回true之下和返回true之前插入lasted()。
Tried adding VALUES ('','$_SESSION[cuserID]','$_SESSION[userEmail]','') :movies");. I also tried adding the _SESSION data in the bindValue or the bindCol neither of those worked either. I also tried adding INSERT INTO movies FROM users.userID, users.userEmail but that did not work either. 尝试添加VALUES('','$ _ SESSION [cuserID]','$ _ SESSION [userEmail]',''):movies“);.我也尝试在bindValue或bindCol中添加_SESSION数据,但都不起作用。我还尝试了从users.userID,users.userEmail添加INSERT INTO电影,但是那也不起作用。
So I do not know how to get it to insert the userID and userEmail without outputting it into the form then inserting it that way but that seems to dangerous and open to injection because someone could easily manipulate that info or get the users ID and start playing with it. 因此,我不知道如何将其插入到用户ID和userEmail中,而不将其输出到表单中,然后以这种方式插入,但这似乎很危险,并且很容易注入,因为有人可以轻松地操纵该信息或获取用户ID并开始播放用它。 So any suggestions or pointers would be much appreciated. 因此,任何建议或指示将不胜感激。 Thank you in advance. 先感谢您。
3 个解决方案
解决方案1
1 2017-01-04 21:04:28
The user ID or username whatever you use to uniquely and permanently identify each user should be stored in the session right after the user is authenticated. 用户ID或用户名(无论您用来唯一且永久地标识每个用户的身份)应在用户通过身份验证后立即存储在会话中。 I say permanently because by using the email and then even setting up foreign key constraints on the email you are looking for a world of pain. 我之所以说是永久性的,是因为通过使用电子邮件,然后甚至在电子邮件上设置外键约束,您都在寻找痛苦的世界。 Don't do that. 不要那样做 Use something that would never be modified by the user. 使用用户永远不会修改的内容。 Typically users aren't allowed to modify their username and it would be pointless to give a user the option to modify their user id. 通常,不允许用户修改其用户名,并且为用户提供修改其用户ID的选项是毫无意义的。
First you authenticate (something like this): 首先,您进行身份验证(类似这样):
<?php
if ($user->authenticate($_POST['username'], $_POST['password'])) {
session_start();
$_SESSION['userid'] = $user->getUserId();
}
else {
echo "invalid password";
}
On subsequent requests, make sure you do session_start() first, and then you can just retrieve the information from the database using the value stored in the session. 对于后续请求,请确保先执行session_start() ,然后才可以使用会话中存储的值从数据库中检索信息。 No need to send it in the form. 无需以表格形式发送。 In fact, sending it in the form would be a huge security risk because people could upload videos to other users' accounts. 实际上,以这种形式发送它会带来巨大的安全风险,因为人们可以将视频上传到其他用户的帐户。
session_start();
// Make sure user is logged in
if (!isset($_SESSION['userid'])) {
header("Location: login.php");
}
// Pull their info from the database
$stmt = $this->conn->prepare("SELECT * FROM users WHERE userid = ?");
$stmt->bindValue(1, $_SESSION['userid']);
$stmt->execute();
$user = $stmt->fetch();
Then you can execute your other queries based on the values you get in $user . 然后,您可以根据$user获得的值执行其他查询。 Similar to what I mentioned earlier, get rid of emails from tables where it is irrelevant. 与我之前提到的类似,请删除与表无关的电子邮件。 You are duplicating information across tables and modifying the value would be very difficult. 您正在跨表复制信息,并且修改值将非常困难。 You also want to add some sort of unique way to identify the movies as well: 您还希望添加某种独特的方式来识别电影:
CREATE TABLE `movies` (
`movieID` int(11) NOT NULL. AUTO_INCREMENT,
`userID` int(11) NOT NULL,
`movie_name` varchar(300) NOT NULL,
FOREIGN KEY (userID) Refrences users(userID),
UNIQUE KEY `movie_name` (`movie_name`)
) ENGINE=MyISAM DEFAULT. CHARSET=latin1;
Then query: 然后查询:
public function upload($userid,$movie) {
try
{
$stmt = $this->conn->prepare("INSERT INTO movies(userID, movie_name)
VALUES(:userid, :movie)");
$stmt->bindValue(":userid",$userid);
$stmt->bindparam(":movie",$movie);
$stmt->execute();
return true;
}
catch(PDOException $e) {
echo $e->getMessage();
return false;
}
}
解决方案2
0 2017-01-04 21:05:07
There are several issues going on here. 这里有几个问题。 I can't say I completely understand the errors you're seeing (please post any error messages as part of the question). 我不能说我完全理解您看到的错误(请在问题中张贴任何错误消息)。
However, I do see a potentially significant issue with your table schema. 但是,我确实发现您的表架构存在潜在的重大问题。 If the movies table has users.userID as a foreign key, it should not need a userEmail attribute at all (nor its associated foreign key), as this information is obtained by joining users and movies on userID . 如果movies表已经users.userID作为外键,它不应该需要一个userEmail在所有(也与其相关的外键)的属性,因为这些信息是通过将获得users和movies的userID 。 In addition, trying to build a foreign key on userEmail is extra problematic, as users.userEmail is not guaranteed to be unique. 另外,尝试在userEmail上构建外键是另外一个问题,因为不能保证users.userEmail是唯一的。
解决方案3
0 2017-01-10 01:14:06
Answer: 回答:
On the page that process the form do the following 在处理表单的页面上执行以下操作
If (isset ($_POST ['submit']))
{
$email = $_SESSION ['userEmail'];
Everything else is normal and it works perfectly. 其他一切都正常,并且运行正常。 Just make sure you have sessions setup or it will not work. 只要确保您有会话设置,否则将无法使用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.