PHP/MySQL - 发布/问题批准系统?
[英]PHP/MySQL - Post/Question approval system?
问题描述
So, I'm making a trivia game--and I have a page where users can submit their own trivia questions which will later be put into games (separate part of the game that isn't too relevant here).
所以,我正在制作一个问答游戏——我有一个页面,用户可以在其中提交他们自己的问答问题,这些问题稍后会被放入游戏中(游戏的单独部分,在这里不太相关)。 Anyway, so prevent spam, and irrelevancy, or false submitting/trolls, I'm making a moderator approval page;无论如何,所以要防止垃圾邮件、不相关的内容或虚假提交/喷子,我正在制作一个版主批准页面; this page displays individual "pending" questions that users submit.该页面显示用户提交的各个“未决”问题。 (When they submit a question, it goes into a "pending" database table called 'usertriviadata'. (当他们提交问题时,它会进入一个名为“usertriviadata”的“待定”数据库表。
Then, it displays each of the pending questions on the moderator approval page, with a submit button where a mod/admin can approve it.然后,它会在版主批准页面上显示每个未决问题,并带有一个提交按钮,版主/管理员可以在其中批准它。
Step by step this is how it works:一步一步,这是它的工作原理:
- The page displays (per trivia category) each individual pending question on the approval page, each one has a submit button.该页面在批准页面上显示(每个琐事类别)每个单独的未决问题,每个问题都有一个提交按钮。
- A moderator can view it, and if they want to approve it, they click the "approve" button.版主可以查看它,如果他们想批准它,则单击“批准”按钮。
- If the "approve" button is clicked, the system deletes the question from the "pending" 'usertriviadata' table, and inserts it into the 'approved' database table where I will use the data in that table for later.如果单击“批准”按钮,系统会从“待定”“usertriviadata”表中删除该问题,并将其插入到“已批准”数据库表中,我稍后将在该表中使用该表中的数据。
The problem I'm having, and can't quite figure out how to fix--when I click the approve button, it approves ALL/ANY pending questions in that particular category.我遇到的问题,无法完全弄清楚如何解决——当我单击批准按钮时,它会批准该特定类别中的所有/任何未决问题。 Let's say there is 3 pending questions in the "geography" category.假设“地理”类别中有 3 个未决问题。 I click approve on any of those 3 questions, and it approves all of them.我在这 3 个问题中的任何一个上单击批准,它都会批准所有这些问题。 Basically, the deletion and insertion (swapping data between the two database tables) works, but I want to individualize it.基本上,删除和插入(在两个数据库表之间交换数据)有效,但我想对其进行个性化设置。 I've tried a few different things, but I can't quite get it right.我尝试了一些不同的东西,但我不能完全正确。
Any suggestions?有什么建议么? The code is below this image (image shows the approval page to get a general idea of what it looks like when there are multiple pending questions):代码在此图像下方(图像显示批准页面以大致了解存在多个未决问题时的外观):
[enter image description here][1] [在此处输入图片描述][1]
<div class="categories">
<h3>Geography</h3>
<?php
$sql = "SELECT questionID, category, uploaderUsername, question, correctAnswer, answerTwo, answerThree, answerFour FROM usertriviadata WHERE category='geography'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
$questionID = $row['questionID'];
$category = $row['category'];
$uploaderUsername = $row['uploaderUsername'];
$question = $row['question'];
$correctAnswer = $row['correctAnswer'];
$answerTwo = $row['answerTwo'];
$answerThree = $row['answerThree'];
$answerFour = $row['answerFour'];
echo "<div class='individuals'><p>Question ID: $questionID</p> <p>Category: $category</p> <p>Uploader Username: $uploaderUsername</p> <p>Question: $question</p> <p>Correct Answer: $correctAnswer</p> <p>Answer 2: $answerTwo</p> <p>Answer 3: $answerThree</p> <p>Answer 4: $answerFour</p> <form action='' method='GET'><input type='submit' name='submit' value='Approve'/></form> </div> ";
if (isset($_GET["submit"])) {
// Move question to approved table
$sql = "INSERT INTO approved (category, uploaderUsername, question, correctAnswer, answerTwo, answerThree, answerFour)
VALUES ('$category', '$uploaderUsername', '$question', '$correctAnswer', '$answerTwo', '$answerThree', '$answerFour')";
// Error Handles
if ($conn->query($sql) === TRUE) {
echo "<p class='green'>Question approved.</p>";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
// Delete question from pending/usertriviadata table
$sql = "DELETE FROM usertriviadata WHERE questionID='$questionID'";
if ($conn->query($sql) === TRUE) {
echo "<p class='green'>Question removed from pending/usertriviadata database table. Please wait 5 seconds before approving another post.</p>";
echo "<meta http-equiv='refresh' content='5; URL=../triviaApproval/moderatorApproval' />";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
}
}
} else {
echo "No posts need approved here.";
}
?>
</div>```
If you want the CSS as well, it is here:
```html {
background-color: #AC6A6C;
font-family: "Trirong", serif;
color: #DEF706;
text-align: center;
}
.option-a {
text-align: center;
display: inline;
background-color: gray;
color: #DEF706;
font-size: 125%;
width: 100px;
padding: 0.5%;
text-decoration: none;
}
.option-a:hover {
cursor: pointer;
background-color: #4E4E4D;
}
.option-a:focus {
padding: 0.3%;
background-color: blue;
}
.individuals {
padding: 1%;
display: inline-block;
border: 1px solid;
}
.green {
color: green;
}
```[enter image description here][2]
2 个解决方案
解决方案1
0 2022-04-23 23:42:39
You have this, a separate form for each question pending approval:你有这个,每个待批准的问题都有一个单独的表格:
<form action='' method='GET'>
<input type='submit' name='submit' value='Approve'/>
</form>
<form action='' method='GET'>
<input type='submit' name='submit' value='Approve'/>
</form>
<form action='' method='GET'>
<input type='submit' name='submit' value='Approve'/>
</form>
But note they're all the same.但请注意,它们都是一样的。 There's no ID to indicate which form represents which question.没有 ID 来指示哪个表单代表哪个问题。 Pressing any one of these buttons is going to do the same thing.按下这些按钮中的任何一个都会做同样的事情。 In the script that handles the submit, you run this query:在处理提交的脚本中,您运行此查询:
$sql = "SELECT ... FROM usertriviadata WHERE category='geography'";
Note there's no WHERE clause to limit the select to a single question.请注意,没有 WHERE 子句将 select 限制为单个问题。 So, you're using the same query to render the question list as you are to approve.因此,您使用相同的查询来呈现您要批准的问题列表。 It seems that you're trying to use if (isset($_GET["submit"])) { inside the question loop as a condition to determine which of the questions was selected.您似乎正在尝试在问题循环内使用if (isset($_GET["submit"])) {作为确定选择了哪些问题的条件。 However, this can't work.但是,这是行不通的。 There is only one $_GET["submit"] -- there is not one per question.只有一个$_GET["submit"] -- 每个问题没有一个。 So clicking any one of the form buttons is going to copy all of the questions.因此,单击任何一个表单按钮都会复制所有问题。
You're confusing yourself by having one script do both the form rendering and the form processing.让一个脚本同时执行表单呈现和表单处理会让您感到困惑。 I'd separate those two functions for simplicity -- have one file render the list and a second file process the form submit.为了简单起见,我将这两个函数分开——让一个文件呈现列表,让第二个文件处理表单提交。 So, your form render would do something like this to include the question id in each form:因此,您的表单呈现器将执行类似这样的操作以在每个表单中包含问题 ID:
<form action='approve.php' method='POST'>
<input type='hidden' name='questionId' value='<?= $questionID =?'>
<input type='submit' name='submit' value='Approve'/>
</form>
And then, in approve.php , use $_POST['questionId'] in your WHERE clause to process the activation.然后,在approve.php中,在 WHERE 子句中使用$_POST['questionId']来处理激活。
Other recommendations:其他建议:
- Use POST for form submits, not GET.使用 POST 进行表单提交,而不是 GET。 In general, if the request results in a change to the database, it should be a POST.一般来说,如果请求导致对数据库的更改,则应该是 POST。
- If you build a form that has one checkbox per question (instead of one whole form per question) then you can allow multiple questions to be approved at once.如果您构建的表单每个问题都有一个复选框(而不是每个问题一个完整的表单),那么您可以允许一次批准多个问题。
- Fix your SQL injection now.立即修复您的 SQL 注入。 Shrugging it off to "I'll just fix it later" is a really bad habit, especially when it's no harder to just do it correctly from the start.耸耸肩说“我稍后会修复它”是一个非常糟糕的习惯,尤其是当从一开始就正确地做到这一点并不困难时。
解决方案2
0 2022-04-24 01:22:02
EDIT: No it doesn't.编辑:不,不是。 It's a step I feel in the right direction but it's still messed up.我觉得这是朝着正确方向迈出的一步,但它仍然搞砸了。 Taking a break on this issue.在这个问题上休息一下。 I'm so frustrated.我很沮丧。
Okay, so... this kind of falls under what you were saying, and I'm not sure if this is exactly what you were getting me to do, BUT, I did this and it works flawlessly.好的,所以...这属于您所说的内容,我不确定这是否正是您要我做的,但是,我做到了,而且效果完美。
<div class="categories">
<h3>Geography</h3>
<?php
$sql = "SELECT questionID, category, uploaderUsername, question, correctAnswer, answerTwo, answerThree, answerFour FROM usertriviadata WHERE category='geography'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
$questionID = $row['questionID'];
$category = $row['category'];
$uploaderUsername = $row['uploaderUsername'];
$question = $row['question'];
$correctAnswer = $row['correctAnswer'];
$answerTwo = $row['answerTwo'];
$answerThree = $row['answerThree'];
$answerFour = $row['answerFour'];
echo "<div class='individuals'><p>Question ID: $questionID</p> <p>Category: $category</p> <p>Uploader Username: $uploaderUsername</p> <p>Question: $question</p> <p>Correct Answer: $correctAnswer</p> <p>Answer 2: $answerTwo</p> <p>Answer 3: $answerThree</p> <p>Answer 4: $answerFour</p> <form action='' method='POST'><input type='hidden' name='questionId' value='<?= $questionID =?'><input type='submit' name='submit' value='Approve'/></form> </div> ";
}
} else {
echo "No posts need approved here.";
}
?>
</div>
At the bottom of the page:在页面底部:
<?php
if (isset($_POST["submit"])) {
// Move question to approved table
$sql = "INSERT INTO approved (category, uploaderUsername, question, correctAnswer, answerTwo, answerThree, answerFour)
VALUES ('$category', '$uploaderUsername', '$question', '$correctAnswer', '$answerTwo', '$answerThree', '$answerFour')";
// Error Handles
if ($conn->query($sql) === TRUE) {
echo "<p class='green'>Question approved.</p>";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
// Delete question from pending/usertriviadata table
$sql = "DELETE FROM usertriviadata WHERE questionID='$questionID'";
if ($conn->query($sql) === TRUE) {
echo "<p class='green'>Question removed from pending/usertriviadata database table. Please wait 5 seconds before approving another post.</p>";
echo "<meta http-equiv='refresh' content='5; URL=../triviaApproval/moderatorApproval' />";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
}
$conn->close();
?>
Now I'll work on SQL injection.现在我将处理 SQL 注入。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.