
Update Personal Details PHP Script

I have a page that displays a user's current personal information and a handler that cycles through the form elements, filtering them through to the relevant mysql query. There are two tables, one that contains the master data, e.g. username, email, password hash, and one that has address data. However, the script doesn't work and I can't see why. I've been over it a lot. It's quite long, I'm afraid, but it's all pertinent to understanding the logic. Here it is...

    if(!$_POST) {
        //come directly via address bar
        header("Location: index.hmtl");
        exit;
    }

    //loop through all the post variables
    foreach ($_POST as $k => $v) {

        if(eregi("confirm",$k) || eregi("old",$k)) {
            //the field in question is a duplicate one or there for authentication purposes and shouldn't be added to a table
            continue;
        }

        if($k == "address" || $k == "town" || $k == "city" || $k == "postcode") {

            //use aromaAddress table
            $v = trim(htmlspecialchars(check_chars_mailto(mysqli_real_escape_string($mysqli,$v))));

            if(empty($v)) {
                //the field is empty...do nothing
                continue;
            }

            //create query
            $update_sql = "UPDATE aromaAddress SET ".$k." = '".$v."' WHERE userid = '".$_SESSION["userid"]."'";
            $update_res = mysqli_query($mysqli, $update_sql) or die(mysqli_error($mysqli));

            //add to session for the sake of having the form fields filled in next time
            $_SESSION["$k"] = $v;
            session_write_close();

        } else {
            //sanitize them
            $v = trim(htmlspecialchars(mysqli_real_escape_string($mysqli,check_chars_mailto($v))));

            if(empty($v)) {
                continue;
            }

            if(eregi("email",$k)) {

                if($_POST["email"] != $_POST["confirmEmail"]) {
                    header("Location: account_management.php5?error=ef");
                    exit();
                }

                $_SESSION["$k"] = $v;
                session_write_close();

                //if email address/username being changed, check for pre-existing account with new address/username
                $check_sql = "SELECT id FROM aromaMaster WHERE email='".$v."'";
                $check_res = mysqli_query($mysqli, $check_sql) or die(mysqli_error($mysqli));

                if(mysqli_num_rows($check_res) >= 1) {
                    //duplicate entry
                    mysqli_free_result($check_res);
                    header("Location: account_management.php5?error=email");
                    exit;
                }

            } else if(eregi("username",$k)) {

                if($_POST["username"] != $_POST["confirmUsername"]) {
                    header("Location: account_management.php5?error=ef");
                    exit();
                }

                $v = trim(htmlspecialchars(mysqli_real_escape_string($mysqli,check_chars_mailto($v))));

                //check for pre-existing account with same username
                $check_sql = "SELECT id FROM aromaMaster WHERE username='".$v."'";
                $check_res = mysqli_query($mysqli, $check_sql) or die(mysqli_error($mysqli));

                if(mysqli_num_rows($check_res) >=1 ) {
                    //duplicate entry
                    mysqli_free_result($check_res);
                    header("Location: account_management.php5?error=username");
                    exit;
                }

            } else if(eregi("newPassword",$k)) {

                if(($_POST["newPassword"] != $_POST["confirmNewUsername"]) || ($_POST["oldPassword"] != $_POST["confirmOldPassword"])) {
                    header("Location: account_management.php5?error=ef");
                    exit();
                }

                $v = trim(htmlspecialchars(mysqli_real_escape_string($mysqli,check_chars_mailto($v))));

                //check for pre-existing account with same username
                $check_sql = "SELECT id FROM aromaMaster WHERE id='".$_SESSION["userid"]."'";
                $check_res = mysqli_query($mysqli, $check_sql) or die(mysqli_error($mysqli));

                if(mysqli_num_rows($check_res) >=1 ) {
                    //duplicate entry
                    mysqli_free_result($check_res);
                    header("Location: account_management.php5?error=username");
                    exit;
                }

            } else {

                $v = trim(htmlspecialchars(check_chars_mailto(mysqli_real_escape_string($mysqli,$v))));

                //create query
                $update_sql = "UPDATE aromaMaster SET ".$k." = '".$v."' WHERE id = '".$_SESSION["userid"]."'";
                $update_res = mysqli_query($mysqli, $update_sql) or die(mysqli_error($mysqli));

                $_SESSION["$k"] = $v;
                session_write_close();
                header("Location: account_management.php5?res=suc");
                exit();
            }
        }
    }
    mysqli_close($mysqli);

What exactly is not working? It's hard to guess…

You shouldn't be using eregi to check for a substring: 1) it's deprecated; 2) use stripos instead.

Edit:

Your code screams SQL injection!

What data gets submitted (i.e. what's in $_POST)?

Your foreach($_POST as $k => $v) loop is wrapped right around the whole chunk of code, so if you're submitting anything other than username and email address, you've got no guarantee you'll be updating the db before redirecting to the res=suc URL.

Others have mentioned SQL injection possibilities. It looks like you're escaping $v properly, but you've done nothing to protect against people stuffing shit in $k.

Finally, your res=suc is a default option, i.e. your success criteria and redirection occur for ANY value of $k not explicitly coded and handled earlier in the code.
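The three points raised in the answers above (eregi is deprecated, $k goes into the SQL text unescaped, and res=suc is the fall-through default) in working code, as an added example that is not part of the question or of any answer. It first shows what the original string concatenation does with a hostile form field name, then a hardened handler for the same form. It assumes PHP 7.1+, a mysqli connection in $mysqli, $_SESSION["userid"] set by the login code, and the tables and field names from the question; the column name "password" used in the injection demonstration, and the "none" result value in the usage comment, are assumptions. Password changes are left out, since they need the old password verified against the stored hash, which the question does not show.

```php
<?php
// Added example, not the asker's code or any answer's: the key injection the
// answers point out, then a hardened handler for the same form.
// Assumes PHP 7.1+, a mysqli connection in $mysqli, $_SESSION["userid"] set by
// the login code, and the tables from the question: aromaMaster(id, username,
// email, ...) and aromaAddress(userid, address, town, city, postcode).

// --- 1. Why $k matters: the original concatenation, value escaped, key not ---
function buildOriginalUpdate(string $k, string $v, int $userid): string {
    return "UPDATE aromaMaster SET " . $k . " = '" . $v . "' WHERE id = '" . $userid . "'";
}

// A form whose *field name* is this string reaches the final else branch of the
// original loop (it contains none of confirm/old/email/username/newPassword).
// PHP rewrites spaces and dots in $_POST keys to underscores, so the payload
// uses /**/ as whitespace and # to comment out the rest of the statement.
// "password" is an assumed name for the hash column mentioned in the question.
const HOSTILE_KEY = "password/**/=/**/'x'/**/WHERE/**/1=1#";
// buildOriginalUpdate(HOSTILE_KEY, 'anything', 42) gives
//   UPDATE aromaMaster SET password/**/=/**/'x'/**/WHERE/**/1=1# = 'anything' WHERE id = '42'
// which MySQL runs as UPDATE aromaMaster SET password = 'x' WHERE 1=1, i.e. it
// overwrites every row. mysqli_real_escape_string on $v does nothing for $k.

// --- 2. Hardened handler ---
// Every accepted field maps to a fixed table and column, so request data never
// becomes SQL text; values are bound as parameters.
const FIELD_MAP = [
    'username' => ['aromaMaster',  'username', 'id'],
    'email'    => ['aromaMaster',  'email',    'id'],
    'address'  => ['aromaAddress', 'address',  'userid'],
    'town'     => ['aromaAddress', 'town',     'userid'],
    'city'     => ['aromaAddress', 'city',     'userid'],
    'postcode' => ['aromaAddress', 'postcode', 'userid'],
];

// Returns the number of rows actually changed; throws on a validation failure
// so the caller decides which error= redirect to send.
function updateProfile(mysqli $db, int $userid, array $post): int {
    $changed = 0;
    foreach ($post as $k => $v) {
        // stripos replaces the deprecated eregi for the "skip confirm*/old*" rule
        if (stripos($k, 'confirm') !== false || stripos($k, 'old') !== false) {
            continue;
        }
        if (!isset(FIELD_MAP[$k])) {
            continue;           // unknown field names are ignored, never used as SQL
        }
        $v = trim((string) $v); // no htmlspecialchars here: escape for HTML on output
        if ($v === '') {
            continue;
        }
        [$table, $column, $idColumn] = FIELD_MAP[$k];

        if ($k === 'username' || $k === 'email') {
            // confirmUsername / confirmEmail, the field names from the question
            $confirm = trim((string) ($post['confirm' . ucfirst($k)] ?? ''));
            if ($confirm !== $v) {
                throw new RuntimeException('ef');        // mismatch with confirm field
            }
            // Duplicate check, excluding the caller's own row so an unchanged
            // value is not rejected. A UNIQUE index on the column is still the
            // only race-free guarantee.
            $chk = $db->prepare("SELECT id FROM aromaMaster WHERE {$column} = ? AND id <> ?");
            $chk->bind_param('si', $v, $userid);
            $chk->execute();
            $chk->store_result();
            $taken = $chk->num_rows > 0;
            $chk->close();
            if ($taken) {
                throw new RuntimeException($k);          // error=username / error=email
            }
        }

        $stmt = $db->prepare("UPDATE {$table} SET {$column} = ? WHERE {$idColumn} = ?");
        $stmt->bind_param('si', $v, $userid);
        $stmt->execute();
        $changed += $stmt->affected_rows;
        $stmt->close();
        $_SESSION[$k] = $v;     // refill the form next time, as the original does
    }
    return $changed;
}

// Usage in the handler: redirect with res=suc only after the whole loop, and
// only when something was written, instead of from inside the first matching
// branch. The 'none' result value is an assumed name.
// try {
//     $n = updateProfile($mysqli, (int) $_SESSION['userid'], $_POST);
//     header('Location: account_management.php5?res=' . ($n > 0 ? 'suc' : 'none'));
// } catch (RuntimeException $e) {
//     header('Location: account_management.php5?error=' . $e->getMessage());
// }
// exit;
```

The allow-list is the essential part: once $k can only select an entry of FIELD_MAP, the table and column names in the query are constants and the only request-controlled data is bound through bind_param, so neither the key injection shown in part 1 nor a quote in $v can change the statement. Keeping the redirect after the loop also means a request carrying only unknown field names ends in res=none rather than a false success.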

Declaration: the technical posts on this site follow the CC BY-SA 4.0 licence; if you repost, please credit this site or the original source. Questions: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM