在我的网站上,我想转到特定页面(例如:Challenge.php?challenge_id = 4)。该数字来自具有功能的数据库,当我登录时,我想使用以下内容转到该页面:
header("Location: challenge.php?challenge_id=" . $current_cid . "" );
但是问题在于他没有在网址中输入数字吗?
$current_cid =我正在使用以下函数检索此数字: getUserInfoByEmail1();
D B:
if(!empty($_POST["btnSignin"]))
{
try
{
$user = new User();
$user->Email = $_POST["email"];
$user->Password = $_POST["password"];
$u_email = $user->getUserInfoByEmail1($user->Email);
$current_cid = $u_email['current_challenge_id'];
var_dump($current_cid);
$user->Login($current_cid);
}
catch(Exception $e)
{
$feedback = $e->getMessage();
}
}
public function getUserInfoByEmail1($email)
{
$db = new Db();
$select = "SELECT * FROM tblusers WHERE email = '" . $_SESSION["email"] . "';";
$result = $db->conn->query($select);
return $data=mysqli_fetch_assoc($result);
}
public function Login($current_cid)
{
$salt = "ab4p73wo5n3ig247xb1w9r";
$db = new Db();
$select = "SELECT * FROM tblusers WHERE email = '" . $db->conn->real_escape_string($this->Email) .
"' AND password = '" . $db->conn->real_escape_string(md5($this->Password . $salt)) . "';";
$result = $db->conn->query($select);
if($result->num_rows == 1)
{
// logged in, naam session ophalen en je schermt springt door naar challenge.php
session_start();
$_SESSION["loggedin"] = true;
$_SESSION["name"] = $this->Name;
$_SESSION["surname"] = $this->Surname;
$_SESSION["email"] = $this->Email;
var_dump($current_cid);
header("Location: challenge.php?challenge_id=" . $current_cid . "" );
//header("Location: challenge.php?challenge_id=1" );
}
else
{
throw new Exception("Please enter correct username and password");
}
}
您应该更改功能:
public function getUserInfoByEmail1($email)
{
$db = new Db();
$select = "SELECT * FROM tblusers WHERE email = '" . $_SESSION["email"] . "';";
$result = $db->conn->query($select);
return $data=mysqli_fetch_assoc($result);
}
进入:
public function getUserInfoByEmail1($email)
{
$db = new Db();
$select = "SELECT * FROM tblusers WHERE email = '" . $email . "';";
$result = $db->conn->query($select);
return mysqli_fetch_assoc($result);
}
而不是使用函数参数($ email),而是使用$ _SESSION ['email']
您还应该添加mysqli_real_escape_string来防止SQL注入。您还应该考虑为什么将数据库对象与mysqli_fetch_assoc混合使用。您可能应该使用Db方法或mysqli函数,现在将它们混合在一起并不是对应用程序进行编码的最佳方法
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句