据我所知,我可以使用POST方法的URL参数来显示数据根据特定的变量,我知道如何使用GET方法 - 但我被告知, POST方法可以用来隐藏像这样的URL部分。使用POST方法来隐藏URL参数
/data.php?parameter=1234
这两种方法在URL参数方面的实际区别是什么?
下面是一些代码,根据特定的链接
<?php
//This includes the variables, adjusted within the 'config.php file' and the functions from the 'functions.php' - the config variables are adjusted prior to anything else.
require('configs/config.php');
require('configs/functions.php');
//This is the actual interaction with the database, according to the id.
$query = mysql_query("SELECT * FROM table WHERE id=" .$_GET['id'] . ";") or die("An error has occurred");
//This re-directs to an error page the user preventing them from viewing the page if there are no rows with data equal to the query.
if(mysql_num_rows($query) < 1)
{
header('Location: 404.php');
exit;
}
//Here each cell in the database is fetched and assigned a variable.
while($row = mysql_fetch_array($query))
{
$id = $row['id'];
$title = $row['title'];
$month = $row['month'];
$day = $row['day'];
$photo = $row['photo'];
$text = $row['text'];
}
?>
的ID在一个单独的页面我根据像这样的ID生成链接到data.php文件从数据库中提取数据:
<a href="post.php?id=<?php echo $content['id']; ?>"><?php echo $content['title']; ?></a>
忘记,有可以通过上面的代码中出现潜在的SQL注入,我将如何去利用POST方法,以隐藏URL参数,或者至少不会像这样显示出来:
http://example.com/data.php?id=1
一个小侧面说明'''的mysql_query(只是增加POST到窗体中被移除的参数 “SELECT * FROM表WHERE ID =”。$ _ GET [ '身份证'] “;”)'''很容易受到SQL注入的影响,所以如果你把它放在线上并且你的数据库包含重要的数据,那么请小心。 – Mason