
如何让下面的代码只在密码（PIN）与 '1996' 匹配时才向数据库提交条目？我试着查过这个问题，但没有找到任何资料。下面的代码还配有一个 display.php 文件，其中包含数据库的详细信息，并且那里也有正确的 PIN 代码。我只是不知道如何编写这部分代码，使其在提交详细信息之前确认 PIN 是正确的，并且在 PIN 不正确时显示一条错误消息。 —— SQL 数据库密码保护提交

<?php 

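/**
 * Minimal CMS backed by one MySQL table (sianDB4).
 *
 * Entries are added through write(), which refuses to touch the database
 * unless the posted PIN matches $pin. The class still uses the legacy
 * mysql_* extension the original was written against; that extension was
 * removed in PHP 7, so port connect()/write()/display_public() to PDO or
 * mysqli before running this on a current PHP.
 */
class simpleCMS {

    /** @var string MySQL host name. */
    public $host;
    /** @var string MySQL user name. */
    public $username;
    /** @var string MySQL password. */
    public $password;
    /** @var string Database selected after connecting. */
    public $db;
    /** @var string|int|null PIN that write() requires; unset (null) disables writes entirely. */
    public $pin;
    /** @var string Why the last write() returned false; empty after a successful write. */
    public $lastError = '';

    /**
     * HTML-escape a value for use in element content or an attribute.
     *
     * @param mixed $value
     * @return string
     */
    private function esc($value) {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    /**
     * Read a POST field as a string; missing or non-string (array) values become ''.
     *
     * @param string $key
     * @return string
     */
    private function postString($key) {
        return (isset($_POST[$key]) && is_string($_POST[$key])) ? $_POST[$key] : '';
    }

    /**
     * Render the four newest entries followed by the "Add a New Entry" link.
     *
     * Entry fields were typed by users, so each is escaped before being
     * placed in the page; PHP_SELF is escaped too because it echoes part
     * of the request URL.
     *
     * @return string HTML fragment
     */
    public function display_public() {
        $r = mysql_query("SELECT * FROM sianDB4 ORDER BY created DESC LIMIT 4");
        $entry_display = '';

        if ($r !== false && mysql_num_rows($r) > 0) {
            while ($a = mysql_fetch_assoc($r)) {
                $entry_display .= "<div class=\"post\">\n"
                    . "<h2>\n" . $this->esc($a['title']) . "\n</h2>\n"
                    . "<h3>\n" . $this->esc($a['bodytext']) . "\n</h3>\n"
                    . "<p>\n" . $this->esc($a['author']) . "\n</p>\n"
                    . "</div>\n";
            }
        } else {
            $entry_display = "\n<h2> This Page Is Under Construction </h2>\n"
                . "<p>\n"
                . " No entries have been made on this page.\n"
                . " Please check back soon, or click the\n"
                . " link below to add an entry!\n"
                . "</p>\n\n";
        }

        $self = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
        $entry_display .= "\n<p class=\"admin_link\">\n"
            . " <a href=\"" . $this->esc($self) . "?admin=1\">Add a New Entry</a>\n"
            . "</p>\n\n";

        return $entry_display;
    }

    /**
     * Render the entry form, including the PIN field that write() checks.
     *
     * @return string HTML form posting back to the current script
     */
    public function display_admin() {
        $self = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
        $action = $this->esc($self);

        return "\n<form action=\"{$action}\" method=\"post\">\n\n"
            . "<label for=\"title\">Title:</label><br />\n"
            . "<input name=\"title\" id=\"title\" type=\"text\" maxlength=\"150\" />\n"
            . "<div class=\"clear\"></div>\n\n"
            . "<label for=\"bodytext\">Body Text:</label><br />\n"
            . "<textarea name=\"bodytext\" id=\"bodytext\"></textarea>\n"
            . "<div class=\"clear\"></div>\n\n"
            . "<label for=\"author\">Author:</label><br />\n"
            . "<textarea name=\"author\" id=\"author\"></textarea>\n"
            . "<div class=\"clear\"></div>\n\n"
            . "<label for=\"pin\">Pin:</label><br />\n"
            . "<input name=\"pin\" id=\"pin\" type=\"password\" maxlength=\"4\" />\n"
            . "<div class=\"clear\"></div>\n\n"
            . "<input type=\"submit\" value=\"Create This Entry!\" />\n"
            . "</form>\n\n";
    }

    /**
     * Insert the posted entry, but only when the posted PIN matches $pin.
     *
     * The PIN is checked first, so a wrong PIN never reaches the database.
     * mysql_real_escape_string() needs an open connection, so connect()
     * must have been called before this. Note there is no lockout or rate
     * limit on PIN attempts; a 4-digit PIN is weak protection on its own.
     *
     * @param mixed $p unused; kept so callers that pass an argument keep working
     * @return bool false when the PIN is wrong, a field is empty, or the INSERT
     *              fails — $lastError says which; true on success
     */
    public function write($p = null) {
        $this->lastError = '';

        // Constant-time comparison against the configured PIN; with no PIN
        // configured nobody can write.
        $posted = $this->postString('pin');
        if ($this->pin === null || !hash_equals((string) $this->pin, $posted)) {
            $this->lastError = 'Incorrect PIN.';
            return false;
        }

        $title    = $this->postString('title');
        $bodytext = $this->postString('bodytext');
        $author   = $this->postString('author');
        if ($title === '' || $bodytext === '' || $author === '') {
            $this->lastError = 'Title, body text and author are all required.';
            return false;
        }

        // Column list spelled out so the INSERT does not depend on column order.
        $sql = sprintf(
            "INSERT INTO sianDB4 (title, bodytext, author, created) VALUES ('%s', '%s', '%s', '%s')",
            mysql_real_escape_string($title),
            mysql_real_escape_string($bodytext),
            mysql_real_escape_string($author),
            (string) time()
        );
        if (mysql_query($sql) === false) {
            $this->lastError = 'Database error: ' . mysql_error();
            return false;
        }
        return true;
    }

    /**
     * Open the MySQL connection, select the database and make sure the table exists.
     *
     * @return bool result of the CREATE TABLE IF NOT EXISTS query
     * @throws RuntimeException when connecting or selecting the database fails
     */
    public function connect() {
        // mysql_connect()'s fourth argument is the new_link flag, not a PIN;
        // the PIN belongs to write(), never to the connection.
        $link = mysql_connect($this->host, $this->username, $this->password);
        if ($link === false) {
            throw new RuntimeException("Could not connect. " . mysql_error());
        }
        if (!mysql_select_db($this->db, $link)) {
            throw new RuntimeException("Could not select database. " . mysql_error());
        }

        return $this->buildDB();
    }

    /**
     * Create the sianDB4 table if it does not exist yet.
     *
     * @return bool mysql_query() result
     */
    private function buildDB() {
        $sql = "CREATE TABLE IF NOT EXISTS sianDB4 (\n"
            . "title  VARCHAR(150),\n"
            . "bodytext TEXT,\n"
            . "author TEXT,\n"
            . "created  VARCHAR(100)\n"
            . ")";

        return mysql_query($sql);
    }

}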

    ?> 

请[停止使用 `mysql_*` 函数](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php)。[这些扩展](http://php.net/manual/en/migration70.removed-exts-sapis.php)已在 PHP 7 中移除。了解[预处理语句](http://en.wikipedia.org/wiki/Prepared_statement)（[PDO](http://php.net/manual/en/pdo.prepared-statements.php) 和 [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php)），并考虑使用 PDO，[这真的很简单](http://jayblanchard.net/demystifying_php_pdo.html)。 –

回答


正如 @Jay 指出的，已经不再推荐使用 mysql_* 系列函数，所以希望你可以使用下面这段改用 mysqli 的代码。

我不知道你是如何使用该类或向用户展示它的，但你无疑会做出必要的更改。

<?php 
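    /**
     * Minimal mysqli-backed CMS.
     *
     * display_public() lists the newest entries and appends the admin form;
     * display_admin() renders that form when ?admin=1 is present and, on POST,
     * hands the submission to write(), which inserts only when the posted PIN
     * matches the one given to the constructor. There is no lockout or rate
     * limit on PIN attempts, so a 4-digit PIN alone is weak protection for a
     * page reachable by anyone.
     */
    class simplecms{
        /*
         Pass in the dbconn as a parameter to this class's constructor
        */
        /** @var dbconn|null */
        private $db;
        /** @var string|null PIN required by write(); null means writes are disabled. */
        private $pin;


        /**
         * @param dbconn|null     $db  connection wrapper
         * @param string|int|bool $pin expected PIN; false or null disables writes
         */
        public function __construct(dbconn $db=null, $pin=false){
            $this->db = $db;
            // Kept as a string: intval() would turn '0123' into 123 and false into 0,
            // so a PIN with leading zeros (or no PIN at all) could be matched by the wrong input.
            $this->pin = ($pin === false || $pin === null) ? null : (string) $pin;
        }


        /**
         * Read a string entry from a request array; missing or non-string values become ''.
         *
         * @param array  $source one of the superglobals
         * @param string $key
         * @return string
         */
        private function stringFrom(array $source, $key){
            return (isset($source[$key]) && is_string($source[$key])) ? $source[$key] : '';
        }


        /**
         * HTML-escape a value for element content or an attribute.
         *
         * @param mixed $value
         * @return string
         */
        private function esc($value){
            return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }


        /**
         * Print the four newest entries, the admin link and the admin form.
         *
         * Entries are stored as the user typed them, so every field is escaped
         * here, at output time.
         *
         * @return void
         */
        public function display_public() {
            $sql = 'select * from `siandb4` order by `created` desc limit 4';

            $res = $this->db->query($sql);

            /* collect fragments and join once at the end */
            $html = array();

            // An empty result set is still a truthy mysqli_result, so num_rows has to be
            // checked as well or the "under construction" text would never show on an empty table.
            if ($res && $res->num_rows > 0) {
                while ($rs = $res->fetch_object()) {
                    $html[] = "
                    <div class='post'>
                     <h2>" . $this->esc($rs->title) . "</h2>
                     <h3>" . $this->esc($rs->bodytext) . "</h3>
                     <p>" . $this->esc($rs->author) . "</p>
                    </div>";
                }
            } else {
                $html[] = "
                <h2>This Page Is Under Construction</h2>
                <p>No entries have been made on this page. Please check back soon, or click the link below to add an entry!</p>";
            }

            /* ?admin=1 only reveals the form; the PIN check in write() is what guards the insert */
            $script = $this->esc($this->stringFrom($_SERVER, 'SCRIPT_NAME'));
            $html[] = "
            <p class='admin_link'>
             <a href='{$script}?admin=1'>Add a New Entry</a>
            </p>";

            /* Add the admin form */
            $html[] = $this->display_admin();

            echo implode(PHP_EOL, $html);
        }



        /**
         * Handle a POSTed entry (via write()) and render the admin form when ?admin=1 is set.
         *
         * @return string the form, or '' when the admin flag is absent
         */
        public function display_admin() {
            $message = '';

            /* Any POST is an attempt to add a record; write() enforces the PIN */
            if ($this->stringFrom($_SERVER, 'REQUEST_METHOD') === 'POST') {
                $message = $this->write()
                    ? 'Database has been updated'
                    : 'Sorry, unable to add that record - check your PIN is correct';
            }

            $admin = intval($this->stringFrom($_GET, 'admin')) !== 0;
            if (!$admin) {
                return '';
            }

            return "
            <style>
             form#admin, form#admin *{display:block;box-sizing:content-box!important;}
             form#admin{ width:50%;display:block;clear:both;float:none;margin:0 auto;}
             form#admin label{width:100%;clear:both;float:none;margin:0.5rem auto 3rem auto;padding:0.25rem;}
             form#admin label input, form#admin textarea{float:right;width:60%;padding:1rem;}
             form#admin span{color:red;}
            </style>

            <form id='admin' method='post'>
              <label for='title'>Title:<input name='title' id='title' type='text' maxlength='150' /></label>
              <label for='bodytext'>Body Text:<textarea name='bodytext' id='bodytext'></textarea></label>
              <label for='author'>Author:<textarea name='author' id='author'></textarea></label>
              <label for='pin'>Pin:<input name='pin' id='pin' type='password' maxlength='4' /></label>
              <input type='submit' value='Create This Entry!' />
              <span>" . $this->esc($message) . "</span>
            </form>";
        }




        /**
         * Insert the posted entry when the posted PIN matches the configured one.
         *
         * Fields are stored as submitted (FILTER_SANITIZE_STRING is deprecated as
         * of PHP 8.1) and escaped when displayed; the prepared statement keeps
         * them out of the SQL text.
         *
         * @return bool true when the row was inserted; false on a wrong PIN, an
         *              empty field, a missing connection or a failed statement
         */
        public function write(){
            $pin      = $this->stringFrom($_POST, 'pin');
            $title    = $this->stringFrom($_POST, 'title');
            $bodytext = $this->stringFrom($_POST, 'bodytext');
            $author   = $this->stringFrom($_POST, 'author');

            // Constant-time comparison; with no configured PIN nothing can be written.
            if ($this->pin === null || !hash_equals($this->pin, $pin)) {
                return false;
            }
            if ($title === '' || $bodytext === '' || $author === '') {
                return false;
            }
            if ($this->db === null) {
                return false;
            }

            /* ? not sure you really want to run this each and every time but... */
            $this->buildtbl();

            /* Prepare the sql and execute - return status */
            $sql = 'insert into `siandb4` set `title`=?, `bodytext`=?, `author`=?;';
            $stmt = $this->db->prepare($sql);
            if ($stmt === false) {
                // prepare() returns false on a bad statement; bind_param() on false would be fatal
                return false;
            }
            $stmt->bind_param('sss', $title, $bodytext, $author);

            return $stmt->execute();
        }


        /**
         * Create the entries table if needed.
         *
         * The name is spelled `siandb4` everywhere in this class; the original
         * mixed `sianDB4` and `siandb4`, which are different tables on a
         * case-sensitive MySQL installation.
         *
         * @return void
         */
        private function buildtbl(){
            $sql = 'create table if not exists `siandb4` (
                `id` int(10) unsigned not null auto_increment,
                `title` varchar(150) null default null,
                `bodytext` text null,
                `author` text null,
                `created` timestamp null default current_timestamp,
                primary key (`id`)
            )engine=innodb;';
            $this->db->query($sql);
        }

    }//end class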











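    /**
     * Thin wrapper around a single mysqli connection.
     */
    class dbconn{
        /* Simple mysqli db connection */
        /** @var mysqli */
        private $conn;

        /**
         * Open the connection, failing loudly instead of handing out a broken handle.
         *
         * @param string $dbhost
         * @param string $dbuser
         * @param string $dbpwd
         * @param string $dbname
         * @throws RuntimeException when mysqli reports a connection error
         */
        public function __construct($dbhost, $dbuser, $dbpwd, $dbname){
            $this->conn = new mysqli($dbhost, $dbuser, $dbpwd, $dbname);
            // Current PHP throws mysqli_sql_exception on a failed connect; older versions
            // only set connect_error, so check it rather than continue with a dead handle.
            if ($this->conn->connect_error) {
                throw new RuntimeException('Database connection failed: ' . $this->conn->connect_error);
            }
        }

        /**
         * Run a plain query; use prepare() whenever the SQL contains request data.
         *
         * @param string $sql
         * @return mysqli_result|bool
         */
        public function query($sql){
            return $this->conn->query($sql);
        }

        /**
         * Prepare a statement for parameter binding.
         *
         * @param string $sql
         * @return mysqli_stmt|false
         */
        public function prepare($sql){
            return $this->conn->prepare($sql);
        }
    }//end class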
?> 

<html> 
    <head> 
     <title>Simple CMS - Hello Kitty Example!</title> 
     <style> 
      h2,h3{font-size:1rem;} 
      div.post{font-size:0.85rem;border-bottom:1px dotted gray;margin:0 auto 3rem auto;} 
     </style> 
    </head> 
    <body> 
     <h1>Simple CMS - Hello Kitty Example!</h1> 
     <?php 

      // Connection settings: replace the placeholders, and prefer loading them from a
      // config file outside the web root over keeping them inline in the page.
      $dbhost = 'localhost';
      $dbuser = 'root';
      $dbpwd = 'xxxxxx';
      $dbname = 'xxxxxx';

      // The second constructor argument is the PIN that write() demands before inserting.
      $db = new dbconn($dbhost, $dbuser, $dbpwd, $dbname);
      $cms = new simplecms($db, 1996);

      $cms->display_public();

      // Drop both references once the page has been rendered.
      $cms = null;
      $db = null;

     ?> 
    </body> 
</html>