How do I display a record's data using the ID in the URL?
For example, www.thatsite.com/?id=1092
should display the data for ID 1092.
<?php
$connect = mysqli_connect("localhost", "xxxxxxx", "xxxx","xxxx");
$query = "SELECT `name`, `age`, `xxxxx` , `xxxxx`, `image` FROM `profiles` WHERE `id` = $id LIMIT 1";
$id=$_GET['id'];
$result = mysqli_query($connect, $query,$id);
while ($row = mysqli_fetch_array($result))
{
echo $row['name'];
echo $row['xxxx'];
echo $row['age'];
echo $row['xxxxxxx'];
echo $row['image'];
}
?>
<?php
session_start(); //It doesn't appear in your code
$connect = mysqli_connect("localhost", "xxxxxxx", "xxxx","xxxx");
$id=$_GET['id']; //You get the Id first, then you use it for the query
$query = "SELECT `name`, `age`, `xxxxx` , `xxxxx`, `image` FROM `profiles` WHERE `id` = $id LIMIT 1";
$result = mysqli_query($connect, $query); //No '$id'
while ($row = mysqli_fetch_assoc($result)) //Maybe array works too, idk
{
echo $row['name'];
echo $row['xxxx'];
echo $row['age'];
echo $row['xxxxxxx'];
echo $row['image'];
}
?>
Put the $id=$_GET['id']; line before the $query line and it will work.
Easy. First, get the id parameter from the URL; second, add this $id variable to your MySQL query.
<?php
$connect = mysqli_connect("localhost", "xxxxxxx", "xxxx","xxxx");
$id = $_GET["id"];
$query = "SELECT `name`, `age`, `xxxxx` , `xxxxx`, `image` FROM `profiles` WHERE id = '$id' LIMIT 1";
$result = mysqli_query($connect, $query);
while ($row = mysqli_fetch_array($result))
{
echo $row['name'];
echo $row['xxxx'];
echo $row['age'];
echo $row['xxxxxxx'];
echo $row['image'];
}
?>
I hope it solves your problem.
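Added example, not from any answer on this page: the query shape used in the answers above (the id pasted into the SQL text) next to a parameterized version, both run against a constructed in-memory SQLite database through PDO so it can be executed with the php CLI and no MySQL server (assumed: the pdo_sqlite extension is loaded; the table rows and the injection payload are made up here).

```php
<?php
// Added example: interpolated query vs. parameterized query.
// Uses PDO + in-memory SQLite (assumed available) instead of mysqli so it runs offline.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample data standing in for the `profiles` table.
$pdo->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');
$pdo->exec("INSERT INTO profiles VALUES (1, 'alice', 31), (1092, 'bob', 27), (2000, 'carol', 45)");

// Same shape as WHERE id = '$id' LIMIT 1 in the answer above: the request value
// becomes part of the SQL text, so the quoting is under the requester's control.
function lookupInterpolated(PDO $pdo, string $id): array
{
    $sql = "SELECT name, age FROM profiles WHERE id = '$id' LIMIT 1";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized form: the SQL text is fixed, the value is sent separately,
// so no value can change the structure of the statement.
function lookupPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT name, age FROM profiles WHERE id = ? LIMIT 1');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = '1092';
// Constructed payload: closes the quote, adds a true condition, and comments
// out the trailing "' LIMIT 1". The trailing space matters for MySQL's "-- " comment.
$payload = "1092' OR 1=1 -- ";

foreach ([$benign, $payload] as $id) {
    printf("id=%-20s interpolated=%d row(s)  prepared=%d row(s)\n",
        json_encode($id),
        count(lookupInterpolated($pdo, $id)),
        count(lookupPrepared($pdo, $id)));
}
```

For the benign id both lookups return the one matching row. For the payload the interpolated query returns every row in the table because the LIMIT 1 has been commented away, while the prepared statement compares the whole string against the id column and returns nothing; the same holds against MySQL, which is why the next answer moves to prepared statements.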
Your code is full of security vulnerabilities. It is prone to SQL injection, XSS attacks, CSRF and HTML injection.
To avoid all of these problems, I have rewritten it.
1.) SQL injection is now mitigated by using prepared statements.
2.) HTML injection is mitigated by using intval for integer variables and strip_tags for strings. You can read more about data validation and sanitization in PHP to see the other available options.
3.) XSS attacks are mitigated with htmlentities(). You can also use htmlspecialchars(). Read more about all of these.
See the more secure code below.
<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "ur dbname";
// Create connection
$connect = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($connect->connect_error) {
die("Connection failed: " . $connect->connect_error);
}
// ensure that the Id is integer using intval
$id = intval($_GET["id"]);
// if id is a string. you can strip all html elements using strip_tags
//$id = strip_tags($_GET["id"]);
//Avoid sql injection using prepared statement
// prepare and bind
$stmt = $connect->prepare("SELECT name, age , xxxxx, image FROM profiles WHERE id = ? LIMIT 1");
// id is integer or number use i parameter
$stmt->bind_param("i", $id);
// if id is a string, use the s type instead
//$stmt->bind_param("s", $id);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result($name, $age, $xxxxx, $image);
while ($stmt->fetch()) {
// ensure that xss attack is not possible using htmlentities
echo "your Name: " . htmlentities($name) . "<br>";
echo "your age: " . htmlentities($age) . "<br>";
echo "your xxxxx: " . htmlentities($xxxxx) . "<br>";
echo "your image name: " . htmlentities($image) . "<br>";
}
$stmt->close();
$connect->close();
?>
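Added example, not the answerer's code: a complete handler for ?id=N on the same `profiles` table and mysqli API as the answer above, going one step further in three places: the id is validated rather than coerced (intval('abc') is 0 and intval('12abc') is 12, so bad input silently becomes a lookup), mysqli is put in exception mode so a failed prepare cannot be fetched from, and output is encoded for the HTML context it lands in. Assumed: the columns name, age and image; that `image` holds a bare file name served from /img/; placeholder credentials; and the mysqlnd driver, which get_result() requires.

```php
<?php
// Added example: hardened request handler for /?id=N (assumptions noted in comments).
declare(strict_types=1);

// Throw on mysqli errors instead of returning false (default since PHP 8.1, explicit here).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. Validate, don't coerce: anything that is not a whole number >= 1 is rejected.
function readProfileId(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

// 2. Fixed SQL text, value bound separately; returns the row or null when absent.
function fetchProfile(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT name, age, image FROM profiles WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd (assumed)
    $stmt->close();
    return $row ?: null;
}

// 3. Encode for HTML. ENT_QUOTES also escapes the single quote, so the same
//    helper is safe inside quoted attribute values, not only in text nodes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderProfile(array $row): string
{
    // Assumed layout: `image` is a bare file name under /img/. basename() drops any
    // path components stored in the DB; rawurlencode() handles the URL context.
    $imgName = basename($row['image']);
    return '<p>Name: ' . h($row['name']) . '</p>'
         . '<p>Age: '  . h((string) $row['age']) . '</p>'
         . '<img src="/img/' . rawurlencode($imgName) . '" alt="' . h($row['name']) . '">';
}

$id = readProfileId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Bad request: id must be a positive integer');
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');   // placeholder credentials
$db->set_charset('utf8mb4');   // connection charset must match the one the encoder assumes

$row = fetchProfile($db, $id);
$db->close();

if ($row === null) {
    http_response_code(404);
    exit('No such profile');
}

header('Content-Type: text/html; charset=UTF-8');
echo renderProfile($row);
```

Two points worth keeping from this even if the rest is adapted: the prepared statement, not intval or strip_tags, is what stops SQL injection (strip_tags changes nothing about SQL quoting), and the id check should return 400 rather than quietly querying id 0.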