dongtang1909 2013-10-06 21:04
Views: 31
Accepted

Best way to show users their own photos

Okay, so I was wondering what is the best way to show a user their own photo, and if my way is safe or what I should change.

url:

http://localhost/project/everyone/myphoto.php?num=2

PHP code:

$user_id = $_SESSION['user_id'];

if (isset($_GET['num'])) {
    $num = $_GET['num'];

    // Ownership check: $num and $user_id are interpolated straight into the SQL string here.
    if ($stmt = $dbconn->prepare("SELECT 1 FROM t_photos WHERE id ='$num' AND user_id ='$user_id' LIMIT 1")) {
        $stmt->execute();
        $stmt->store_result();

        $rows = $stmt->num_rows;
        if ($rows === 1) {
            // Second query: fetch the photo row by id only.
            $stmt = $dbconn->prepare("SELECT url,uploaddate FROM t_photos WHERE id = ?");
            $stmt->bind_param('i', $num); // Bind $num to the parameter.
            $stmt->execute(); // Execute the prepared query.
            $stmt->store_result();
            $stmt->bind_result($photopath, $uploadtime); // Get variables from the result.
            $stmt->fetch();
        } else {
            $error2 = "Error 2";
            require 'notfound.php';
            die();
        }
    }
}

HTML & PHP code:

<div id="pathwrap">
    <div class="photowrap">
        <?php if (isset($photopath)) {
            echo '<img src="' . $photopath . '">';
        } ?>
    </div>
</div>

1 answer

  • douqi0090 2013-10-07 00:23

    This is how I would do it with PDO and Exception style:

    // $dbh (a PDO connection) is passed in, because a global variable is not visible inside a function.
    function requestCurrentUserPhoto(PDO $dbh){
        if( !isset($_GET['num']) ){
            throw new Exception('Bad request. The generated link is missing the GET parameter num.');
        }
        if( !isset($_SESSION['user_id']) ){
            throw new Exception('Bad request. The generated link linked to a guest.');
        }
        // One parameterised query does both the ownership check and the fetch.
        $sth = $dbh->prepare('SELECT url,uploaddate FROM t_photos WHERE id = :id AND user_id = :user_id LIMIT 1');
        $sth->execute(array(
            ':id' => (int) $_GET['num'],
            ':user_id' => (int) $_SESSION['user_id']
        ));
        $result = $sth->fetch(PDO::FETCH_ASSOC);
        if( $result === false ){
            throw new Exception('Bad request. The generated link linked to a nonexistent photo or an unauthorized user.');
        }
        //optional...
        if( empty($result['url']) || empty($result['uploaddate']) ){
            throw new Exception('Bad database table row. There is an invalid photo row in t_photos');
        }
        return $result;
    }


    This code should be safe. And it should also check if the code that is related got any errors.

    This answer was accepted by the asker as the best answer.
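As an added, stand-alone example (not code from the question or the answer above), the following PHP script shows the two points raised on this page together: the ownership check and the fetch done in one parameterised PDO query, and the stored path escaped before it is placed in the `img` `src` attribute (which the question's HTML snippet does not do). It uses an in-memory SQLite database via PDO so it runs without a server; the table `t_photos` with columns `id`, `user_id`, `url`, `uploaddate` follows the question, while the function names `openDemoDb`, `fetchOwnPhoto`, `renderPhoto` and the sample rows are assumptions constructed for this example.

```php
<?php
// Added example, not the question's or the answer's code. Requires PHP 7.1+ with pdo_sqlite.

// Builds an in-memory database with constructed sample rows:
// photos 1 and 2 belong to user 7, photo 3 belongs to user 8.
function openDemoDb(): PDO {
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE t_photos (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, url TEXT NOT NULL, uploaddate TEXT NOT NULL)');
    $ins = $dbh->prepare('INSERT INTO t_photos (id, user_id, url, uploaddate) VALUES (?, ?, ?, ?)');
    $ins->execute([1, 7, '/uploads/7/a.jpg', '2013-10-01']);
    $ins->execute([2, 7, '/uploads/7/b.jpg', '2013-10-02']);
    // A stored filename containing double quotes, to show why output must be escaped.
    $ins->execute([3, 8, '/uploads/8/summer "2013".jpg', '2013-10-03']);
    return $dbh;
}

// Returns the photo row only if it exists AND belongs to $userId; otherwise null.
// Ownership is enforced inside the same parameterised query, so there is no
// separate check-then-fetch pair in which the id is used unqualified.
function fetchOwnPhoto(PDO $dbh, $num, $userId): ?array {
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer ('', '2abc', '2.5').
    $id  = filter_var($num, FILTER_VALIDATE_INT);
    $uid = filter_var($userId, FILTER_VALIDATE_INT);
    if ($id === false || $uid === false) {
        return null;
    }
    $sth = $dbh->prepare('SELECT url, uploaddate FROM t_photos WHERE id = :id AND user_id = :user_id LIMIT 1');
    $sth->execute([':id' => $id, ':user_id' => $uid]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escapes the stored path for an HTML attribute context, so a quote in the
// filename cannot terminate the src attribute.
function renderPhoto(?array $row): string {
    if ($row === null) {
        return '<p>Photo not found.</p>';
    }
    return '<img src="' . htmlspecialchars($row['url'], ENT_QUOTES, 'UTF-8') . '">';
}

$dbh = openDemoDb();

// Simulated requests as ($_GET['num'], $_SESSION['user_id']) pairs.
$cases = [
    ['2', 7],     // user's own photo: rendered
    ['3', 7],     // another user's photo: not found, same response as a missing id
    ['2abc', 7],  // malformed id: rejected before any query runs
    ['3', 8],     // owner of the quoted filename: attribute-escaped output
];
foreach ($cases as [$num, $uid]) {
    printf("num=%s user=%d => %s\n", $num, $uid, renderPhoto(fetchOwnPhoto($dbh, $num, $uid)));
}
```

Returning the same "not found" response for a photo that does not exist and for one that belongs to someone else means the endpoint does not reveal which photo ids are in use by other users.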
