PHP 删除评论按钮答案

【问题标题】：PHP Delete comments buttonPHP 删除评论按钮
【发布时间】：2014-01-30 00:32:45
【问题描述】：

我对 PHP 非常陌生（目前正在做一个大学项目）。我的网站是一个管理员站点，大约有 3 个管理员用户可以登录和更改站点等。目前，我的 cmets（用户可以发布到站点的 cmets）上有一个删除功能，但是任何进入该站点的人都可以看到删除功能，可以删除任何人cmets？

我希望只有我的管理员在登录时才能看到删除功能，并且随后成为唯一可以删除 cmets 的人。我有一个包含名称、密码、用户名和电子邮件列的用户数据库。我想知道是否有人可以看看我的代码并告诉我如何更改它，以便只有当管理员登录时他们才能看到按钮并删除 cmets。

  $str_message = "";
    if (!$db_server){
        die("Unable to connect to MySQL: " . mysqli_connect_error());
    }else{

        //if ($_SESSION['admin'] == 'yes') {


        if(isset($_GET['delete'])){
            $deleteq="DELETE FROM comments WHERE ID={$_GET['delete']} LIMIT 1";

            $deleter=mysqli_query($db_server, $deleteq);
            IF($deleter){
                echo"<p>That message was deleted!</p>";}}


        //}

        //Test whether form has been submitted 
        if(trim($_POST['submit']) == "Submit"){
            //Handle submission
            $resp = recaptcha_check_answer ($privatekey,
                                            $_SERVER["REMOTE_ADDR"],
                                            $_POST["recaptcha_challenge_field"],
                                            $_POST["recaptcha_response_field"]);
            if (!$resp->is_valid) {
                // What happens when the CAPTCHA was entered incorrectly
                $str_message = "The reCAPTCHA wasn't entered correctly. Go back and try it    
    again. 
                                (reCAPTCHA said: " . $resp->error . ")";
            } else {

                // Your code here to handle a successful verification
               $comment = $_POST['comment'];
                if($comment != ""){
                    $query = "INSERT INTO comments (comment) VALUES ('$comment')";
                    mysqli_query($db_server, $query) or die("Comment insert failed: " .     
     mysqli_error($db_server) );
                    $str_message = "Thanks for your comment!";
                }else{
                    $str_message = "Invalid form submission";
                }
            }
        }
        //Create page with or without submission 
        $query = "SELECT * FROM comments";
        $result = mysqli_query($db_server, $query);
        if (!$result) die("Database access failed: " . mysqli_error($db_server) );
        {

        while($row = mysqli_fetch_array($result)){ 
        $ID= $row['ID'];



            $str_result .=  "<p><em>Comment $j (" . $row['commDate'] . 
                    ")</em><br /> " .$row['comment'] . "</p>
                    <a href ='commentnow.php?delete=$ID
                    '>Delete</a><hr />"; 
        }
        mysqli_free_result($result);
    } } 

     ?>

【问题讨论】：

不相关，但我很确定不删除数据而只删除一个标记是常见的做法。我建议考虑这种方法。
在执行删除之前取消注释检查用户是否为管理员的代码。
^ 然后在底部还添加一个 if 语句以有两个可能的 $str_result 分配语句，具体取决于用户是否是管理员（如果用户是管理员显然没有删除按钮）

标签： php mysql database admin sql-delete

【解决方案1】：

如果我们假设您用于检查用户是否为管理员 (if ($_SESSION['admin'] == 'yes')) 的注释掉的语句有效，那么下面的代码应该可以让您很好地了解如何执行此操作。有两个地方需要添加 if 语句。我无法对此进行测试，但请查看此代码以了解您在哪里看到 // ADMIN IF STATEMENT，我希望您了解需要对代码进行哪些更改才能使其正常工作。

<?

$str_message = "";

if (!$db_server) {

    die("Unable to connect to MySQL: " . mysqli_connect_error());

} else {

    if ($_SESSION['admin'] == 'yes') { // ADMIN IF STATEMENT

        if (isset($_GET['delete'])) {

            $deleteq = "DELETE FROM comments WHERE ID={$_GET['delete']} LIMIT 1";
            $deleter = mysqli_query($db_server, $deleteq);

            if ($deleter) {

                echo "<p>That message was deleted!</p>";

            }

        }

    }

    //Test whether form has been submitted 
    if (trim($_POST['submit']) == "Submit") {

        //Handle submission
        $resp = recaptcha_check_answer(
            $privatekey,
            $_SERVER["REMOTE_ADDR"],
            $_POST["recaptcha_challenge_field"],
            $_POST["recaptcha_response_field"]
        );

        if (!$resp->is_valid) {

            // What happens when the CAPTCHA was entered incorrectly
            $str_message = "The reCAPTCHA wasn't entered correctly. Go back and try it again. (reCAPTCHA said: " . $resp->error . ")";

        } else {

            // Your code here to handle a successful verification
            $comment = $_POST['comment'];

            if ($comment != "") {

                $query = "INSERT INTO comments (comment) VALUES ('$comment')";
                mysqli_query($db_server, $query) or die("Comment insert failed: " . mysqli_error($db_server) );
                $str_message = "Thanks for your comment!";

            } else {

                $str_message = "Invalid form submission";

            }

        }
    }

    //Create page with or without submission 
    $query = "SELECT * FROM comments";
    $result = mysqli_query($db_server, $query);

    if (!$result) die("Database access failed: " . mysqli_error($db_server) ); {

        while ($row = mysqli_fetch_array($result)) { 

            $ID = $row['ID'];

            if ($_SESSION['admin'] == 'yes') { // ADMIN IF STATEMENT

                $str_result .=  "<p><em>Comment $j (" . $row['commDate'] . ")</em><br /> " .$row['comment'] . "</p><a href ='commentnow.php?delete=$ID'>Delete</a><hr />"; 

            } else {

                $str_result .=  "<p><em>Comment $j (" . $row['commDate'] . ")</em><br /> " .$row['comment'] . "</p>"; 

            }
        }

        mysqli_free_result($result);

    }

} 

?>

【讨论】：

$deleteq = "DELETE FROM comments WHERE ID={$_GET['delete']} LIMIT 1"; 我认为这个查询容易受到 sql 注入的攻击。另见stackoverflow.com/questions/5370426/…
@RomanPickl 很多张贴者的代码是错误的，但我个人不喜欢在漏洞上烧烤别人
@Sinmai 我明白这一点。有时，如果不进行大量更改，代码的某些部分似乎无法修复，这可能会降低学习编码人员的兴趣。不过我猜还是指出这些事情是件好事。

【解决方案2】：

首先您需要更改您的登录页面。当用户登录时，检查他是否是管理员用户。如果是，则将会话变量 ($_SESSION['admin']) 设置为是或将其设置为否。试试这样：

//login.php
if (!$db_server){
            die("Unable to connect to MySQL: " . mysqli_connect_error());
        }else{

     session_start(); 
     $sql="Select * FROM users WHERE user_name = 'your_username' and LIMIT 1";
     $result=mysqli_query($db_server, $sql);
     $objUser = $result->fetch_object();
     if($objUser->user_type =="admin")
        $_SESSION['admin'] = 'yes';
      else
       $_SESSION['admin'] = 'no';
  //rest of your code for login the user
}

然后在您的删除页面中检查当前用户是否为管理员。如果是，则执行查询，否则回显一条消息。像这样：

session_start(); 
$str_message = "";
    if (!$db_server){
        die("Unable to connect to MySQL: " . mysqli_connect_error());
    }else{


        if(isset($_GET['delete'])){
            if ($_SESSION['admin'] == 'yes') {
              $deleteq="DELETE FROM comments WHERE ID={$_GET['delete']} LIMIT 1";

              $deleter=mysqli_query($db_server, $deleteq);
               if($deleter){
                echo"<p>That message was deleted!</p>";}
            }
          else
           {
            echo "you are not admin";
           }

        }

        //Test whether form has been submitted 
        if(trim($_POST['submit']) == "Submit"){
            //Handle submission
            $resp = recaptcha_check_answer ($privatekey,
                                            $_SERVER["REMOTE_ADDR"],
                                            $_POST["recaptcha_challenge_field"],
                                            $_POST["recaptcha_response_field"]);
            if (!$resp->is_valid) {
                // What happens when the CAPTCHA was entered incorrectly
                $str_message = "The reCAPTCHA wasn't entered correctly. Go back and try it    
    again. 
                                (reCAPTCHA said: " . $resp->error . ")";
            } else {

                // Your code here to handle a successful verification
               $comment = $_POST['comment'];
                if($comment != ""){
                    $query = "INSERT INTO comments (comment) VALUES ('$comment')";
                    mysqli_query($db_server, $query) or die("Comment insert failed: " .     
     mysqli_error($db_server) );
                    $str_message = "Thanks for your comment!";
                }else{
                    $str_message = "Invalid form submission";
                }
            }
        }
        //Create page with or without submission 
        $query = "SELECT * FROM comments";
        $result = mysqli_query($db_server, $query);
        if (!$result) die("Database access failed: " . mysqli_error($db_server) );
        {

        while($row = mysqli_fetch_array($result)){ 
        $ID= $row['ID'];



            $str_result .=  "<p><em>Comment $j (" . $row['commDate'] . 
                    ")</em><br /> " .$row['comment'] . "</p>
                    <a href ='commentnow.php?delete=$ID
                    '>Delete</a><hr />"; 
        }
        mysqli_free_result($result);
    } } 

     ?>

我觉得有道理！

【讨论】：

【解决方案3】：

if ($_SESSION['admin'] == 'yes') {
<insert code to generate a delete button here>
}

【讨论】：

上面的代码中也应该有一个检查服务器端，不允许删除