【发布时间】:2021-11-13 08:32:35
【问题描述】:
我正在尝试制作一个网站。 So this is the index.php page. 当单击任何表单的“更多信息”时,用户将被重定向到 payment.php 页面,用户必须在该页面进行付款。付款完成后,用户被重定向到success.php页面,该页面应该是show these 3 lines 两秒钟,然后将用户重定向到details.php页面。但是,由于某种原因,不是重定向到 details.php,而是 details.php 和 index.php 同时出现like this。我怎样才能避免索引文件也在那里?我只想显示详细信息文件。
这里是成功页面的代码:
<?php
include 'index.php';
if(!empty($_GET['tid'] && !empty($_GET['product']))) {
$GET = filter_var_array($_GET, FILTER_SANITIZE_STRING);
$tid = $GET['tid'];
$product = $GET['product'];
} else {
header('Location: payment.php');
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">
<title>Thank You</title>
</head>
<body>
<div class="container mt-4">
<h2>Thank you for purchasing <?php echo $product; ?></h2>
<hr>
<p>Your transaction ID is <?php echo $tid; ?></p>
<p>Check your email for more info</p>
<?php header('Refresh: 2; URL=details.php?id='.$customer['id']);?>
</div>
</body>
</html>
我觉得这是success.php代码中最重要的部分:
<?php header('Refresh: 2; URL=details.php?id='.$customer['id']);?>
这是详细信息页面:
<?php
include 'config/db_connect.php';
include 'config/db.php';
include 'index.php';
if (isset($_POST['delete'])) {
$id_to_delete = mysqli_real_escape_string($conn, $_POST['id_to_delete']);
$sql = "DELETE FROM customers WHERE id = $id_to_delete";
if (mysqli_query($conn, $sql)) {
header('Location: index.php');
} else {
echo 'query error: ' . mysqli_error($conn);
}
}
// check GET request id param
if (isset($_GET['id'])) {
// escape sql chars
$id = mysqli_real_escape_string($conn, $_GET['id']);
// make sql
$sql = "SELECT * FROM customers WHERE id = $id";
// get the query result
$result = mysqli_query($conn, $sql);
// fetch result in array format
$customer = mysqli_fetch_assoc($result);
mysqli_free_result($result);
//mysqli_close($conn);
}
?>
<!DOCTYPE html>
<html>
<?php include 'templates/header.php'; ?>
<div class="container center grey-text">
<?php if ($customer) : ?>
<h4><?php echo $customer['Job_Type']; ?></h4>
<p>Contact Number of loan enquirer: <?php echo $customer['Telephone']; ?></p>
<p>Annual income: <?php echo 12 * $customer['Monthly_salary']; ?></p>
<p>Existing loan amount: <?php echo $customer['Existing_loan_amount']; ?></p>
<p>Residential_Type: <?php echo $customer['Residential_Type']; ?></p>
<p>Job: <?php echo $customer['Job']; ?></p>
<p>Form submission time: <?php echo date($customer['Form_Submission_Time']); ?></p>
<!-- DELETE FORM -->
<form action="details.php" method="POST">
<input type="hidden" name="id_to_delete" value="<?php echo $customer['id']; ?>">
<input type="submit" name="delete" value="Delete" class="btn brand z-depth-0">
</form>
<?php else : ?>
<h5>No such customer exists.</h5>
<?php endif ?>
</div>
<?php include 'templates/footer.php'; ?>
</html>
【问题讨论】:
-
常量FILTER_SANITIZE_STRING 已弃用。请停止使用。
-
警告:您对SQL Injections 持开放态度,应该使用参数化的prepared statements,而不是手动构建查询。它们由PDO 或MySQLi 提供。永远不要相信任何形式的输入!即使您的查询仅由受信任的用户执行,you are still in risk of corrupting your data。 Escaping is not enough!