我有三个PHP页面。登录,投票和投票流程。在投票页面中,用户可以投票给候选人。有单选按钮和复选框。以下是投票页面的代码:
<?php
error_reporting(E_ALL & ~E_NOTICE);
session_start();
if (isset($_SESSION['uname'])) {
$username = $_SESSION['uname'];
}
else {
header('Location: login_user.php');
die();
}
?>
<html>
<head>
<title>Trinity University of Asia Voting System</title>
</head>
<body>
<img src="images/tua_logo.jpg"><marquee>Practice your right to vote.</marquee><br>
<center>
<a href="/">Home</a> | <a href="results.php">Results</a> | <a href="logout.php">Logout</a><br>
<h3>Cast Your Vote</h3>
<form action="processvoting.php" method="post">
<table cellpadding="4" border="1">
<tr>
<th>Position</th>
<th>Choice 1</th>
<th>Choice 2</th>
</tr>
<tr>
<th>President</th>
<td><input type="radio" name="president" value="pres1"> JOHN MICHAEL KALEMBE<br>College of Business Administration</td>
<td><input type="radio" name="president" value="pres2"> SUZAN JOHN<br>College of Education</td>
</tr>
<tr>
<th>Vice President</th>
<td><input type="radio" name="vice_president" value="vicepres1"> JULIUS SAMWEL<br>College of Medical Technology</td>
<td><input type="radio" name="vice_president" value="vicepres2"> JEUNICE MARIANO<br>College of Business Administration</td>
</tr>
<tr>
<th>Secretary</th>
<td><input type="radio" name="secretary" value="sec1"> ANGELO CHRSTIAN DE GUZMAN<br>College of Medical Technology</td>
<td><input type="radio" name="secretary" value="sec1"> MICHAEL SANGA<br>College of Hospitality and Tourism Management</td>
</tr>
<tr>
<th>Treasurer</th>
<td><input type="radio" name="treasurer" value="treas1"> MARIE DANIELLE THEREZE VALDEZ<br>College of Hospitality and Tourism Management</td>
<td><input type="radio" name="treasurer" value="treas1"> JEUNICE MARIANO<br>College of Business Administration</td>
</tr>
<tr>
<th>Auditor</th>
<td><input type="radio" name="auditor" value="aud1"> KOBI TSARLZ GONZALES<br>College of Computing and Information Sciences</td>
<td><input type="radio" name="auditor" value="aud1"> MARIAN ENTERO<br>College of Business Administration</td>
</tr>
<tr>
<th>Business Manager</th>
<td><input type="checkbox" name="bus_manager" value="bus1"> MICAH EDILYN TAN<br>College of Arts and Sciences</td>
<td>N/A</td>
</tr>
<tr>
<th>Public Relations Officer (PRO)</th>
<td><input type="checkbox" name="pro" value="pro1"> MARIBETH LIAMZON<br>College of Education</td>
<td>N/A</td>
</tr>
</table>
<input type="submit" name="submit" value="Cast Your Vote"> <input type="reset" value="Reset">
</form>
</center>
</body>
</html>
一旦用户投票,他将被重定向到投票流程页面,这是代码:
<?php
error_reporting(E_ALL & ~E_NOTICE);
session_start();
if (isset($_SESSION['uname'])) {
$username = $_SESSION['uname'];
}
else {
header('Location: login_user.php');
die();
}
include 'connection.php';
if(isset($_POST['submit'])) {
$president = $_POST['president'];
$vicepres = $_POST['vice_president'];
$secretary = $_POST['secretary'];
$treasurer = $_POST['treasurer'];
$auditor = $_POST['auditor'];
$businessmanager = $_POST['bus_manager'];
$pro = $_POST['pro'];
$conn = mysqli_connect('localhost', 'root', '', 'electiondb');
if (!$conn) {
die("Connecton failed: " . mysqli_connect_error());
}
$votesql = "SELECT voted FROM student_log WHERE username = '$username'";
$query = mysqli_query($conn, $votesql);
while($record = mysqli_fetch_array($query)) {
$hasvoted = $record['voted'];
}
if ($hasvoted == 0) {
if ($president == '') {
echo "You cannot leave $president blank. Please go back and try again.";;
}
elseif ($vicepres == '') {
echo "You cannot leave $vicepres blank. Please go back and try again.";
}
elseif ($secretary == '') {
echo "You cannot leave $secretary blank. Please go back and try again.";
}
elseif ($treasurer == '') {
echo "You cannot leave $treasurer blank. Please go back and try again.";
}
elseif ($auditor == '') {
echo "You cannot leave $auditor blank. Please go back and try again.";
}
elseif ($businessmanager == ''){
echo "You cannot leave $businessmanager blank. Please go back and try again.";
}
elseif ($pro == '') {
echo "You cannot leave $pro blank. Please go back and try again.";
}
else {
switch ($president) {
case 'pres1':
$votepres1 = "UPDATE vote_log SET choice1 = choice1+1 WHERE position = 'president'";
$runpres1 = mysqli_query($conn, $votepres1);
break;
case 'pres2':
$votepres2 = "UPDATE vote_log SET choice2 = choice2+1 WHERE position = 'president'";
$runpres2 = mysqli_query($conn, $votepres2);
break;
}
switch ($vicepres) {
case 'vicepres1':
$votevicepres1 = "UPDATE vote_log SET choice1 = choice1+1 WHERE position = 'vice_president'";
$runvicepres1 = mysqli_query($conn, $votevicepres1);
break;
case 'vicepres2':
$votevicepres2 = "UPDATE vote_log SET choice2 = choice2+1 WHERE position = 'vice_president'";
$runvicepres2 = mysqli_query($conn, $votevicepres2);
break;
}
switch ($secretary) {
case 'sec1':
$votesec1 = "UPDATE vote_log SET choice1 = choice1+1 WHERE position = 'secretary'";
$runsec1 = mysqli_query($conn, $votesec1);
break;
case 'sec2':
$votesec2 = "UPDATE vote_log SET choice2 = choice2+1 WHERE position = 'secretary'";
$runsec2 = mysqli_query($conn, $votesec1);
break;
}
switch ($treasurer) {
case 'treas1':
$votetreas1 = "UPDATE vote_log SET choice1 = choice1+1 WHERE position = 'treasurer'";
$runtreas1 = mysqli_query($conn, $votetreas1);
break;
case 'treas2':
$votetreas2 = "UPDATE vote_log SET choice2 = choice2+1 WHERE position = 'treasurer'";
$runtreas2 = mysqli_query($conn, $votetreas2);
break;
}
switch ($auditor) {
case 'aud1':
$voteaud1 = "UPDATE vote_log SET choice1 = choice1+1 WHERE position = 'auditor'";
$runaud1 = mysqli_query($conn, $voteaud1);
break;
case 'aud2':
$voteaud2 = "UPDATE vote_log SET choice2 = choice2+1 WHERE position = 'auditor'";
$runaud2 = mysqli_query($conn, $voteaud2);
break;
}
switch ($businessmanager) {
case 'bus1':
$votebus1 = "UPDATE vote_log SET choice1 = choice1+1 WHERE position = 'business_manager'";
$runbus1 = mysqli_query($conn, $votebus1);
break;
}
switch ($pro) {
case 'pro1':
$votepro1 = "UPDATE vote_log SET choice1 = choice1+1 WHERE position = 'pro'";
$runpro1 = mysqli_query($conn, $votepro1);
break;
}
$sqlforvoted = "UPDATE student_log SET voted = 1 WHERE username = '$username'";
$processsql = mysqli_query($conn, $sqlforvoted) or die (mysqli_error($conn));
echo "Thank you for voting. You may now logout of the system.<br><a href='logout.php'>Logout</a>";
}
}
else {
echo "You cannot vote more than once. <br><a href='logout.php'>Logout</a>";
}
}
?>
<html>
<head>
<title>Voting Process</title>
</head>
<body>
</body>
</html>
投票不会增加,但用户被视为已投票&#39;因此,一旦登录,用户就无法再次投票。我唯一担心的是投票不计算在内。我的代码有什么问题,或者我对投票的理解不是很好吗?谢谢!
答案 0 :(得分:0)
您可以替换它:
switch ($president) {
case 'pres1':
$votepres1 = "UPDATE vote_log SET choice1 = choice1+1 WHERE position = 'president'";
$runpres1 = mysqli_query($conn, $votepres1);
break;
case 'pres2':
$votepres2 = "UPDATE vote_log SET choice2 = choice2+1 WHERE position = 'president'";
$runpres2 = mysqli_query($conn, $votepres2);
break;
}
有了这个:
// here you take the last char of $president (value 1 or 2) and concatenate it to "choice"
$choice = "choice".substr($president, -1);
$votepres = "UPDATE vote_log SET $choice = $choice + 1 WHERE position = 'president'";
$runpres = mysqli_query($conn, $votepres);
注释SQL语句中的间距。
要防止SQL注入,您必须修改调用变量的语句。在这种情况下,您调用$username的语句(您应该调用用户ID,而不是用户名)。
调用用户ID,您可以在执行查询之前检查它是否为整数值,如下所示:if (is_int($userID)) { ...do query... } else { ...do not... }
答案 1 :(得分:0)
我认为您的HTML中存在一些拼写错误。此处,选项为pres1和pres2:
<td><input type="radio" name="president" value="pres1"> ... </td>
<td><input type="radio" name="president" value="pres2"> ... </td>
但是在这里,两个选项都是sec1:
<td><input type="radio" name="secretary" value="sec1"> ... </td>
<td><input type="radio" name="secretary" value="sec1"> ... </td>
关于数据库交互,最好使用PDO和预处理语句 - 它比大多数字符串连接方案更安全。请查看此页右侧的“相关”列 - 最常见的问题this one可以很好地解释此主题。
无论如何,这是对submit部分的不同看法,它只是删除了所有的重复。它不使用PDO(我没有添加任何数据库代码),但至少在最终查询中没有未经过滤的用户输入 - 只有预定义的值:
if(isset($_POST['submit']) && !empty($_POST["submit"])) {
if($hasvoted != 0){
echo "You cannot vote more than once. <br><a href='logout.php'>Logout</a>";
exit;
}
$positions = array(
"president" => null,
"vice_president" => null,
"secretary" => null,
"treasurer" => null,
"auditor" => null,
"bus_manager" => null,
"pro" => null
);
foreach (array_keys($positions) as $position)
{
if (!isset($_POST[$position]) || empty($_POST[$position])) {
echo "All positions must be filled. Please try again.<br>";
exit;
}
else{
$choice = "";
$choice_num = substr($_POST[$position], -1);
if($choice_num == 1 || $choice_num == 2){
$choice = "choice" . $choice_num;
}
else{
echo "Error - invalid option";
exit;
}
$positions[$position] = $choice;
}
}
foreach (array_keys($positions) as $position)
{
$choice = $positions[$position];
$sql_str = "UPDATE vote_log SET " . $choice ." = " . $choice . "+1 WHERE position = '" . $position . "'";
// $sql_insert = mysqli_query($conn, $sql_str);
echo $sql_str . "<br>";
}
echo "Thank you for voting. You may now logout of the system.<br><a href='logout.php'>Logout</a>";
}