PHP/SQL: restricting viewing permissions. I want to make sure the StaffID is stored and loaded when the "view contacts" page is reached from a link, rather than coming directly from the login form
登錄表單:
<?php session_start(); // Start PHP session
// Pre-fill values from the session if present; default to "" so the echoes below never hit an undefined variable
$StaffID = isset($_SESSION["StaffID"]) ? $_SESSION["StaffID"] : "";
$StaffUsername = isset($_SESSION["StaffUsername"]) ? $_SESSION["StaffUsername"] : "";
?>
<form name="staffaccess" method="post" action="staff-login.php">
<!-- the hidden field sits outside the table rows so the HTML stays valid; note that the login check below reads StaffID from $_GET, not from this POSTed field -->
<input type="hidden" name="StaffID" id="StaffID" value="<?php echo htmlspecialchars($StaffID); ?>" />
<table border="1" cellpadding="3" cellspacing="1">
<tr>
<td colspan="3"><strong>Staff Login </strong></td>
</tr>
<tr>
<td>Username:</td>
<td><input name="StaffUsername" size="30" type="text" id="StaffUsername" value="<?php echo htmlspecialchars($StaffUsername); ?>"/></td>
</tr>
<tr>
<td>Password:</td>
<!-- type="password" masks the input; a password is never echoed back into the page -->
<td><input name="StaffPassword" size="30" type="password" id="StaffPassword" /></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="Submit" value="Login"/></td>
</tr>
</table>
</form>
LOGIN CHECK:
<?php session_start(); // Start PHP session ?>
<body>
<?php
// The posted username is kept in the session for re-display; the password itself is not stored in the session (nothing needs it after the check)
$_SESSION["StaffUsername"] = isset($_POST["StaffUsername"]) ? $_POST["StaffUsername"] : "";
// NOTE: taking StaffID from the query string lets any visitor pick it; it is overwritten from the database row on a successful login below
$_SESSION["StaffID"] = isset($_GET["StaffID"]) ? $_GET["StaffID"] : "";
//connect to database//
$dbc = mysql_connect("", "", "");
if (!$dbc)
die ('Could not connect: ' .mysql_error());
//select database//
$db_selected = mysql_select_db("tafe", $dbc);
if (!$db_selected)
die ('Could not select database: ' . mysql_error());
// username and password sent from form
$StaffUsername = isset($_POST['StaffUsername']) ? $_POST['StaffUsername'] : '';
$StaffPassword = isset($_POST['StaffPassword']) ? $_POST['StaffPassword'] : '';
// To protect against MySQL injection: escape the values before they go into the query string.
// mysql_real_escape_string needs the open connection $dbc. The mysql_* extension is deprecated in PHP 5.5
// and removed in PHP 7; new code should use mysqli or PDO prepared statements instead.
$StaffUsername = stripslashes($StaffUsername);
$StaffPassword = stripslashes($StaffPassword);
$StaffUsername = mysql_real_escape_string($StaffUsername, $dbc);
$StaffPassword = mysql_real_escape_string($StaffPassword, $dbc);
// Passwords are compared in plain text here; storing hashes (password_hash / password_verify) is the correct approach
$qry = "SELECT * FROM staffaccess WHERE Username= '" . $StaffUsername . "' AND Password= '" . $StaffPassword . "'";
$rst = mysql_query($qry, $dbc);
if (!$rst)
die ('Query failed: ' . mysql_error($dbc));
$row = mysql_fetch_array($rst);
// Require an actual matching row: with no match $row is false, $row["Username"] is null, and null == "" is true,
// so the old comparison would have accepted an empty username and password
if ($row !== false)
{
$_SESSION["StaffID"] = $row["StaffID"];
echo "Your login was successful";
echo "<br /><br />";
echo "<a href=\"list-contacts.php\">Continue</a>";
}
else {
echo "Sorry your details are not valid";
echo "<br /><br />";
echo "<a href=\"staff-login.htm\">Return</a>";
}
?>
View contacts (I only want this to allow viewing the contacts that this particular user has added)
<?php
//connect to database
$dbc = mysql_connect("", "", "");
if (!$dbc)
die ('Could not connect: ' .mysql_error());
//select database
$db_selected = mysql_select_db("tafe", $dbc);
if (!$db_selected)
die ('Could not select database: ' . mysql_error());
// StaffID is read from the query string. The key 'StaffId' does not match the 'StaffID' used everywhere else,
// and the Continue link on the login page passes no parameter at all, so (int) of a missing value is always 0.
// Reading it from the URL also lets any logged-in user choose whose contacts to list.
$StaffID = isset($_GET['StaffId']) ? (int)$_GET['StaffId'] : 0;
// build sql select statement (the cast to int above is what keeps this value safe from injection)
$qry = "SELECT * FROM contacts WHERE StaffID= $StaffID ORDER BY Name ASC";
//run select statement against database
$rst = mysql_query($qry, $dbc);
// print whether successful or not
if ($rst)
{
if (mysql_num_rows($rst)>0) // check that there are records
{
echo "<table border=\"1\" cellspacing=\"0\">";
/***print out field names***/
echo "<tr>"; // start row
for ($i=0; $i<mysql_num_fields($rst); $i++) // for each field print out field name
{
echo "<th>" . htmlspecialchars(mysql_field_name($rst, $i)) . "</th>";
}
echo "<th> </th>";
echo "<th> </th>";
echo "</tr>";
/***print out field values (HTML-escaped, so a stored contact cannot inject markup into the page)***/
while ($row = mysql_fetch_assoc($rst)) // fetch each of the rows
{
echo "<tr>";
echo "<td>".htmlspecialchars($row['ContactID'])."</td>";
echo "<td>".htmlspecialchars($row['Name'])."</td>";
echo "<td>".htmlspecialchars($row['Address'])."</td>";
echo "<td>".htmlspecialchars($row['Phone'])."</td>";
echo "<td>".htmlspecialchars($row['Mobile'])."</td>";
echo "<td>".htmlspecialchars($row['Email'])."</td>";
echo "<td><a href='edit-contact.php?id=".(int)$row['ContactID']."'>Edit</a></td>";
echo "<td><a href='delete-contact.php?id=".(int)$row['ContactID']."'>Delete</a></td>";
echo "</tr>";
}
echo "</table>";
}
else
{
echo "<b><font color='black'>No records returned.</font></b>";
}
}
else
{
echo "<b><font color='red'>Error: ".htmlspecialchars(mysql_error($dbc)) . "</font></b>";
}
?>
Thanks, I added that too, but it still doesn't work. It may be a problem with how the table is set up. Thanks for your help anyway – user3110441
Check your column names in the staff table – NLSaini
I seem to have solved that problem, but now there is a new one: the query only returns the contacts for StaffID (0), and all users can access those contacts. Any ideas what is going wrong here? – user3110441
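An added example, not the asker's code and not an answer from the thread, showing the structure the question asks for. The list page in the question takes `$_GET['StaffId']`, a key that is never supplied (the Continue link has no parameter, and the other pages spell it `StaffID`), so the cast gives 0 for everyone; and because the value comes from the URL, anyone can list anyone's contacts by editing it. Below, the login check verifies the password and stores only the StaffID in the session, and the contacts page reads the StaffID from `$_SESSION`, never from the request. It assumes a `staffaccess` table with columns `StaffID`, `Username` and `PasswordHash` (a `password_hash()` column standing in for the plaintext `Password` column in the question), the `contacts` table as in the question, PHP 7+ with mysqli (mysqlnd driver), and placeholder connection credentials. The two pages are written as functions in one file for readability; in the real site they would live in staff-login.php and list-contacts.php.

```php
<?php
// Added example, not from the original post. Assumed tables:
//   staffaccess(StaffID, Username, PasswordHash)   -- PasswordHash produced by password_hash()
//   contacts(ContactID, StaffID, Name, Address, Phone, Mobile, Email)
// The connection credentials below are placeholders.
session_start();

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of returning false silently
$dbc = new mysqli("localhost", "dbuser", "dbpass", "tafe");   // hypothetical credentials

/**
 * staff-login.php part: verify the credentials and store ONLY the StaffID in the session.
 * Returns the StaffID on success, null on failure. Nothing from $_GET is trusted.
 */
function staff_login(mysqli $dbc, string $username, string $password): ?int
{
    // Prepared statement: the username is bound as data, so no escaping or quoting is needed
    $stmt = $dbc->prepare("SELECT StaffID, PasswordHash FROM staffaccess WHERE Username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Unknown user and wrong password take the same path, so the response does not reveal which it was
    if (!$row || !password_verify($password, $row["PasswordHash"])) {
        return null;
    }

    session_regenerate_id(true);                       // fresh session ID on login (against session fixation)
    $_SESSION = ["StaffID" => (int)$row["StaffID"]];   // keep only what later pages need; never the password
    return (int)$row["StaffID"];
}

/**
 * list-contacts.php part: the StaffID comes from the session set at login,
 * never from the URL, so the only contacts a user can list are their own.
 */
function list_contacts(mysqli $dbc): array
{
    if (!isset($_SESSION["StaffID"])) {
        header("Location: staff-login.php");           // not logged in: send to the login form
        exit;
    }
    $staffId = (int)$_SESSION["StaffID"];

    $stmt = $dbc->prepare(
        "SELECT ContactID, Name, Address, Phone, Mobile, Email
           FROM contacts WHERE StaffID = ? ORDER BY Name ASC"
    );
    $stmt->bind_param("i", $staffId);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/** Render the rows, HTML-escaping every value so a stored contact cannot inject markup into the page. */
function render_contacts(array $rows): string
{
    if ($rows === []) {
        return "<p>No records returned.</p>";
    }
    $html = "<table border=\"1\" cellspacing=\"0\"><tr>";
    foreach (array_keys($rows[0]) as $col) {
        $html .= "<th>" . htmlspecialchars($col, ENT_QUOTES, "UTF-8") . "</th>";
    }
    $html .= "<th></th><th></th></tr>";
    foreach ($rows as $row) {
        $html .= "<tr>";
        foreach ($row as $value) {
            $html .= "<td>" . htmlspecialchars((string)$value, ENT_QUOTES, "UTF-8") . "</td>";
        }
        $id = (int)$row["ContactID"];
        // edit-contact.php and delete-contact.php must repeat the ownership check
        // (WHERE ContactID = ? AND StaffID = <session StaffID>), or any user can edit any contact by ID
        $html .= "<td><a href=\"edit-contact.php?id=$id\">Edit</a></td>";
        $html .= "<td><a href=\"delete-contact.php?id=$id\">Delete</a></td></tr>";
    }
    return $html . "</table>";
}

// Usage: handle a login POST if one arrived, then show the logged-in user's own contacts
if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["StaffUsername"], $_POST["StaffPassword"])) {
    if (staff_login($dbc, $_POST["StaffUsername"], $_POST["StaffPassword"]) === null) {
        echo "Sorry your details are not valid";
        exit;
    }
}
echo render_contacts(list_contacts($dbc));
```

The point of the split is that the session is the only carrier of identity: the login page writes `StaffID` once, after the database has confirmed who the user is, and every later page reads it from there and binds it into its query. A link or hidden form field carrying `StaffID` is never needed, and anything that still accepts one from the request reintroduces the problem.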