2014-01-29 67 views
0

PHP/SQL: restricting view permissions. I want to make sure the StaffID is stored when the "view contacts" page is loaded from a link, rather than directly from the login form.

Login form:

<?php session_start(); // Start PHP session 

$StaffID = isset($_SESSION["StaffID"]) ? $_SESSION["StaffID"] : ""; 
$StaffUsername = isset($_SESSION["StaffUsername"]) ? $_SESSION["StaffUsername"] : ""; // used by the form below 
$StaffPassword = ""; // never echo a stored password back into the form 
?> 

<form name="staffaccess" method="post" action="staff-login.php"> 
<table border="1" cellpadding="3" cellspacing="1"> 
<tr> 
<td colspan="3"><strong>Staff Login </strong></td> 
</tr> 

<input type="hidden" name="StaffID" id="StaffID" value="<?php echo $StaffID; ?>" /> 

<tr> 
<td>Username:</td> 
<td><input name="StaffUsername" size= "30" type="text" id="StaffUsername" value="<?php echo $StaffUsername; ?>"/></td> 
</tr> 

<tr> 
<td>Password:</td> 
<td><input name="StaffPassword" size= "30" type="text" id="StaffPassword" value="<?php echo $StaffPassword; ?>"/></td> 
</tr> 

<tr> 
<td></td> 
<td><input type="submit" name="Submit" value="Login"/></td> 
</tr> 
</table> 
</form> 

LOGIN CHECK:

<?php session_start(); // Start PHP session 
?> 
<body> 

<?php 

$_SESSION["StaffUsername"] = isset($_POST["StaffUsername"]) ? $_POST["StaffUsername"] : ""; 
$_SESSION["StaffPassword"] = isset($_POST["StaffPassword"]) ? $_POST["StaffPassword"] : ""; 
$_SESSION["StaffID"] = isset($_GET["StaffID"]) ? $_GET["StaffID"] : ""; 

//connect to database// 
$dbc = mysql_connect("", "", ""); 
if (!$dbc) 
die ('Could not connect: ' .mysql_error()); 

//select database// 
$db_selected = mysql_select_db("tafe", $dbc); 
if (!$db_selected) 
die ('Could not connect: ' . mysql_error()); 


// username and password sent from form 
$StaffUsername=$_POST['StaffUsername']; 
$StaffPassword=$_POST['StaffPassword']; 



// Escape the input before it goes into the query string (protection against SQL injection) 
$StaffUsername = stripslashes($StaffUsername); 
$StaffPassword = stripslashes($StaffPassword); 
$StaffUsername = mysql_real_escape_string($StaffUsername); 
$StaffPassword = mysql_real_escape_string($StaffPassword); 

$qry=("SELECT * FROM staffaccess WHERE Username= '" . $StaffUsername . "' AND Password= '" .$StaffPassword ."'"); 


$rst = mysql_query($qry, $dbc); 
$row = mysql_fetch_array($rst); 


if ($row["Username"]==$StaffUsername && $row["Password"]==$StaffPassword) 
{ 
    $_SESSION["StaffID"] = $row["StaffID"]; 
echo "Your login was successful"; 
echo "</br></br>"; 
echo "<a href=list-contacts.php>Continue</a>"; 
} 

else { 

echo "Sorry your details are not valid"; 
echo "</br></br>"; 
echo "<a href=staff-login.htm>Return</a>"; 
} 


?> 

View contacts (I only want this to allow viewing the contacts that this particular user has added):

<?php 


//connect to database 

$dbc = mysql_connect("", "", ""); 
if (!$dbc) 
die ('Could not connect: ' .mysql_error()); 

//select database 
$db_selected = mysql_select_db("tafe", $dbc); 
if (!$db_selected) 
die ('Could not connect: ' . mysql_error()); 

$StaffID = (int)$_GET['StaffId']; 

// build sql select statement 
$qry = "SELECT * FROM contacts WHERE StaffID= $StaffID ORDER by name ASC"; 

// run select statement against database 
$rst = mysql_query($qry, $dbc); 

// print whether successful or not 
if ($rst) 
{ 
if (mysql_num_rows($rst)>0) // check that there are records 
{ 


    echo "<table border=\"1\" cellspacing=\"0\">"; 

    /***print out field names***/ 

    echo "<tr>"; // start row 
    for ($i=0; $i<mysql_num_fields($rst); $i++) // for each field print out field name 
    { 
     echo "<th>" . mysql_field_name($rst, $i) . "</th>"; 

    } 
     echo "<th>&nbsp;</th>"; 
     echo "<th>&nbsp;</th>"; 
    echo "</tr>"; 



    /***print out field values***/ 

    while ($row = mysql_fetch_array($rst)) // fetch each of the rows 
    { 
     echo "<tr>"; 
     echo "<td>".$row['ContactID']."</td>"; 
     echo "<td>".$row['Name']."</td>"; 
     echo "<td>".$row['Address']."</td>"; 
     echo "<td>".$row['Phone']."</td>"; 
     echo "<td>".$row['Mobile']."</td>"; 
     echo "<td>".$row['Email']."</td>"; 
     echo "<td><a href='edit-contact.php?id=".$row['ContactID']."'>Edit</a></td>"; 
     echo "<td><a href='delete-contact.php?id=".$row['ContactID']."'>Delete</a></td>"; 
     echo "</tr>"; 


    } 


    echo "</table>"; 


} 
else 
{ 
    echo "<b><font color='black'>No records returned.</font></b>"; 
} 
} 
else 
{ 
echo "<b><font color='red'>Error: ".mysql_error($dbc) . "</font></b>"; 
} 

?> 

Answers

0

You are not passing the staff ID to the contacts page, so pass the staff ID like this on the login check page.

Change it as follows:

if ($row["Username"]==$StaffUsername && $row["Password"]==$StaffPassword) 
{ 
echo "Your login was successful"; 
echo "</br></br>"; 
echo "<a href=list-contacts.php?StaffId=".$row["StaffId"].">Continue</a>"; 
} 

You can also use the session for the logged-in user.

+0

Thanks, I added that too, but it still isn't working. It may be a problem with the way the table is set up. Thanks for your help anyway – user3110441

+0

Check your column names in the staff table – NLSaini

+0

I seem to have fixed that, but now there is a new problem: the query only returns the contacts for StaffID (0). All users can access these contacts. Any ideas what is going wrong here? – user3110441

0

Depending on your MySQL version, you may need to quote your WHERE attribute. I'm not sure that is causing your problem, but it may be related. Also, are you sure your StaffID field values are being inserted into the database correctly?

0

I checked the code and you are using

echo "<a href=list-contacts.php>Continue</a>"; 

to send the user to view contacts, and in that page you are doing

$StaffID = (int)$_GET['StaffId']; 

so you need to pass that value through the query string as

echo "<a href=list-contacts.php?StaffId=".$row["column_name_in_table"].">Continue</a>";
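As an added example (not the asker's or the answerers' code), here is a list-contacts.php that takes the StaffID from the server-side session, as the first answer suggests, instead of from the query string. A StaffId carried in the link is chosen by the client, so every staff member could read every other member's contacts, which is the "all users can access these contacts" symptom in the comments. It assumes the login check stored $row["StaffID"] in $_SESSION["StaffID"], and uses a PDO connection to the tafe database with placeholder credentials.

```php
<?php
// Added example, not code from the question or answers. Assumes the login
// check stored $row["StaffID"] in $_SESSION["StaffID"] and that the
// "tafe" database is reachable with the placeholder credentials below.
session_start();
// Read the staff id from the server-side session only. A value taken
// from the query string (?StaffId=...) is chosen by the client, so one
// staff member could request another member's contacts with it.
if (empty($_SESSION["StaffID"]) || (int)$_SESSION["StaffID"] <= 0) {
    header("Location: staff-login.htm"); // not logged in
    exit;
}
$staffId = (int)$_SESSION["StaffID"];

$pdo = new PDO("mysql:host=localhost;dbname=tafe;charset=utf8mb4",
               "DB_USER_PLACEHOLDER", "DB_PASSWORD_PLACEHOLDER",
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false]);

// Prepared statement: StaffID is bound as a parameter, never concatenated
// into the SQL text, and the WHERE clause limits the rows to this user.
$stmt = $pdo->prepare("SELECT ContactID, Name, Address, Phone, Mobile, Email "
                    . "FROM contacts WHERE StaffID = :sid ORDER BY Name ASC");
$stmt->execute([":sid" => $staffId]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

if (count($rows) === 0) {
    echo "<b>No records returned.</b>";
    exit;
}
$cols = ["ContactID", "Name", "Address", "Phone", "Mobile", "Email"];
echo "<table border=\"1\" cellspacing=\"0\"><tr>";
foreach ($cols as $col) {
    echo "<th>" . $col . "</th>";
}
echo "<th>&nbsp;</th><th>&nbsp;</th></tr>";
foreach ($rows as $row) {
    echo "<tr>";
    foreach ($cols as $col) {
        // Escape each value so stored contact data cannot inject HTML/script.
        echo "<td>" . htmlspecialchars((string)$row[$col], ENT_QUOTES, "UTF-8") . "</td>";
    }
    $id = (int)$row["ContactID"]; // cast, so the link carries only a number
    echo "<td><a href='edit-contact.php?id=$id'>Edit</a></td>";
    echo "<td><a href='delete-contact.php?id=$id'>Delete</a></td>";
    echo "</tr>";
}
echo "</table>";
```

edit-contact.php and delete-contact.php need the same rule: look the contact up by ContactID and the session's StaffID together, otherwise a user can still change the id in those links to reach another member's contact.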