因此,我最近在我的网站上创建了一个部分,其中显示了一个从MySQL数据库填充的表。自从用户登录以来,有些记录我不希望其他用户看到,但有些记录我希望看到。因此,我建立了一个安全级别系统。到目前为止,一切正常。在此页面上,我运行一条if语句以查看用户的安全级别是否为4,如果存在,则根据用户名运行SELECT *查询。因此查询是
SELECT * WHERE `assignedTo` = '$username'
理论上这是可行的,它不会给我任何错误,并且我已打开错误报告。这是我到位的错误代码;
//Error Reporting
ini_set('display_startup_errors', 1);
ini_set('display_errors', 1);
error_reporting(-1);
但是,出于测试目的,我在数据库中有一条记录,并且当我以“ Example2”身份登录时,assignedTo字段现在包含“ Example1”,我仍然可以看到分配给“ Example1”的记录。我运行了一个var_dump(),它向我显示了以下内容;
object(PDOStatement)#3 (1) {
["queryString"]=>
string(68) "SELECT * FROM `customerLeads` WHERE `assignedTo` = 'Example2' "
}
因此查询是正确的,这就是查询的运行方式,但不应显示记录,因为assignedTo等于'Example1'而不是'Example2'。
这是该网页的代码;
<?php
//Session Start
session_start();
//Error Reporting
ini_set('display_startup_errors', 1);
ini_set('display_errors', 1);
error_reporting(-1);
require 'includes/conn.php';
$user_id = $_SESSION['user_id'];
$user_security = $_SESSION['user_security'];
if(!isset($_SESSION['user_id']) || !isset($_SESSION['logged_in'])){
//User not logged in. Redirect them back to the login.php page.
?>
<script type="text/javascript">
alert("You must be logged in!");
window.location.href = "login.php";
</script>
<?php
}
$user_name = $_SESSION['user_name'];
if ($user_security == 4) {
$customerList = $salesConn->query("SELECT * FROM `customerLeads` WHERE `assignedTo` = '$user_name' ");
}
if ($user_security == 0 OR 1) {
$customerList = $salesConn->query("SELECT * FROM customerLeads");
}
var_dump($customerList);
?>
然后这是我显示数据的表;
<table>
<thead>
<tr>
<th scope="col">Full Name</th>
<th scope="col">Telephone</th>
<th scope="col">Vehicle of Interest</th>
<th scope="col">Budget</th>
<th scope="col">P/X Vehicle</th>
<th scope="col">P/X Reg</th>
<th scope="col">P/X Finance</th>
<th scope="col">P/X Settlement</th>
<th scope="col">Salesman</th>
<th scope="col">Status</th>
</tr>
</thead>
<tbody>
<?php
while ($cRow = $customerList->fetch()) {
$firstName = $cRow['customerFirstName'];
$lastName = $cRow['customerLastName'];
$tele = $cRow['customerTel'];
$mob = $cRow['customerMob'];
$mail = $cRow['customerEmail'];
$add1 = $cRow['customerAdd1'];
$add2 = $cRow['customerAdd2'];
$add3 = $cRow['customerAdd3'];
$add4 = $cRow['customerAdd4'];
$vehInterest = $cRow['customerVeh'];
$vehChange = $cRow['customerChangeDate'];
$vehDrive = $cRow['customerDriveDate'];
$vehFinance = $cRow['customerFinance'];
$vehBudget = $cRow['customerBudget'];
$pxVeh = $cRow['customerPXVeh'];
$pxReg = $cRow['customerPXReg'];
$pxMile = $cRow['customerPXMileage'];
$pxColour = $cRow['customerPXColour'];
$pxEngine = $cRow['customerPXEngine'];
$pxTrans = $cRow['customerPXTrans'];
$pxFuel = $cRow['customerPXFuel'];
$pxPrice = $cRow['customerPXPrice'];
$pxFinance = $cRow['customerPXFinance'];
$pxSettle = $cRow['customerPXFinance'];
$salesman = $cRow['customerSalesman'];
$notes = $cRow['customerNotes'];
$status = $cRow['customerStatus'];
?>
<tr>
<td data-label="Ful Name"><?php echo $firstName." ".$lastName; ?></td>
<td data-label="Telephone"><?php echo $tele; ?></td>
<td data-label="Vehicle of Interest"><?php echo $vehInterest; ?></td>
<td data-label="Budget"><?php echo $vehBudget; ?></td>
<td data-label="P/X Vehicle"><?php echo $pxVeh; ?></td>
<td data-label="P/X Reg"><?php echo $pxReg; ?></td>
<td data-label="P/X Finance"><?php echo $pxFinance; ?></td>
<td data-label="P/X Settlement"><?php echo $pxSettle ?></td>
<td data-label="Salesman"><?php echo $salesman; ?></td>
<td data-label="Status"><?php echo $status; ?></td>
</tr>
<?php
}
?>
</tbody>
答案 0 :(得分:0)
这种情况总是 为真:
if ($user_security == 0 OR 1)
因为1始终是一个“真实的”值。不要以您大声说出来的方式来考虑布尔表达式,而要始终以单个不同的表达式来考虑它们。在这种情况下,您有两个表达式:$user_security == 0,根据变量而定,条件为真或假。和1,这始终是正确的。
您可能想要这个:
if ($user_security == 0 OR $user_security == 1)