" AND $ _SESSION [' user_id'] = posted_by"不工作

时间:2013-07-18 10:08:05

标签: php mysql session

基本上我有一个人们可以发布主题或讨论的网站,我添加了一个工作正常的edit_post功能,但在测试中我通过更改URL可以编辑其他人的帖子来实现,我试图实现检查所以只有发帖的人才可以编辑它,但没有运气,我没有收到任何错误,但现在不允许其他用户编辑,但它也不会让主题创建者编辑。

if ( isset($_GET['edit'])) {

    $id =   $_GET['edit'];
    $res =  mysql_query("SELECT users.user_id, users.username, users.profile, topics.topic_id, topics.category, topics.sub_category, topics.subsub_category, topics.topic_data, 
            topics.posted_by, topics.posted, topics.view, topics.invisipost
    FROM    `topics` 
    JOIN    `users` on topics.posted_by = users.user_id WHERE topic_id='$id'"); 
    $rows = mysql_fetch_array($res);
}
if ( isset($_POST['topic_data'])) {
    $topic_data = $_POST['topic_data'];
    $id = $_POST['id'];
    $sql = "UPDATE topics SET topic_data='$topic_data' WHERE topic_id='$id' AND '".$_SESSION['user_id']."'='$posted_by'";
    $res = mysql_query($sql) or die("Could not update".mysql_error());
    header("Location: view_topic.php?topic_id=$id");
}

3 个答案:

答案 0 :(得分:0)

您的查询应该是这样的:

"UPDATE topics SET topic_data='$topic_data' WHERE 
topic_id='$id' AND posted_by ='".$_SESSION['user_id']."'";

因为posted_by是列...

答案 1 :(得分:0)

应该是,

AND posted_by='".$_SESSION['user_id']."'"; //posted_by is column name

而不是

AND '".$_SESSION['user_id']."'='$posted_by'";

答案 2 :(得分:0)

试试这个

if ( isset($_POST['topic_data']) and $_SESSION['user_id']==$posted_by) {
$topic_data = $_POST['topic_data'];
$id = $_POST['id'];
$sql = "UPDATE topics SET topic_data='$topic_data' WHERE topic_id='$id'  ";
$res = mysql_query($sql) or die("Could not update".mysql_error());
header("Location: view_topic.php?topic_id=$id");
}