PHP / SQL: restrict what a user can view

Time: 2014-01-29 07:28:18

Tags: php sql

I want to make sure that "StaffID" is stored when the "view contacts" page is loaded from the link, rather than when it is loaded directly from the login form.

Login form:

<?php
session_start(); // Start the PHP session

// StaffID left over from an earlier login, if any, and the last submitted username
$StaffID       = isset($_SESSION["StaffID"]) ? $_SESSION["StaffID"] : "";
$StaffUsername = isset($_POST["StaffUsername"]) ? $_POST["StaffUsername"] : "";
?>

<form name="staffaccess" method="post" action="staff-login.php">
<!-- hidden field kept outside the table rows so the HTML stays valid -->
<input type="hidden" name="StaffID" id="StaffID" value="<?php echo htmlspecialchars($StaffID); ?>" />
<table border="1" cellpadding="3" cellspacing="1">
<tr>
<td colspan="3"><strong>Staff Login </strong></td>
</tr>

<tr>
<td>Username:</td>
<td><input name="StaffUsername" size="30" type="text" id="StaffUsername" value="<?php echo htmlspecialchars($StaffUsername); ?>"/></td>
</tr>

<tr>
<td>Password:</td>
<!-- a password field must be type="password" and is never pre-filled -->
<td><input name="StaffPassword" size="30" type="password" id="StaffPassword" /></td>
</tr>

<tr>
<td></td>
<td><input type="submit" name="Submit" value="Login"/></td>
</tr>
</table>
</form>

Login check:

<?php session_start(); // Start the PHP session ?>
<body>

<?php

$_SESSION["StaffUsername"] = isset($_POST["StaffUsername"]) ? $_POST["StaffUsername"] : "";
$_SESSION["StaffPassword"] = isset($_POST["StaffPassword"]) ? $_POST["StaffPassword"] : "";
// StaffID is read from the query string here, so it is whatever the client sent
$_SESSION["StaffID"] = isset($_GET["StaffID"]) ? $_GET["StaffID"] : "";

// connect to database (the mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7)
$dbc = mysql_connect("", "", "");
if (!$dbc)
    die ('Could not connect: ' . mysql_error());

// select database
$db_selected = mysql_select_db("tafe", $dbc);
if (!$db_selected)
    die ('Could not select database: ' . mysql_error());

// username and password sent from the form
$StaffUsername = isset($_POST['StaffUsername']) ? $_POST['StaffUsername'] : '';
$StaffPassword = isset($_POST['StaffPassword']) ? $_POST['StaffPassword'] : '';

// Escape the values before building the query (protection against SQL injection)
$StaffUsername = mysql_real_escape_string(stripslashes($StaffUsername));
$StaffPassword = mysql_real_escape_string(stripslashes($StaffPassword));

$qry = "SELECT * FROM staffaccess WHERE Username = '" . $StaffUsername . "' AND Password = '" . $StaffPassword . "'";

$rst = mysql_query($qry, $dbc);
$row = mysql_fetch_array($rst); // false when no row matched

if ($row && $row["Username"] == $StaffUsername && $row["Password"] == $StaffPassword)
{
    // Store the StaffID of the authenticated user in the session
    $_SESSION["StaffID"] = $row["StaffID"];
    echo "Your login was successful";
    echo "<br /><br />";
    echo "<a href=\"list-contacts.php\">Continue</a>";
}
else
{
    echo "Sorry your details are not valid";
    echo "<br /><br />";
    echo "<a href=\"staff-login.htm\">Return</a>";
}

?>

View contacts (I only want it to show the contacts added by a specific user):

<?php

// connect to database
$dbc = mysql_connect("", "", "");
if (!$dbc)
    die ('Could not connect: ' . mysql_error());

// select database
$db_selected = mysql_select_db("tafe", $dbc);
if (!$db_selected)
    die ('Could not select database: ' . mysql_error());

// staff ID taken from the query string (note the parameter name is "StaffId")
$StaffID = isset($_GET['StaffId']) ? (int)$_GET['StaffId'] : 0;

// build the select statement
$qry = "SELECT * FROM contacts WHERE StaffID = $StaffID ORDER BY Name ASC";

// run the select statement against the database
$rst = mysql_query($qry, $dbc);

// print the result, or an error if the query failed
if ($rst)
{
    if (mysql_num_rows($rst) > 0) // check that there are records
    {
        echo "<table border=\"1\" cellspacing=\"0\">";

        /*** print out field names ***/
        echo "<tr>"; // start row
        for ($i = 0; $i < mysql_num_fields($rst); $i++) // for each field print out the field name
        {
            echo "<th>" . mysql_field_name($rst, $i) . "</th>";
        }
        echo "<th>&nbsp;</th>";
        echo "<th>&nbsp;</th>";
        echo "</tr>";

        /*** print out field values (HTML-escaped) ***/
        while ($row = mysql_fetch_array($rst)) // fetch each of the rows
        {
            echo "<tr>";
            echo "<td>" . htmlspecialchars($row['ContactID']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Name']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Address']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Phone']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Mobile']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Email']) . "</td>";
            echo "<td><a href='edit-contact.php?id=" . (int)$row['ContactID'] . "'>Edit</a></td>";
            echo "<td><a href='delete-contact.php?id=" . (int)$row['ContactID'] . "'>Delete</a></td>";
            echo "</tr>";
        }

        echo "</table>";
    }
    else
    {
        echo "<b><font color='black'>No records returned.</font></b>";
    }
}
else
{
    echo "<b><font color='red'>Error: " . mysql_error($dbc) . "</font></b>";
}

?>

3 answers:

Answer 0 (score: 0)

Depending on your MySQL version, you may need to quote your WHERE attributes. I'm not sure whether this is causing your problem, but it may be related. Also, are you sure the value of your StaffID field is being inserted into the database correctly?

Answer 1 (score: 0)

I checked the code, and you are using

echo "<a href=list-contacts.php>Continue</a>";

to send the user to view contacts, and on that page you do

$StaffID = (int)$_GET['StaffId'];

So you need to pass that value in the query string, like this:

echo "<a href=list-contacts.php?StaffId=" . $row["column_name_in_table"] . ">Continue</a>";

Answer 2 (score: 0)

You are not passing the staff ID to the contacts page, so pass the staff ID like this.

Make the following change in the logincheck page:

if ($row["Username"] == $StaffUsername && $row["Password"] == $StaffPassword)
{
    echo "Your login was successful";
    echo "<br /><br />";
    // the column in the question's staffaccess table is StaffID
    echo "<a href=list-contacts.php?StaffId=" . $row["StaffID"] . ">Continue</a>";
}

You can also use the session for the logged-in user.
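Both the question's list-contacts.php and the two answers above take the staff ID from the query string. Once that is the case, any logged-in user can request list-contacts.php?StaffId=&lt;someone else's ID&gt; and read another staff member's contacts, and the edit-contact.php?id= and delete-contact.php?id= links have the same problem with the contact ID. The last sentence of answer 2 is the real fix: bind the staff ID to the session that the login established, never read it from $_GET or a hidden form field, and let every query scope itself by that session value. The block below is an added example, not code from the question or from any of the answers. It assumes PDO with MySQL, a staffaccess table whose PasswordHash column holds password_hash() output (replacing the plaintext Password column in the question), and placeholder DSN and credentials; the function names, the h() helper and the auth-lib.php filename are this example's own.

```php
<?php
// auth-lib.php (added example, not from the original post): session-bound staff
// authentication and per-staff scoping of the contacts table.
// Assumes PDO/MySQL and a staffaccess.PasswordHash column created with password_hash().
declare(strict_types=1);

function db(): PDO
{
    // Placeholder DSN and credentials; the question left them blank.
    return new PDO(
        'mysql:host=localhost;dbname=tafe;charset=utf8mb4',
        'tafe_app',
        'change-me',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// staff-login.php: on success stores the authenticated StaffID in the session.
// The ID comes from the database row, never from the form or the query string.
function login_staff(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT StaffID, PasswordHash FROM staffaccess WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so a failed
    // login takes about the same time whether or not the username is real.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $hash = $row['PasswordHash'] ?? $dummyHash;

    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }
    session_regenerate_id(true);                       // fresh session ID after login
    $_SESSION = ['StaffID' => (int) $row['StaffID']];  // drop anything set earlier (e.g. from $_GET)
    return true;
}

// Called by every protected page; reads only the session, never $_GET or $_POST.
function current_staff_id(): int
{
    if (empty($_SESSION['StaffID'])) {
        header('Location: staff-login.htm');
        exit;
    }
    return (int) $_SESSION['StaffID'];
}

// list-contacts.php: returns only rows owned by the session's staff member.
function contacts_for_staff(PDO $db, int $staffId): array
{
    $stmt = $db->prepare(
        'SELECT ContactID, Name, Address, Phone, Mobile, Email
           FROM contacts WHERE StaffID = ? ORDER BY Name ASC'
    );
    $stmt->execute([$staffId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// delete-contact.php?id=N: the ownership check is part of the WHERE clause,
// so a guessed ContactID that belongs to someone else deletes nothing.
function delete_contact(PDO $db, int $staffId, int $contactId): bool
{
    $stmt = $db->prepare('DELETE FROM contacts WHERE ContactID = ? AND StaffID = ?');
    $stmt->execute([$contactId, $staffId]);
    return $stmt->rowCount() === 1;
}

// HTML-escape database values before echoing them into the table.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/* Usage in list-contacts.php:
 *   session_start();
 *   require 'auth-lib.php';
 *   foreach (contacts_for_staff(db(), current_staff_id()) as $row) {
 *       echo '<td>' . h($row['Name']) . '</td>';
 *   }
 * and in delete-contact.php:
 *   delete_contact(db(), current_staff_id(), (int) ($_GET['id'] ?? 0));
 */
```

With this layout the "Continue" link stays a plain list-contacts.php with no parameter, because the page already knows who is asking. Note also that the login check stores only the StaffID in the session: keeping the submitted password in $_SESSION, as the question's login check does, gains nothing and leaves a plaintext credential in the session store.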