Question

我希望我的搜索栏能够根据用户级别进行限制。我拥有的用户级别如下：system_administrator，forum_admin和subforum_admin。如果用户是system_administrator，他/她可以搜索所有内容。如果用户是forum_admin，他/她可以搜索与他/她具有相同用户级别的人。对于subforum_admin也是如此。我的问题是每次都是我使用forum_admin搜索，我仍然可以搜索所有内容。我尝试打印排名函数结果并返回一个值。我也在php管理员中尝试了我的查询，它运行正常。如果我搜索与我使用的帐户具有相同等级的用户并且当我尝试搜索与帐户I＆＃不同级别的用户时返回空结果集，则返回结果＃＆＃ 39; m using.Please help.Thank you

搜索条形式：

   <div class="search">
                <form method="POST" action="index.php?page=search&amp;go">

                        <input type="text" name="search" id="search-text" placeholder="Search" />
                    <input type="image"  class="search-button" src="ext/images/searchicon.png" name="submit" value="Submit"/>
                </form>             
            </div>

search.php（这是显示结果的地方）

   <div id="working_area">
   <?php


   if(isset($_POST['submit'])){ 



    if(isset($_GET['go'])){ 

      if(preg_match("/^[  a-zA-Z]+/", $_POST['search']) === 0){ 

        echo '<div class="msg error">Invalid search query</div>';

      }else{
        $rank=rank();


        $search = search($_POST['search'],$rank);
    }   
 }



 }

 ?>     




 <?php
  foreach ($search as $s){
  ?>

 <?php
 if($s['type'] === msg ){ 
 ?>

    <div id="message" <?php>

        <div class="message">
        <h2>

        <a href="index.php?page=edit_conversation&amp;nc_id=<?php echo $s['id'];?>"><?php echo $s['name'];?></a> 
        </h2>

        </div>


    </div>
    <?php
    }else if($s['type'] === user ){
   ?>



   <div id="message">


<div class="message">
 <h2>   <?php

    if($s['profile']=="n/a"){
        echo '<img src="ext/images/profile.png" width="30" height="30" style="border-radius:5px;"/>';
    }else{
        echo '<img src="ext/images/user_images/'.$s['id'].'.'.$s['profile'].'" width="30" height="30" style="border-radius:5px;"/>';
    }
    ?> 




        <a href="index.php?page=view_profile&amp;id= <?php echo $s['id']; ?> " > <?php echo $s['firstname']." ".$s['lastname']; ?></a> 
        </h2>

        </div>


    </div>
<?php } else { 
    echo '<div class="msg error">Did not match any document</div>'; }?>
<?php
 }
?>

   </div>

这是我的搜索功能：

    function search($search,$rank){


       $search  = mysql_real_escape_string(htmlentities($search));

       $sql = "(SELECT nc_id AS id,nc_title AS name,null AS firstname,null AS lastname,null AS profile,'msg' AS type  FROM new_creation WHERE nc_title LIKE '%" . 
       $search . "%') 
       UNION
       (SELECT id AS id,username AS name,firstname AS firstname,lastname AS lastname,profileext AS profile,'user' AS type FROM users WHERE rank='$rank' AND username LIKE '%" . 
       $search . "%' OR firstname LIKE '%".$search."%' OR lastname LIKE '%".$search."%' ) ";


  //-run  the query against the mysql query function 
  $result=mysql_query($sql) or die(mysql_error());  


$search = array();  

  //-create  while loop and loop through result set 
  while (($row = mysql_fetch_assoc($result)) !== false){
    $search[] = array(



        'id'            => $row['id'],
        'name'          => $row['name'],
        'type'          => $row['type'],
        'profile'       => $row['profile'],
        'firstname'     => $row['firstname'],
        'lastname'      => $row['lastname'],


  );
  }

 return $search;
 }

这是我的排名功能：

      function rank(){


$result = mysql_query("SELECT rank FROM users WHERE id={$_SESSION['id']}");

if(mysql_num_rows($result) !== 1){
    return false;
}

return mysql_result($result,0);

}

提前感谢您的帮助......

P.S。我知道我已经使用了已弃用的功能，但请耐心等待我，我只是一个php的新手。

Answer 1

我会专注于这里的查询，你有这个：

$sql = "(SELECT nc_id AS id,nc_title AS name,null AS firstname,null AS lastname,null AS profile,'msg' AS type  FROM new_creation WHERE nc_title LIKE '%" . 
   $search . "%') 
   UNION
   (SELECT id AS id,username AS name,firstname AS firstname,lastname AS lastname,profileext AS profile,'user' AS type FROM users WHERE rank='$rank' AND username LIKE '%" . 
   $search . "%' OR firstname LIKE '%".$search."%' OR lastname LIKE '%".$search."%' ) ";

搜索用户的查询是：

SELECT id AS id,username AS name,firstname AS firstname,lastname AS lastname,profileext AS profile,'user' AS type FROM users WHERE rank='$rank' AND username LIKE '%" . 
   $search . "%' OR firstname LIKE '%".$search."%' OR lastname LIKE '%".$search."%'

现在，如果您使用forum_admin搜索“wayne”，并且在DB中有一个名为Bruce Wayne的system_admin，则查询将为：

SELECT id AS id,username AS name,firstname AS firstname,lastname AS lastname,profileext AS profile,'user' AS type 
FROM users 
WHERE rank='forum_admin' AND username LIKE '%wayne%' OR firstname LIKE '%wayne%' OR lastname LIKE '%wayne%'

因此，对于“OR”，在firstname或lastname中具有“wayne”的任何用户都将匹配查询，即使排名没有。

您需要将该查询更改为：

SELECT id AS id,username AS name,firstname AS firstname,lastname AS lastname,profileext AS profile,'user' AS type 
FROM users 
WHERE rank='forum_admin' AND (username LIKE '%wayne%' OR firstname LIKE '%wayne%' OR lastname LIKE '%wayne%')

注意括号，他们将强制匹配第一个过滤器和其他一个过滤器

根据用户级别

1 个答案: