我需要你的帮助人..我们制作'家庭博客创意'的网站..我有一个登录表格(login-form.php),其中插入'登录'和'密码',验证后通过login-execute.php,重定向到viewOrder.php,用户可以查看客户订购的所有订单..所有这些都很好,直到这里..但我想要的是,当用户登录时,他只查看该订单这是由他订购的并非所有客户的订单。数据库中有两个表:成员和order_insert ..在'members'表中,登录和密码存储在'order_insert'中,客户的订单被存储..这些的代码三页如下..
.........................
login-form.php
.........................
<form id="loginForm" name="loginForm" method="post" action="login-exec.php">
<table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
<tr>
<td width="112"><b>Login</b></td>
<td width="188"><input name="login" type="text" class="textfield" id="login" /></td>
</tr>
<tr>
<td><b>Password</b></td>
<td><input name="password" type="password" class="textfield" id="password" /></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="Submit" value="Login" /></td>
</tr>
</table>
</form>
......................... 登录-execute.php .........................
<?php
//Start session
session_start();
//Include database connection details
require_once('config.php');
//Array to store validation errors
$errmsg_arr = array();
//Validation error flag
$errflag = false;
//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
die('Failed to connect to server: ' . mysql_error());
}
//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
die("Unable to select database");
}
//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);
//Input Validations
if($login == '') {
$errmsg_arr[] = 'Login ID missing';
$errflag = true;
}
if($password == '') {
$errmsg_arr[] = 'Password missing';
$errflag = true;
}
//If there are input validations, redirect back to the login form
if($errflag) {
$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
session_write_close();
header("location: login-form.php");
exit();
}
//Create query
$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1) {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
$_SESSION['SESS_LAST_NAME'] = $member['lastname'];
session_write_close();
header("location: viewOrder.php");
exit();
}else {
//Login failed
header("location: login-failed.php");
exit();
}
}else {
die("Query failed");
}
?>
............................. viewOrder.php ..............................
<html>
<body bgcolor="#FFFFFF" >
<?
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="mydatabase"; // Database name
$tbl_name="order_insert"; // Table name
$tbl_name2="members";
// connect to server and databases
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$result = mysql_query("SELECT * FROM $tbl_name ");
print "<center>";
$output .= "<table width=1100 border=1 bordercolor=black>";
$output .= "<tr align=center><td>ID</td><td>First Name</td><td>Last Name</td><td>E Mail</td><td> City </td><td> Country </td><td> Phone</td><td>Decoration Type</td><td>Service Description</td><td>Budget</td><td>Update</td><td>Delete</td></tr>";
$output .= "<th></th><th></th>";
$output .= "</tr>\n\n";
while ($row = mysql_fetch_assoc($result)){
$output .= "<tr>\n";
foreach ($row as $col=>$val){
$output .= " <td>$val</td>\n";
} // end foreach
$keyVal = $row["id"];
$output .= "<td><a href='update.php?ID=$row[orderId]' >Update </a></td>";
$output .= "<td><a href='delete.php?ID=$row[orderId]' >Delete </a></td>";
$output .= "</tr>\n\n";
}// end while
$output .= "</table></center>";
print "$output";
?> <br>
<br>
<center><table > <tr><td>
<form action="home.php"><font color="#FF0000"><input type="submit" name="btn" style="color:#CC0000" value="<--Back" ></font></form></td></tr></table></center>
</body>
</html>
..... 您的帮助和建议将不胜感激
答案 0 :(得分:0)
您需要在order_insert表中使用外键(login)。这意味着,每个订单都知道它属于谁(因为订购用户的登录存储在这里)。
然后更新您的查询:
$qry="SELECT * FROM orders,members WHERE
orders.login = members.login AND
members.login='$login' AND
members.passwd='".md5($_POST['password'])."'";
答案 1 :(得分:0)
您已将member_id放入login-execute.php中的会话中,因此它应该可用于后续脚本。
您可以阅读会话数据并使用viewOrder.php中的值:
$memberid = (int) $_SESSION['SESS_MEMBER_ID'];
$result = mysql_query("SELECT * FROM $tbl_name WHERE member_id = $memberid");
// always check for error
if ($result === false) {
throw new Exception(mysql_error());
}
答案 2 :(得分:0)
在viewOrder.php上,
$result = mysql_query("SELECT * FROM $tbl_name WHERE user_id = '{$_SESSION['SESS_MEMBER_ID']}' ");
答案 3 :(得分:0)
SELECT * FROM order_insert,members WHERE order_insert.member_id = members.member_id AND members.member_id =(从login ='$ login'的成员中选择member_id);
在任何查询浏览器中尝试上述查询。用任何登录名替换$ login变量并检查它是否有效。另外,请尝试不使用select *,而是要特定于您希望查询返回的字段。
答案 4 :(得分:0)
添加session_start();在查看订单的页面顶部。
上一篇文章中有类似的内容。
session_start();
$memberid = (int) $_SESSION['SESS_MEMBER_ID'];
$result = mysql_query("SELECT * FROM $tbl_name WHERE member_id = $memberid");
// always check for error
if ($result === false) {
throw new Exception(mysql_error());
}
如果它不起作用,请尝试执行echo $ _SESSION ['SESS_MEMBER_ID']:并查看是否输出任何内容。