这是我有史以来第一个关于stackover流的问题,希望我能很好地解释。我是php / js / html的新手,我遇到了一个问题。我使用会话变量查询数据库,它返回与登录用户关联的所有结果。 下面是我用来获取结果的php代码。
<?php
session_start();
include('conn.php');
if(!isset($_SESSION['40219357_user'])){
header('Location:index.php');
}
$username = $_SESSION['40219357_user'];
$userid = $_SESSION['40219357_id'];
$read = "SELECT * FROM medi_users WHERE dr_id = '$userid'";
$result = $conn ->query($read);
?>
此查询的结果显示在我网站上的表格中。网站的登录用户单击某个人的记录时,它应显示与该特定人有关的所有信息。
问了我最初的问题后,我通过将用户ID作为隐藏值传递给按钮找到了一种简单的解决方案。下面的代码。
<?php
while($row = $result ->fetch_assoc()){
$rowid = $row['id'];
$firstname = $row['firstname'];
$surname = $row ['surname'];
$dob = $row['dob'];
$address = $row['address'];
$town = $row['town'];
$postcode = $row['postcode'];
echo"
<tbody>
<tr>
<td>$firstname</td>
<td>$surname </td>
<td>$dob</td>
<td>$address</td>
<td>$town</td>
<td>$postcode</td>
<td><a class = 'btn btn-danger'
href `='patientsmedication.php?editid=$rowid'>View</a></td>`
</tr>
";
}
?>
</tbody>
</table>
</div>
</div>
我完全理解,这不是一种非常安全的方法,我很乐意学习有关如何正确执行此操作的建议。
答案 0 :(得分:0)
<?php
session_start();
//I think you are already using PDO/Mysqli prepared statements
//in this file since you call $conn->query below
include('conn.php');
if(!isset($_SESSION['40219357_user'])){
header('Location:index.php');
}
//
$username = $_SESSION['40219357_user'];
$userid = $_SESSION['40219357_id'];
//so to make this secure use place markers and bind your params
$read = "SELECT * FROM medi_users WHERE dr_id = '$userid'";
//becomes:
$read = "SELECT * FROM medi_users WHERE dr_id = :userId";
$q = $conn->prepare($read);
$q->bindParam(":userId",$userId,PDO::PARAM_INT);
$q->execute();
//now you can fetch your result set and store it in a variable
$results = $q->fetchAll();
?>
然后您可以使用foreach遍历结果
echo "<table>
<tr>
<th>Heading 1</th><th.....
</tr>";
foreach($results as $row) {
$rowid = $row['id'];
//I'm not sure if this is the right id,
//you would need to confirm, I would think you want to have a user id, but obviously don't know the structure
//of your database - if this is the user (patient?)
//id then it's fine
$firstname = $row['firstname'];
$surname = $row ['surname'];
$dob = $row['dob'];
$address = $row['address'];
$town = $row['town'];
$postcode = $row['postcode'];
echo "<tr>
<td>$firstname</td>
<td>$surname </td>
<td>$dob</td>
<td>$address</td>
<td>$town</td>
<td>$postcode</td>
<td><a class='btn btn-danger'
href='patientsmedication.php?patientId=$rowid'>View</a></td>//or whatever the relevant id is
</tr>";
}
echo "</table">;
我敢肯定在URL中传递id会有不同的感觉-就我个人而言,我不是一个大粉丝,但是我们在只读情况下工作,如果您有足够的其他检查,那么id就会出现它本身对任何人都不是很有用。
现在,在PatientMedication.php中,您可以使用$_GET['patientId']
<?php
session_start();
include('conn.php');
if(!can_view_patient_details()) {
header('Location:error_page.php');
exit();
} else {
$patientId = isset($_GET['patientId'])??0;
//if you aren't using php7 you won't have the null coalescing operator so use a ternary style like $var = cond ? A : B
//now do your query
$q = "SELECT * FROM yourtable WHERE patientId = :patientId";
$q = $conn->prepare($q);
$q->bindParam(":patientId",$patientId,PDO::PARAM_INT);
$q->execute();
//now you can fetch your result set and store it in a variable
$results = $q->fetchAll();
}
function can_view_patient_details() {
//this should return true or false
//you would need to design your own permissions checks,
//given the nature of your project I would think you would
//do a database call to confirm the user has the right access
//to the patient, but you may just check that the correct
//sessions are set, you'd have to decide what is most appropriate
}
?>
然后,根据您的结果,您可以创建自己认为合适的页面-如果要使用此页面更新详细信息,我建议您使用一种表格,因为您可以使用$_POST方法,该方法不会显示网址中的信息-那么我建议它通过控制器对权限,数据类型等进行所有正确的检查。
如果您还没有进入MVC模式(很可能只是刚开始的话),那么至少将您的表单定向到单独的脚本,然后返回一些反馈-可以通过在页面上的一个标志返回此页面。网址或通过设置会话消息并将其回显。
需要注意的几件事是,我假设您使用的是PDO而不是Mysqli准备的语句,它们都很好,但是语法略有不同,我的答案也只在您不再需要的PDO中使用PDO 可以在您的位置标记(:userId == userId)上使用半冒号,但是我个人更喜欢在编写sql时具有可读性。同样,您的会话名称看起来像是在名称中包含用户ID(虽然这可能是内部代码,但这虽然有些含义),但是如果使用该ID,则以这种方式设置它的伸缩性不是很好-仅是简单拥有一个名为“用户”的会话,并为其提供id的值-否则,如果不查找用户就如何知道会话的名称,这会破坏对象。
希望这会为您指明正确的方向,我建议您阅读PDO和MVC模式