PHP/SQL restricting view permissions - Fatal编程技术网


I want to make sure the "StaffID" is stored when the "View contacts" page is loaded from the link, rather than directly from the login form.

<?php
// connect to database
$dbc = mysql_connect("", "", "");
if (!$dbc)
    die('Could not connect: ' . mysql_error());

// select database
$db_selected = mysql_select_db("tafe", $dbc);
if (!$db_selected)
    die('Could not select database: ' . mysql_error());

// staff id taken from the query string and cast to int
$StaffID = (int)$_GET['StaffId'];

// build sql select statement
$qry = "SELECT * FROM contacts WHERE StaffID = $StaffID ORDER BY name ASC";

// run select statement against database
$rst = mysql_query($qry, $dbc);

// print whether successful or not
if ($rst)
{
    if (mysql_num_rows($rst) > 0) // check that there are records
    {
        echo "<table border=\"1\" cellspacing=\"0\">";

        /*** print out field names ***/
        echo "<tr>"; // start row
        for ($i = 0; $i < mysql_num_fields($rst); $i++) // for each field print out field name
        {
            echo "<th>" . mysql_field_name($rst, $i) . "</th>";
        }
        echo "<th>&nbsp;</th>";
        echo "<th>&nbsp;</th>";
        echo "</tr>";

        /*** print out field values (escaped, so stored data cannot inject HTML) ***/
        while ($row = mysql_fetch_array($rst)) // fetch each of the rows
        {
            echo "<tr>";
            echo "<td>" . htmlspecialchars($row['ContactID']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Name']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Address']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Phone']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Mobile']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Email']) . "</td>";
            echo "<td><a href='edit-contact.php?id=" . (int)$row['ContactID'] . "'>Edit</a></td>";
            echo "<td><a href='delete-contact.php?id=" . (int)$row['ContactID'] . "'>Delete</a></td>";
            echo "</tr>";
        }

        echo "</table>";
    }
    else
    {
        echo "<b><font color='black'>No records returned.</font></b>";
    }
}
else
{
    echo "<b><font color='red'>Error: " . mysql_error($dbc) . "</font></b>";
}
?>
Login form:

<?php
session_start(); // Start PHP session

$StaffID = isset($_SESSION["StaffID"]) ? $_SESSION["StaffID"] : "";
// previously submitted username (empty on first load); the password is never re-filled
$StaffUsername = isset($_POST["StaffUsername"]) ? $_POST["StaffUsername"] : "";
?>

<form name="staffaccess" method="post" action="staff-login.php">
<input type="hidden" name="StaffID" id="StaffID" value="<?php echo htmlspecialchars($StaffID); ?>" />
<table border="1" cellpadding="3" cellspacing="1">
<tr>
<td colspan="3"><strong>Staff Login </strong></td>
</tr>

<tr>
<td>Username:</td>
<td><input name="StaffUsername" size="30" type="text" id="StaffUsername" value="<?php echo htmlspecialchars($StaffUsername); ?>" /></td>
</tr>

<tr>
<td>Password:</td>
<td><input name="StaffPassword" size="30" type="password" id="StaffPassword" value="" /></td>
</tr>

<tr>
<td></td>
<td><input type="submit" name="Submit" value="Login" /></td>
</tr>
</table>
</form>

Staff login

Depending on your MySQL version, you may need to quote your WHERE attribute. I'm not sure whether this is causing your problem, but it may be related. Also, are you sure your StaffID field value has been inserted into the database correctly?

I checked the code, and you are using

echo "<a href=list-contacts.php>Continue</a>"; 
So you need to pass that value in the query string, like this:

echo "<a href=list-contacts.php?StaffId=".$row["column_name_in_table"].">Continue</a>"; 

You are not passing the staff id to the contacts page, so pass the staff id like this:

Make the following change in the login check page:

if ($row["Username"] == $StaffUsername && $row["Password"] == $StaffPassword)
{
    echo "Your login was successful";
    echo "<br><br>";
    echo "<a href='list-contacts.php?StaffId=" . $row["StaffId"] . "'>Continue</a>";
}

You can also use a session for the logged-in user.
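The session-based approach this answer mentions, written out as an added example; it is not code from the question or from any answer on this page. It assumes PDO with the MySQL driver, a hypothetical `staff` table with `StaffID`, `Username` and `PasswordHash` columns (hashes produced by password_hash()), and the page's own `contacts` table and `edit-contact.php` / `delete-contact.php` links. The connection credentials are placeholders. The point it demonstrates is that the StaffID used to filter contacts comes from the server-side session set at login, never from a `?StaffId=` query-string value that any user could change, and that the query is a prepared statement rather than string concatenation.

```php
<?php
// Added example (not from the original question or answers).
// Assumptions: PDO/MySQL; hypothetical `staff` table (StaffID, Username, PasswordHash);
// the page's `contacts` table (ContactID, Name, Address, Phone, Mobile, Email, StaffID).
declare(strict_types=1);
session_start();

function db(): PDO {
    // placeholder credentials; replace with your own
    return new PDO('mysql:host=localhost;dbname=tafe;charset=utf8mb4', 'dbuser', 'dbpassword', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// staff-login.php: verify the credentials and store only the StaffID in the session.
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT StaffID, PasswordHash FROM staff WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['PasswordHash'])) {
        return false;                       // unknown user or wrong password
    }
    session_regenerate_id(true);            // fresh session id once authenticated
    $_SESSION['StaffID'] = (int)$row['StaffID'];
    return true;
}

// list-contacts.php: the StaffID never comes from the URL. No session => not logged in.
function currentStaffId(): int {
    if (!isset($_SESSION['StaffID'])) {
        header('Location: staff-login.php');
        exit;
    }
    return (int)$_SESSION['StaffID'];
}

// Prepared statement: the id is bound as a parameter, not interpolated into the SQL.
function contactsFor(PDO $pdo, int $staffId): array {
    $stmt = $pdo->prepare(
        'SELECT ContactID, Name, Address, Phone, Mobile, Email
           FROM contacts WHERE StaffID = ? ORDER BY Name ASC'
    );
    $stmt->execute([$staffId]);
    return $stmt->fetchAll();
}

// Escape everything that goes into the HTML, so stored data cannot inject markup.
function h(?string $s): string {
    return htmlspecialchars((string)$s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo     = db();
$staffId = currentStaffId();
$rows    = contactsFor($pdo, $staffId);

if ($rows === []) {
    echo '<b>No records returned.</b>';
} else {
    echo '<table border="1" cellspacing="0"><tr>';
    foreach (array_keys($rows[0]) as $col) {         // header row from the column names
        echo '<th>' . h($col) . '</th>';
    }
    echo '<th>&nbsp;</th><th>&nbsp;</th></tr>';
    foreach ($rows as $row) {
        echo '<tr>';
        foreach ($row as $value) {
            echo '<td>' . h((string)$value) . '</td>';
        }
        $id = (int)$row['ContactID'];
        echo "<td><a href='edit-contact.php?id=$id'>Edit</a></td>";
        echo "<td><a href='delete-contact.php?id=$id'>Delete</a></td>";
        echo '</tr>';
    }
    echo '</table>';
}
```

With this layout the "Continue" link after login is just `list-contacts.php`, with no StaffId in the query string. The same ownership check belongs in `edit-contact.php` and `delete-contact.php`: their UPDATE/DELETE should include `AND StaffID = ?` bound to the session value, otherwise the `id` in those links can still be edited by hand to reach another staff member's contact.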

Thanks, I added that in but it still doesn't work. There may be a problem with the way the tables are set up. Thanks anyway for your help.

Check your column names in the staff table.

That seems to have fixed it, but now there's a new problem: the query only shows the contacts whose StaffID is (0), and all users can access those contacts. Any ideas what is going wrong here?

Check the $_GET['StaffId'] value before fetching the records from the database in the contacts page: if (!isset($_GET['StaffId']) || empty($_GET['StaffId'])) die('show error'); $StaffID = (int)$_GET['StaffID'];

Oh my gosh, I just found that I had written it one way in some places and a different way in others! It's always the smallest things! Thanks for your help.