PHP/SQL restricting view permissions
I want to make sure the "StaffID" is stored when the "view contacts" page is loaded from a link, rather than being loaded directly from the login form.
<?php
// connect to database (credentials left blank as in the original)
$dbc = mysql_connect("", "", "");
if (!$dbc)
    die('Could not connect: ' . mysql_error());
// select database
$db_selected = mysql_select_db("tafe", $dbc);
if (!$db_selected)
    die('Could not select database: ' . mysql_error());
// StaffId is read from the query string of the link that opened this page
$StaffID = (int)$_GET['StaffId'];
// build SQL select statement
$qry = "SELECT * FROM contacts WHERE StaffID= $StaffID ORDER BY name ASC";
// run select statement against database
$rst = mysql_query($qry, $dbc);
// print whether successful or not
if ($rst)
{
    if (mysql_num_rows($rst) > 0) // check that there are records
    {
        echo "<table border=\"1\" cellspacing=\"0\">";
        /*** print out field names ***/
        echo "<tr>"; // start row
        for ($i = 0; $i < mysql_num_fields($rst); $i++) // for each field print out field name
        {
            echo "<th>" . mysql_field_name($rst, $i) . "</th>";
        }
        echo "<th> </th>";
        echo "<th> </th>";
        echo "</tr>";
        /*** print out field values ***/
        while ($row = mysql_fetch_array($rst)) // fetch each of the rows
        {
            echo "<tr>";
            echo "<td>" . $row['ContactID'] . "</td>";
            echo "<td>" . $row['Name'] . "</td>";
            echo "<td>" . $row['Address'] . "</td>";
            echo "<td>" . $row['Phone'] . "</td>";
            echo "<td>" . $row['Mobile'] . "</td>";
            echo "<td>" . $row['Email'] . "</td>";
            echo "<td><a href='edit-contact.php?id=" . $row['ContactID'] . "'>Edit</a></td>";
            echo "<td><a href='delete-contact.php?id=" . $row['ContactID'] . "'>Delete</a></td>"; // stray "<tr>" removed here
            echo "</tr>";
        }
        echo "</table>";
    }
    else
    {
        echo "<b><font color='black'>No records returned.</font></b>";
    }
}
else
{
    echo "<b><font color='red'>Error: " . mysql_error($dbc) . "</font></b>";
}
?>
Login form:
<?php session_start(); // Start PHP session
$StaffID = isset($_SESSION["StaffID"]) ? $_SESSION["StaffID"] : "";
$StaffUsername = ""; // used below but not defined in the original
?>
<form name="staffaccess" method="post" action="staff-login.php">
<input type="hidden" name="StaffID" id="StaffID" value="<?php echo htmlspecialchars($StaffID); ?>" />
<table border="1" cellpadding="3" cellspacing="1">
<tr>
<td colspan="3"><strong>Staff Login </strong></td>
</tr>
<tr>
<td>Username:</td>
<td><input name="StaffUsername" size="30" type="text" id="StaffUsername" value="<?php echo htmlspecialchars($StaffUsername); ?>"/></td>
</tr>
<tr>
<td>Password:</td>
<td><input name="StaffPassword" size="30" type="password" id="StaffPassword"/></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="Submit" value="Login"/></td>
</tr>
</table>
</form>
Staff login
Depending on your MySQL version you may need to quote your WHERE attributes; I'm not sure this is causing your problem, but it may be related. Also, are you sure your StaffID field value is being inserted into the database correctly? I checked the code and you are using
echo "<a href=list-contacts.php>Continue</a>";
So you need to pass that value in the query string, as
echo "<a href=list-contacts.php?StaffId=".$row["column_name_in_table"].">Continue</a>";
You are not passing the staff id to the contacts page, so pass the staff id like this:
Make the following change in the login check page:
if ($row["Username"] == $StaffUsername && $row["Password"] == $StaffPassword)
{
    echo "Your login was successful";
    echo "<br><br>"; // was "</br>", which is not a valid tag
    echo "<a href=list-contacts.php?StaffId=" . $row["StaffId"] . ">Continue</a>";
}
You can also use sessions for the logged-in user.
Thanks, I added this in but it still doesn't work. There may be something wrong with the way the table is set up. Thanks anyway for your help.
Check your column names in the staff table.
That seems to have solved the problem, but now there is a new one: the query only shows contacts whose StaffID is 0, and all users can access those contacts. Any ideas what's going wrong here?
Check the $_GET['StaffId'] value in the contacts page before fetching the records from the database: if (!isset($_GET['StaffId']) || empty($_GET['StaffId'])) die('show error'); $StaffID = (int)$_GET['StaffID'];
Oh my, I just found I had written it one way in some places and another way in others! Always the smallest things! Thanks for your help.
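The answers above fix the immediate problem by passing StaffId in the link, but a value carried in the URL is chosen by whoever edits the URL, so any logged-in user can read (and, through edit-contact.php and delete-contact.php, modify) another staff member's contacts. The session suggestion in the comments is the right design: the staff id is taken from the server-side session set at login, and the query binds it as a parameter. The following is an added example written for this thread, not code from the question or the answers. It assumes a `staff` table with columns StaffID, Username and PasswordHash (a password_hash() value in place of the thread's plain-text Password column), the thread's `contacts` table with a StaffID column, and placeholder connection values.

```php
<?php
// Added example, not the original poster's code.
// Assumed schema: staff(StaffID, Username, PasswordHash), contacts(ContactID, StaffID, Name, Address, Phone, Mobile, Email).
declare(strict_types=1);

function db(): mysqli
{
    // Throw on any MySQL error instead of returning false silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    // Placeholder connection values; replace with real ones.
    return new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'tafe');
}

// staff-login.php: verify the credentials and store StaffID in the session.
function loginStaff(mysqli $dbc, string $username, string $password): bool
{
    $stmt = $dbc->prepare('SELECT StaffID, PasswordHash FROM staff WHERE Username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['PasswordHash'])) {
        return false;                       // unknown user or wrong password
    }
    session_regenerate_id(true);            // fresh session id after authentication
    $_SESSION['StaffID'] = (int) $row['StaffID'];
    return true;
}

// list-contacts.php: StaffID comes from the session, never from the URL,
// so editing the link cannot select another staff member's contacts.
function contactsForCurrentStaff(mysqli $dbc): array
{
    if (!isset($_SESSION['StaffID'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    $staffId = (int) $_SESSION['StaffID'];
    $stmt = $dbc->prepare(
        'SELECT ContactID, Name, Address, Phone, Mobile, Email
           FROM contacts WHERE StaffID = ? ORDER BY Name ASC'
    );
    $stmt->bind_param('i', $staffId);       // bound parameter, not string interpolation
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Escape every value before placing it in HTML; the original echoes raw column values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderContacts(array $rows): string
{
    if ($rows === []) {
        return '<b>No records returned.</b>';
    }
    $html = '<table border="1" cellspacing="0"><tr>';
    foreach (array_keys($rows[0]) as $col) {
        $html .= '<th>' . h($col) . '</th>';
    }
    $html .= '<th></th><th></th></tr>';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $value) {
            $html .= '<td>' . h((string) $value) . '</td>';
        }
        $id = (int) $row['ContactID'];
        $html .= "<td><a href=\"edit-contact.php?id=$id\">Edit</a></td>"
               . "<td><a href=\"delete-contact.php?id=$id\">Delete</a></td></tr>";
    }
    return $html . '</table>';
}

// Usage in staff-login.php (after session_start()):
//   if (loginStaff(db(), $_POST['StaffUsername'] ?? '', $_POST['StaffPassword'] ?? '')) {
//       header('Location: list-contacts.php'); exit;
//   }
// Usage in list-contacts.php (after session_start()):
//   echo renderContacts(contactsForCurrentStaff(db()));
```

edit-contact.php and delete-contact.php still receive a ContactID in the URL, so each of them has to apply the same rule: look the contact up with `WHERE ContactID = ? AND StaffID = ?` using the session's StaffID, and refuse the request when no row matches. Without that check the Edit and Delete links have the same problem the list page had.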