PHP: how to filter messages for the logged-in user


I am developing a post/noticeboard system. Users log in to see the posts that are relevant to them. I intend to filter the messages a user sees by school, program, level and a few other attributes. Say an administrator sends a post A to 100 level students and a post B to 100 level Computer Science students. If I log in as a 100 level student, whatever my program, I will see post A. If I log in as a 100 level Computer Science student, I will see post B.

I have a posts table (tblpost) in which the posts are stored, and likewise a users table (tblusers) in which all the users are stored. So I tried to filter the posts with IF-ELSE statements, but only the IF statement works.

Here are my tables:

tblusers

tblpost

Here is my code: adminviewpost.php

<?php require_once('Connections/localhost.php'); ?>
<?php
//initialize the session
if (!isset($_SESSION)) {
  session_start();
}

// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
  $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
  //to fully log out a visitor we need to clear the session variables
  $_SESSION['MM_Username'] = NULL;
  $_SESSION['MM_UserGroup'] = NULL;
  $_SESSION['PrevUrl'] = NULL;
  unset($_SESSION['MM_Username']);
  unset($_SESSION['MM_UserGroup']);
  unset($_SESSION['PrevUrl']);

  $logoutGoTo = "index.php";
  if ($logoutGoTo) {
    header("Location: $logoutGoTo");
    exit;
  }
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$colname_login = "-1";
if (isset($_SESSION['MM_Username'])) {
  $colname_login = $_SESSION['MM_Username'];
}
mysql_select_db($database_localhost, $localhost);
$query_login = sprintf("SELECT * FROM tblusers WHERE user_id = %s", GetSQLValueString($colname_login, "text"));
$login = mysql_query($query_login, $localhost) or die(mysql_error());
$row_login = mysql_fetch_assoc($login);
$totalRows_login = mysql_num_rows($login);

$db_school = $row_login['school'];
$db_prog = $row_login['prog'];
$db_level = $row_login['level'];
$db_stream = $row_login['stream'];
$db_society = $row_login['society'];
$db_nationality = $row_login['nationality'];
$db_position = $row_login['positionid'];

mysql_select_db($database_localhost, $localhost);
$query_mainposts = "SELECT * FROM tblposts";
$mainposts = mysql_query($query_mainposts, $localhost) or die(mysql_error());
$row_mainposts = mysql_fetch_assoc($mainposts);
$totalRows_mainposts = mysql_num_rows($mainposts);

$db_post_school = $row_mainposts['school'];
$db_post_prog = $row_mainposts['prog'];
$db_post_level = $row_mainposts['level'];
$db_post_stream = $row_mainposts['stream'];
$db_post_society = $row_mainposts['society'];
$db_post_nationality = $row_mainposts['nationality'];
$db_post_position = $row_mainposts['position'];

mysql_select_db($database_localhost, $localhost);
// The branch is chosen from the audience fields of the single post row fetched above
if ($db_post_school!==NULL && $db_post_prog==NULL && $db_post_level==NULL && $db_post_stream==NULL && $db_post_society==NULL && $db_post_nationality==NULL && $db_post_position==NULL) {
    // post addressed to a whole school
    $query_posts = "SELECT * FROM tblposts WHERE school = '$db_school'";
    $posts = mysql_query($query_posts, $localhost) or die(mysql_error());
    $row_posts = mysql_fetch_assoc($posts);
    $totalRows_posts = mysql_num_rows($posts);
}
elseif ($db_post_school!==NULL && $db_post_prog==NULL && $db_post_level !==NULL && $db_post_stream==NULL && $db_post_society==NULL && $db_post_nationality==NULL && $db_post_position==NULL) {
    // post addressed to a school and a level
    $query_posts = "SELECT * FROM tblposts WHERE school = '$db_school' AND level = '$db_level'";
    $posts = mysql_query($query_posts, $localhost) or die(mysql_error());
    $row_posts = mysql_fetch_assoc($posts);
    $totalRows_posts = mysql_num_rows($posts);
}

?>


Why not just use a multi-part where clause? You could also use this code for SQL injection, where program='this' and level>number. If you switched to PDO and prepared statements instead of manually sanitizing input, the code could be a lot simpler (and easier to understand). Also, mysql_real_escape_string cannot be considered a safe method of string escaping, because it cannot reliably use the underlying database connection's encoding. To avoid lots of comments about unrelated parts of the code, please try to provide a minimal example. Consider showing the table schema with SHOW CREATE TABLE queries: