PHP: how to filter messages for the logged-in user

I am building a post/noticeboard system. Users log in to view the posts that concern them. I intend to filter the messages shown according to school, programme, level and a few other attributes. Say an admin sends post A to all level-100 students and post B to level-100 computer science students. If I log in as a level-100 student, whatever my programme, I see post A. If I log in as a level-100 computer science student, I see post B.

I have a post table (tblpost) where the posts are stored, and likewise a user table (tblusers) where all the users are stored. So I tried using an IF-ELSE statement to filter the posts, but only the IF branch works.

Here are my tables: tblusers, tblpost.

Here is my code: adminviewpost.php
```php
<?php require_once('Connections/localhost.php'); ?>
<?php
// initialize the session
if (!isset($_SESSION)) {
    session_start();
}

// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF'] . "?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")) {
    $logoutAction .= "&" . htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_GET['doLogout'])) && ($_GET['doLogout'] == "true")) {
    // to fully log out a visitor we need to clear the session variables
    $_SESSION['MM_Username'] = NULL;
    $_SESSION['MM_UserGroup'] = NULL;
    $_SESSION['PrevUrl'] = NULL;
    unset($_SESSION['MM_Username']);
    unset($_SESSION['MM_UserGroup']);
    unset($_SESSION['PrevUrl']);
    $logoutGoTo = "index.php";
    if ($logoutGoTo) {
        header("Location: $logoutGoTo");
        exit;
    }
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        if (PHP_VERSION < 6) {
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        }
        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}

// Load the logged-in user's record and its targeting attributes.
$colname_login = "-1";
if (isset($_SESSION['MM_Username'])) {
    $colname_login = $_SESSION['MM_Username'];
}
mysql_select_db($database_localhost, $localhost);
$query_login = sprintf("SELECT * FROM tblusers WHERE user_id = %s", GetSQLValueString($colname_login, "text"));
$login = mysql_query($query_login, $localhost) or die(mysql_error());
$row_login = mysql_fetch_assoc($login);
$totalRows_login = mysql_num_rows($login);
$db_school      = $row_login['school'];
$db_prog        = $row_login['prog'];
$db_level       = $row_login['level'];
$db_stream      = $row_login['stream'];
$db_society     = $row_login['society'];
$db_nationality = $row_login['nationality'];
$db_position    = $row_login['positionid'];

// Only the first row of tblposts is fetched here; the if/elseif below
// tests that single row's columns to decide which filter query to run.
mysql_select_db($database_localhost, $localhost);
$query_mainposts = "SELECT * FROM tblposts";
$mainposts = mysql_query($query_mainposts, $localhost) or die(mysql_error());
$row_mainposts = mysql_fetch_assoc($mainposts);
$totalRows_mainposts = mysql_num_rows($mainposts);
$db_post_school      = $row_mainposts['school'];
$db_post_prog        = $row_mainposts['prog'];
$db_post_level       = $row_mainposts['level'];
$db_post_stream      = $row_mainposts['stream'];
$db_post_society     = $row_mainposts['society'];
$db_post_nationality = $row_mainposts['nationality'];
$db_post_position    = $row_mainposts['position'];

mysql_select_db($database_localhost, $localhost);
if ($db_post_school !== NULL && $db_post_prog == NULL && $db_post_level == NULL && $db_post_stream == NULL && $db_post_society == NULL && $db_post_nationality == NULL && $db_post_position == NULL) {
    // post targets a school only
    $query_posts = "SELECT * FROM tblposts WHERE school = '$db_school'";
    $posts = mysql_query($query_posts, $localhost) or die(mysql_error());
    $row_posts = mysql_fetch_assoc($posts);
    $totalRows_posts = mysql_num_rows($posts);
}
elseif ($db_post_school !== NULL && $db_post_prog == NULL && $db_post_level !== NULL && $db_post_stream == NULL && $db_post_society == NULL && $db_post_nationality == NULL && $db_post_position == NULL) {
    // post targets a school and a level
    $query_posts = "SELECT * FROM tblposts WHERE school = '$db_school' && level = '$db_level'";
    $posts = mysql_query($query_posts, $localhost) or die(mysql_error());
    $row_posts = mysql_fetch_assoc($posts);
    $totalRows_posts = mysql_num_rows($posts);
}
?>
```
Why not just use a multi-part WHERE clause? You can also do SQL injection with this code: `where program='this' and level>number`. If you switch to PDO and prepared statements instead of sanitising input by hand, the code can be much simpler (and easier to understand). Also, `mysql_real_escape_string` cannot be considered a safe string-escaping method, because it does not reliably use the underlying database connection's encoding. To avoid too many side comments on unrelated parts of the code, please try to provide a minimal example. Consider showing the table schema using `SHOW CREATE TABLE` queries: