Restricting URL input using a PHP variable

I want to restrict users so that they can only see their own details. I pass a PHP variable through the URL bar so that it only displays their own information, but if they edit the ID number they can view other people's details?
The code I have at the moment is shown below:
<?php
// The snippet as posted begins mid-file: the opening tag is restored here, and
// session_start() must already have been called before $_SESSION is read.
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]);
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]);
include "../adminscripts/connect_to_mysql.php";
// Check that the session values identify an existing Student account
$sql = mysql_query("SELECT * FROM Users WHERE id='$managerID' AND username='$manager' AND password='$password' AND role='Student' LIMIT 1");
$existCount = mysql_num_rows($sql);
if ($existCount == 0) {
    header("location: http://www.zuluirminger.com/SchoolAdmin/index.php");
    exit();
}
?>
<?php
// Get a list of all items and display them alphabetically
include "../adminscripts/connect_to_mysql.php";
// Check to see whether the URL variable exists in the database
$dynamicList = "";
if (isset($_GET['id'])) {
    include "../adminscripts/connect_to_mysql.php";
    $id = preg_replace('#[^0-9]#i', '', $_GET['id']);
***********************************************************************************
***********************************************************************************
    // If the ID does not exist then display this message.
    $sql = mysql_query("SELECT * FROM StudentAttendance WHERE StudentID='$id' ORDER BY AttendanceDate DESC");
    $productCount = mysql_num_rows($sql);
    if ($productCount > 0) {
        // Build one table row per attendance record
        while ($row = mysql_fetch_array($sql)) {
            $AttendanceDate = $row["AttendanceDate"];
            $AttendanceStatus = $row["AttendanceStatus"];
            $Notes = $row["Notes"];
            $dynamicList .= '<tr style="font-size:15px;">
                <td>' . $AttendanceDate . '</td>
                <td>' . $AttendanceStatus . '</td>
                <td>' . $Notes . '</td>
            </tr>';
        }
    } else {
        $AttendanceDate = "nil";
        $AttendanceStatus = "nil";
        $Notes = "nil";
    }
} else {
    echo "Something is missing which means we can't display this page! Sorry for the inconvenience and please try again later!";
    exit();
}
mysql_close();
?>
I tried putting the following if statement where I have put the asterisks in the code above...
if ($id != $managerID) {
    $id = $managerID;
}
But this doesn't seem to work... Am I putting it in the right place? As far as I can tell I have used the correct variables?
Any help would be greatly appreciated!
Hmm, all those stars may be causing you some problems... – Neal 2012-04-19 18:26:43
I only put them there for the purpose of this question @Neal - they aren't actually in the code :) – 2012-04-19 18:27:17
Could you just encrypt/decrypt the ID? – kevingreen 2012-04-19 18:33:40
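As an added example (not the asker's code, nor an answer posted on this page), this is the shape of the check the question is reaching for: the StudentID a request may see comes from the session, the value in the URL is only accepted when it matches, a mismatch is logged and refused rather than silently served, and the query is a PDO prepared statement instead of the mysql_* calls. Table and column names follow the question; the PDO connection details and the redirect target are placeholders.

```php
<?php
// Added example, not code from the question. Assumes the session has been
// started and that a PDO connection to the question's database is available.
session_start();
$pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASSWORD'); // placeholders
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Decide which StudentID this request is allowed to read. The session is the
// source of truth; a tampered ?id= can only be refused, never honoured.
function resolveStudentId(array $session, array $get): ?int
{
    if (!isset($session['id']) || !preg_match('/^\d+$/', (string) $session['id'])) {
        return null;                    // not logged in, or session data unusable
    }
    $ownId = (int) $session['id'];
    if (!isset($get['id'])) {
        return $ownId;                  // no id in the URL: show the caller's own record
    }
    if (!preg_match('/^\d+$/', (string) $get['id']) || (int) $get['id'] !== $ownId) {
        return null;                    // non-numeric id, or someone else's record
    }
    return $ownId;
}

$studentId = resolveStudentId($_SESSION, $_GET);
if ($studentId === null) {
    // Worth logging: repeated mismatches from one session are a sign of probing.
    error_log('attendance: refused id=' . ($_GET['id'] ?? '(none)')
        . ' for session user=' . ($_SESSION['id'] ?? '(none)'));
    header('Location: index.php');      // placeholder redirect target
    exit();
}

// Bound integer parameter: no string interpolation into the SQL text.
$stmt = $pdo->prepare(
    'SELECT AttendanceDate, AttendanceStatus, Notes
       FROM StudentAttendance WHERE StudentID = :id ORDER BY AttendanceDate DESC'
);
$stmt->bindValue(':id', $studentId, PDO::PARAM_INT);
$stmt->execute();

$dynamicList = '';
foreach ($stmt as $row) {
    // Escape on output: Notes is free text and would otherwise be rendered as HTML.
    $dynamicList .= '<tr style="font-size:15px;">'
        . '<td>' . htmlspecialchars((string) $row['AttendanceDate']) . '</td>'
        . '<td>' . htmlspecialchars((string) $row['AttendanceStatus']) . '</td>'
        . '<td>' . htmlspecialchars((string) $row['Notes']) . '</td></tr>';
}
```

Because the allowed id is computed before the query runs, the order of the check and the SELECT (the placement problem in the question) cannot be got wrong.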