我试图限制用户只能看到他/她自己的细节。我通过URL栏传递一个PHP变量,因此它只显示自己的信息,但是如果他们编辑了ID号码,他们可以查看其他人的详细信息?
我现在的代码显示在这里:
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]);
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]);
include "../adminscripts/connect_to_mysql.php";
$sql = mysql_query("SELECT * FROM Users WHERE id='$managerID' AND username='$manager' AND password='$password' AND role='Student' LIMIT 1");
$existCount = mysql_num_rows($sql);
if ($existCount == 0) {
header("location: http://www.zuluirminger.com/SchoolAdmin/index.php");
exit();
}
?>
// Get a list of all items and display them in alphabetically
include "../adminscripts/connect_to_mysql.php";
//Check to see the URL variable exists in the database
$dynamicList = "";
if (isset($_GET['id'])) {
include "../adminscripts/connect_to_mysql.php";
$id = preg_replace('#[^0-9]#i', '', $_GET['id']);
***********************************************************************************
***********************************************************************************
// If the ID does not exist the display this message.
$sql = mysql_query("SELECT * FROM StudentAttendance WHERE StudentID='$id' ORDER BY AttendanceDate DESC");
$productCount = mysql_num_rows($sql);
if ($productCount > 0) {
while ($row = mysql_fetch_array($sql)) {
$AttendanceDate = $row["AttendanceDate"];
$AttendanceStatus = $row["AttendanceStatus"];
$Notes = $row["Notes"];
$dynamicList .= '
' . $AttendanceDate . '' . $AttendanceStatus . '' . $Notes . '';}
} else {
$AttendanceDate = "nil";
$AttendanceStatus = "nil";
$Notes = "nil";
}
} else {
echo "Something is missing which means we can't display this page! Sorry for the inconvenience and please try again later!";
exit();
}
mysql_close();
?>我试着在以上代码中放置星号的地方放置以下if语句...
if ($id != $managerID) {
$id = $managerID;
}但是,这似乎没有工作......我把它放在正确的地方?据我可以告诉我已经使用了正确的变量?
任何帮助将不胜感激!