无法从表中选择所有结果,具体取决于PHP和MySQL中的另一个表(关系数据库)
[英]Cannot select all results from a table depending on another table (relational DB) in PHP and MySQL
问题描述
I am trying to finish this website I am currently creating, but I am kind of stuck. 
我正在尝试完成我当前正在创建的该网站,但是我有些困惑。
I want to create a table called "orders" in my DB. 我想在数据库中创建一个名为“ orders”的表。 I want this table to be related to my users table so that when the user goes to his "orders.php" page (once logged in already) he sees all his current and previous orders. 我希望该表与我的用户表相关,以便当用户转到他的“ orders.php”页面(已登录后)时,他可以看到其当前和以前的所有订单。
These would be my table fields/cols: 这些是我的表字段/列:
id username ordernumber description quantity total ID用户名订单号描述数量合计
This is my approach: 这是我的方法:
Whenever a new order is created, insert all the table fields/cols depending on the user's choice (selected stuff for the order), but the username would be the only value gathered from a $_SESSION or $_COOKIE variable, which holds the username. 每当创建新订单时,都将根据用户的选择(为订单选择的内容)插入所有表字段/列,但用户名将是从$ _SESSION或$ _COOKIE变量(包含用户名)中收集的唯一值。 Then, once the user goes to orders.php, I will execute a query to show all the orders that only that username has ordered. 然后,一旦用户转到了orders.php,我将执行一个查询以显示仅该用户名已订购的所有订单。 Please note that I do sanitize all my input/output and I do not store sensitive data in my cookies. 请注意,我确实清除了所有输入/输出,并且没有在Cookie中存储敏感数据。 My system is designed so it only uses the session as the method of authentication, therefore you need to login every time you close the browser but that is fine. 我的系统设计为仅使用会话作为身份验证方法,因此,每次关闭浏览器时都需要登录,但这很好。
1) Is this a safe approach? 1)这是安全的方法吗? Do you have any suggestions/comments? 您有什么建议/意见吗?
2) Could you help me construct the query? 2)您能帮我构造查询吗?
I haven't really worked with relational databases, so I am kind of lost. 我还没有真正使用关系数据库,所以我有点迷失了。 How can I call all the orders from table "orders" where username = "username from the session"? 如何调用表“ orders”中的所有订单,其中“ username =”来自会话的用户名”?
So far I have this: 到目前为止,我有这个:
"SELECT * FROM orders WHERE username = ? " //(Using PDO)
I know that this will work but my concern is in case of getting a session hijacked or something like that, then a user would be able to retrieve any users' orders, or not? 我知道这可以工作,但是我担心的是如果会话被劫持或类似的情况,那么用户是否可以检索任何用户的订单?
Thank you for explaining this a little bit further and helping me out! 感谢您进一步解释并帮助我!
Cheers! 干杯!
1 个解决方案
解决方案1
0 已采纳
Be careful! 小心! Please don't create a plain text cookie containing a human-readable user id (like user2345995 or OllieJones ). 请不要创建包含人类可读用户ID(例如user2345995或OllieJones )的纯文本cookie。 It's far too easy for a badguy to fake a cookie like that just by guessing, and then your users' information leaks out. 一个坏家伙仅仅通过猜测就很难伪造这样的cookie,然后用户的信息就会泄漏出去。
You're working in php. 您正在使用php。 Therefore you can use php's session mechanism to store your userid and other values. 因此,您可以使用php的会话机制来存储您的用户ID和其他值。 php uses hard-to-guess session ids (SIDs) and stores them in either a cookie or as a sid=1234abcd9875 parameter in URLs. php使用难以猜测的会话ID(SID),并将其存储在Cookie中或URL中的sid=1234abcd9875参数中。
For the sake of your system's integrity, please read up on this. 为了系统的完整性,请仔细阅读。 It's actually a pretty well-designed feature and it's been in the wild for fifteen years or so: it's debugged. 它实际上是一个相当精心设计的功能,并且已经流行了十五年左右:它已经过调试。
http://php.net/manual/en/session.idpassing.php http://php.net/manual/en/session.idpassing.php
If you're using the session system, you basically do this in your first page, your login page. 如果您使用的是会话系统,则基本上是在第一页(登录页面)中执行此操作。
session_start();
...
$_SESSION['username'] = $username; /* which you get by logging in */
...
On your order lookup page you do something similar to retrieve the username and use it in a query. 在您的订单查找页面上,您可以执行类似的操作来检索用户名并在查询中使用它。
session_start();
...
$orderstmt = $pdoconn->prepare("SELECT * FROM orders WHERE username = :username");
$orderstmt->execute( array(':username' => $_SESSION['username']) );
...
while ($row = $orderstmt->fetch()) {
/* use the row's data */
}
$orderstmt->closeCursor();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.