[英]How to validate user ID from $_SESSION and MySQL user ID
I have a problem with MySQL query and condition. 我对MySQL查询和条件有疑问。 The main problem is user with another ID can see / edit the same leads even though his id != owner.
主要问题是具有其他ID的用户即使其ID!=所有者也可以查看/编辑相同的销售线索。
I tried to change the vars and add '' or "", but none of these help. 我尝试更改var并添加“或”,但这些帮助均无效。
$myuser_query = mysqli_query($conn,"SELECT * FROM users WHERE id = '".$_SESSION["id"]."'");
$myuser = mysqli_fetch_assoc($myuser_query);
$myleads = "SELECT * FROM leads WHERE owner = '".$myuser["id"]."' AND status = 1 OR status = 2 ORDER BY RAND() LIMIT 1";
$newleads = $conn->query($myleads);
if ($newleads->num_rows >= 1) {
(Here it's all the client side that's showing the date.) (这是所有显示日期的客户端。)
You need to add parenthesis around the OR
conditions in your query. 您需要在查询中的
OR
条件周围添加括号。 Change this: 更改此:
$myleads = "SELECT * FROM leads
WHERE owner = '".$myuser["id"]."' AND status = 1 OR status = 2
ORDER BY RAND() LIMIT 1";
To: 至:
$myleads = "SELECT * FROM leads
WHERE owner = '".$myuser["id"]."' AND (status = 1 OR status = 2)
ORDER BY RAND() LIMIT 1";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.