
PHP program download permissions

Reposted. Author: 行者123. Updated: 2023-11-30 23:32:19

This is a page on which a boss can enable or disable file downloads for his employees. The boss should only be able to enable, for his employees, files that he (the boss) already has access to himself. The programs the employee already has access to must be shown in green. The problem is that all programs turn green, because the SQL is looking at the boss's ID instead of the employee's ID. Any suggestions?

<?php
require_once('databankverbinding.php');   // database connection (the session is assumed to be started there)

if(empty($_SESSION['myusername'])){
    header('location: /request/login.php');
    exit;   // stop rendering once the redirect has been sent
}
?>

<html>
<head><title>Programs</title>
<link href="css/search.css" rel="stylesheet" type="text/css"/>
</head>
<body>

<?php
if(!empty($_SESSION['myusername'])){
    echo $_SESSION['myusername'];
    echo $_SESSION['userID'];
}
$user = $_SESSION['userID'];   // the logged-in boss
echo $_GET['UserID'];          // the employee selected via the query string
echo $user;

// Files of the logged-in boss
$sqlq = "SELECT tblfile.FileID, tblfile.FileName, tblfile.FileDescription,tblfile.FileType,tblfile.FileSize,tblfile.FileDate,tblfile.FileActive, tbluser_file.User_FileID, tbluser_file.FileID, tbluser_file.UserID, tbluser_file.fldactief, tbluser.UserID, tbluser.Username, tbluser.Password, tbluser.BossID
FROM tbluser INNER JOIN (tblfile INNER JOIN tbluser_file ON tblfile.FileID = tbluser_file.FileID) ON tbluser.UserID = tbluser_file.UserID WHERE tbluser_file.UserID = '".$user."' AND tblfile.FileActive = 1 AND tbluser_file.fldactief = 1 " ; // Fetch all folders

$sql = 'SELECT UserID, username FROM tbluser';

// The UserID from the query string is concatenated into the SQL unescaped
$sql .= ' WHERE UserID = '.$_GET['UserID'];

$res = mysql_query($sql);
$row = mysql_fetch_array($res);

// Files of the selected employee
$sql3 = "SELECT tblfile.FileID, tblfile.FileName, tblfile.FileDescription,tblfile.FileType,tblfile.FileSize,tblfile.FileDate,tblfile.FileActive, tbluser_file.User_FileID, tbluser_file.FileID, tbluser_file.UserID, tbluser_file.fldactief, tbluser.UserID, tbluser.Username, tbluser.Password, tbluser.BossID
FROM tbluser INNER JOIN (tblfile INNER JOIN tbluser_file ON tblfile.FileID = tbluser_file.FileID) ON tbluser.UserID = tbluser_file.UserID WHERE tbluser_file.UserID = '".$_GET['UserID']."' AND tblfile.FileActive = 1 AND tbluser_file.fldactief = 1 " ; // Fetch all folders
$res3 = mysql_query($sql3);
$row3 = mysql_fetch_array($res3);   // only the first of the employee's file rows is read here

// Loop over the boss's files
$res = mysql_query($sqlq);

echo '
<form action="category.php">
<fieldset>
<legend>Category Edit/Delete:</legend>
<table>';
echo $row['UserID'];

while($row = mysql_fetch_array($res)){

    // every file of the boss is compared against that single employee row
    if(($row3['fldactief']) == 0){

        echo '
<tr>
<td>'. $row['FileName'] . '</td>
<td>&nbsp;&nbsp;<a href="controluser.php?action=enable&UserID='.$_GET['UserID'].'&FileID='.$row['FileID'].'"><img class="delete" src="images/enable.png" /></a></td>
<td>&nbsp;&nbsp;<a href="controluser.php?action=disable&UserID='.$_GET['UserID'].'&FileID='.$row['FileID'].'" ><img class="delete" src="images/disable.png" /></a></td>
</tr>';
    }
    else{
        echo '
<tr>
<td><h4 style="color:green;">'. $row['FileName'] . '</h4></td>
<td>&nbsp;&nbsp;<a href="controluser.php?action=enable&UserID='.$_GET['UserID'].'&FileID='.$row['FileID'].'"><img class="delete" src="images/enable.png" /></a></td>
<td>&nbsp;&nbsp;<a href="controluser.php?action=disable&UserID='.$_GET['UserID'].'&FileID='.$row['FileID'].'" ><img class="delete" src="images/disable.png" /></a></td>
</tr>';
    }
}

echo '

</table>
</fieldset>
</form>

';
?>
<a href="controluser.php">Go to Control Panel</a>
</body>
</html>

Best answer

It looks like the main problem you are going to run into is first tracking down where $_GET['UserID'] comes from. I can see where you pass it back to the page in the enable/disable section, but when you collect it for the query it is not clear where it comes from. Is this page being passed that variable from another page? Or is it the currently logged-in user? In that case, that would be the first step, i.e. tracing that variable, since it is what gets included in the SQL query.

As a side note, I would strongly recommend that you properly escape and sanitize your data, especially before feeding it into SQL queries.
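As an added example, not part of the question or of the answer above, here is one way to apply the answer's two points to this page's tables: the employee's UserID is validated and bound through PDO prepared statements instead of being concatenated into the query, the employee is checked to belong to the logged-in boss via tbluser.BossID, and the employee's own status is resolved per FileID with a LEFT JOIN rather than from one row fetched before the loop. The PDO DSN, credentials and the function name listGrantableFiles are assumptions.

```php
<?php
// Added example (not the asker's code). Assumes a PDO connection and the
// page's tables tbluser, tblfile and tbluser_file; DSN/credentials are placeholders.

/** Files the boss may grant, each with employee_has = 1/0; null if the
 *  selected employee does not report to this boss. */
function listGrantableFiles(PDO $pdo, int $bossId, int $employeeId): ?array
{
    // Authorization: the selected employee must belong to the logged-in boss.
    $chk = $pdo->prepare('SELECT 1 FROM tbluser WHERE UserID = :emp AND BossID = :boss');
    $chk->execute([':emp' => $employeeId, ':boss' => $bossId]);
    if ($chk->fetchColumn() === false) {
        return null;
    }

    // Boss's active files, LEFT JOINed against the employee's own rows so the
    // employee's status is resolved per FileID (the original read $row3 once).
    $sql = 'SELECT f.FileID, f.FileName, COALESCE(e.fldactief, 0) AS employee_has
            FROM tbluser_file b
            INNER JOIN tblfile f ON f.FileID = b.FileID
            LEFT JOIN tbluser_file e
                   ON e.FileID = f.FileID AND e.UserID = :emp AND e.fldactief = 1
            WHERE b.UserID = :boss AND b.fldactief = 1 AND f.FileActive = 1
            ORDER BY f.FileName';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':emp' => $employeeId, ':boss' => $bossId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// IDs come from the session and from a validated integer query parameter.
session_start();
$bossId = (int) ($_SESSION['userID'] ?? 0);
$employeeId = filter_input(INPUT_GET, 'UserID', FILTER_VALIDATE_INT);
if ($bossId === 0 || !$employeeId) {   // rejects a missing, non-numeric or zero UserID
    http_response_code(400);
    exit('Missing or invalid UserID');
}
$pdo = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',   // placeholders
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$files = listGrantableFiles($pdo, $bossId, $employeeId);
if ($files === null) {
    http_response_code(403);
    exit('That user does not report to you');
}
foreach ($files as $f) {
    $style = $f['employee_has'] ? ' style="color:green;"' : '';
    echo '<tr><td' . $style . '>' . htmlspecialchars($f['FileName']) . '</td></tr>';
}
```

Each named placeholder appears once per statement, which keeps the queries valid with native MySQL prepares as well as with emulated ones.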

On the topic of PHP program download permissions, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/9928750/
