
PHP / SQL restricting viewing rights


I want to ensure "StaffID" is stored when the "View Contacts" page is loaded from a link, rather than straight from the Login Form

LOGIN FORM:

<?php
session_start(); // Start PHP session

// These must be defined before they are echoed below, otherwise PHP emits undefined-variable notices
$StaffID       = isset($_SESSION["StaffID"]) ? $_SESSION["StaffID"] : "";
$StaffUsername = isset($_SESSION["StaffUsername"]) ? $_SESSION["StaffUsername"] : "";
?>

<form name="staffaccess" method="post" action="staff-login.php">
<table border="1" cellpadding="3" cellspacing="1">
<tr>
<td colspan="3"><strong>Staff Login </strong></td>
</tr>

<input type="hidden" name="StaffID" id="StaffID" value="<?php echo htmlspecialchars($StaffID); ?>" />

<tr>
<td>Username:</td>
<td><input name="StaffUsername" size="30" type="text" id="StaffUsername" value="<?php echo htmlspecialchars($StaffUsername); ?>"/></td>
</tr>

<tr>
<td>Password:</td>
<!-- type="password" so the value is masked, and it is never echoed back into the page -->
<td><input name="StaffPassword" size="30" type="password" id="StaffPassword" /></td>
</tr>

<tr>
<td></td>
<td><input type="submit" name="Submit" value="Login"/></td>
</tr>
</table>
</form>

LOGIN CHECK:

<?php session_start(); // Start PHP session ?>
<body>

<?php

// username and password sent from form (the raw password is not kept in the session)
$StaffUsername = isset($_POST["StaffUsername"]) ? $_POST["StaffUsername"] : "";
$StaffPassword = isset($_POST["StaffPassword"]) ? $_POST["StaffPassword"] : "";
$_SESSION["StaffUsername"] = $StaffUsername;
// Taken from the query string here, so any visitor can choose it; it is replaced
// by the value from the database row once the login below succeeds
$_SESSION["StaffID"] = isset($_GET["StaffID"]) ? $_GET["StaffID"] : "";

//connect to database//
$dbc = mysql_connect("", "", "");
if (!$dbc)
    die ('Could not connect: ' . mysql_error());

//select database//
$db_selected = mysql_select_db("tafe", $dbc);
if (!$db_selected)
    die ('Could not select database: ' . mysql_error());

// To protect against MySQL injection: undo magic quotes, then escape for this connection
$StaffUsername = stripslashes($StaffUsername);
$StaffPassword = stripslashes($StaffPassword);
$StaffUsername = mysql_real_escape_string($StaffUsername, $dbc);
$StaffPassword = mysql_real_escape_string($StaffPassword, $dbc);

$qry = "SELECT * FROM staffaccess WHERE Username = '" . $StaffUsername . "' AND Password = '" . $StaffPassword . "'";

$rst = mysql_query($qry, $dbc);
$row = $rst ? mysql_fetch_array($rst) : false; // false when the query failed or matched nothing

if ($row && $row["Username"] == $StaffUsername && $row["Password"] == $StaffPassword)
{
    $_SESSION["StaffID"] = $row["StaffID"];
    echo "Your login was successful";
    echo "<br /><br />";
    echo "<a href=\"list-contacts.php\">Continue</a>";
}
else
{
    echo "Sorry your details are not valid";
    echo "<br /><br />";
    echo "<a href=\"staff-login.htm\">Return</a>";
}

?>

VIEW CONTACTS (I only want this to allow viewing of the contacts that the particular user has added)

<?php

//connect to database
$dbc = mysql_connect("", "", "");
if (!$dbc)
    die ('Could not connect: ' . mysql_error());

//select database
$db_selected = mysql_select_db("tafe", $dbc);
if (!$db_selected)
    die ('Could not select database: ' . mysql_error());

// read from the query string; the form field and the login check both spell it "StaffID"
$StaffID = isset($_GET['StaffID']) ? (int)$_GET['StaffID'] : 0;

// build sql select statement (the cast to int above is what makes $StaffID safe to interpolate)
$qry = "SELECT * FROM contacts WHERE StaffID = $StaffID ORDER BY Name ASC";

//run select statement against database
$rst = mysql_query($qry, $dbc);

// print whether successful or not
if ($rst)
{
    if (mysql_num_rows($rst) > 0) // check that there are records
    {
        echo "<table border=\"1\" cellspacing=\"0\">";

        /***print out field names***/
        echo "<tr>"; // start row
        for ($i = 0; $i < mysql_num_fields($rst); $i++) // for each field print out field name
        {
            echo "<th>" . mysql_field_name($rst, $i) . "</th>";
        }
        echo "<th>&nbsp;</th>";
        echo "<th>&nbsp;</th>";
        echo "</tr>";

        /***print out field values***/
        while ($row = mysql_fetch_array($rst)) // fetch each of the rows
        {
            $id = (int)$row['ContactID'];
            echo "<tr>";
            // escape database values before writing them into the HTML
            echo "<td>" . $id . "</td>";
            echo "<td>" . htmlspecialchars($row['Name']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Address']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Phone']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Mobile']) . "</td>";
            echo "<td>" . htmlspecialchars($row['Email']) . "</td>";
            echo "<td><a href='edit-contact.php?id=" . $id . "'>Edit</a></td>";
            echo "<td><a href='delete-contact.php?id=" . $id . "'>Delete</a></td>";
            echo "</tr>";
        }

        echo "</table>";
    }
    else
    {
        echo "<b><font color='black'>No records returned.</font></b>";
    }
}
else
{
    echo "<b><font color='red'>Error: " . mysql_error($dbc) . "</font></b>";
}

?>

Source: https://stackoverflow.com/questions/21424715
Updated: 2023-01-15 21:01
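The three pages in the question share one flaw: list-contacts.php takes StaffID from the query string, so whoever is logged in, a link such as list-contacts.php?StaffID=2 lists another staff member's contacts, and the per-row edit-contact.php?id=N and delete-contact.php?id=N links have the same problem. The following is an added example, not the original poster's code, that collapses the login, login-check and list-contacts flow into one file so it can be run offline with `php restrict-view.php` (a hypothetical file name). It assumes an in-memory SQLite database (pdo_sqlite) with constructed rows in place of the MySQL "tafe" database, and a hypothetical PasswordHash column in staffaccess in place of the plaintext Password column used in the post; the function names (login, requireStaffId, listContacts, deleteContact, renderRows, check) are the example's own. The point it shows is that the StaffID used in every WHERE clause comes only from the server-side session, which is set only from the database row matched at login.

```php
<?php
// Added example, not the original poster's code. The login, login-check and
// list-contacts pages from the question are collapsed into one file so the flow
// can be run offline with `php restrict-view.php` (hypothetical file name).
// Assumptions: an in-memory SQLite database (pdo_sqlite) with constructed rows
// stands in for the MySQL "tafe" database, and staffaccess has a hypothetical
// PasswordHash column in place of the plaintext Password column used in the post.
declare(strict_types=1);

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE staffaccess (StaffID INTEGER PRIMARY KEY, Username TEXT UNIQUE, PasswordHash TEXT)');
    $pdo->exec('CREATE TABLE contacts (ContactID INTEGER PRIMARY KEY, StaffID INTEGER, Name TEXT, Email TEXT)');
    // constructed sample data: two staff members, three contacts
    $s = $pdo->prepare('INSERT INTO staffaccess (Username, PasswordHash) VALUES (?, ?)');
    $s->execute(['alice', password_hash('alice-pass', PASSWORD_DEFAULT)]);
    $s->execute(['bob',   password_hash('bob-pass',   PASSWORD_DEFAULT)]);
    $c = $pdo->prepare('INSERT INTO contacts (StaffID, Name, Email) VALUES (?, ?, ?)');
    $c->execute([1, 'Carol', 'carol@example.com']);
    $c->execute([1, 'Dave',  'dave@example.com']);
    $c->execute([2, 'Erin',  'erin@example.com']);
    return $pdo;
}

// staff-login.php: look the row up by username only, verify the hash in PHP, and
// put nothing but the StaffID taken from that database row into the session.
function login(PDO $pdo, string $username, string $password): bool {
    $st = $pdo->prepare('SELECT StaffID, PasswordHash FROM staffaccess WHERE Username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['PasswordHash'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh session id once the user is authenticated
    $_SESSION['StaffID'] = (int)$row['StaffID'];
    return true;
}

// Every protected page calls this first. The id comes from the server-side session,
// never from $_GET, so list-contacts.php?StaffID=2 cannot select someone else's rows.
function requireStaffId(): int {
    if (empty($_SESSION['StaffID'])) {
        header('Location: staff-login.htm');
        exit;
    }
    return (int)$_SESSION['StaffID'];
}

// list-contacts.php: the WHERE clause is bound to the session's StaffID.
function listContacts(PDO $pdo, int $staffId): array {
    $st = $pdo->prepare('SELECT ContactID, Name, Email FROM contacts WHERE StaffID = ? ORDER BY Name ASC');
    $st->execute([$staffId]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// delete-contact.php?id=N: the per-row Edit/Delete links carry a ContactID chosen by
// the client, so the same ownership condition goes into that query too.
function deleteContact(PDO $pdo, int $staffId, int $contactId): bool {
    $st = $pdo->prepare('DELETE FROM contacts WHERE ContactID = ? AND StaffID = ?');
    $st->execute([$contactId, $staffId]);
    return $st->rowCount() === 1;
}

// Database values are escaped on the way into the HTML table.
function renderRows(array $rows): string {
    $html = '';
    foreach ($rows as $row) {
        $id = (int)$row['ContactID'];
        $html .= '<tr><td>' . $id . '</td><td>' . htmlspecialchars($row['Name'], ENT_QUOTES, 'UTF-8')
               . '</td><td>' . htmlspecialchars($row['Email'], ENT_QUOTES, 'UTF-8')
               . "</td><td><a href='delete-contact.php?id=$id'>Delete</a></td></tr>\n";
    }
    return $html;
}

function check(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException('unexpected result: ' . $what); }
}

// Walk through the flow with the constructed data.
if (session_status() === PHP_SESSION_NONE) { session_start(); }
$pdo = connect();

check(login($pdo, 'alice', 'wrong') === false, 'wrong password rejected');
check(login($pdo, "' OR '1'='1", 'x') === false, 'injection in the username just fails to match a row');
check(login($pdo, 'alice', 'alice-pass') === true, 'alice logs in');

$staffId = requireStaffId();                   // 1, from the session
$_GET['StaffID'] = '2';                        // a tampered link: never consulted by any query
echo renderRows(listContacts($pdo, $staffId)); // Carol and Dave; Erin (StaffID 2) is not listed

check(deleteContact($pdo, $staffId, 3) === false, 'cannot delete another user\'s contact');
check(deleteContact($pdo, $staffId, 1) === true, 'can delete own contact');
check(count(listContacts($pdo, $staffId)) === 1, 'one contact left');
echo "ok\n";
```

In the real three-file layout the same rule reads: staff-login.php writes `$_SESSION['StaffID']` only from the matched row, and list-contacts.php, edit-contact.php and delete-contact.php each begin with `session_start()` followed by the `requireStaffId()` check and bind that value into their queries. Prepared statements replace `mysql_real_escape_string` so no client value is ever interpolated into SQL, and `password_hash`/`password_verify` remove the need to store or compare plaintext passwords at all.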

Accepted answer


Check out the Magento Hide Price Extension

It will allow you to hide the add to cart button and price from non-logged-in users. The following options are provided with this extension:

1. Hide Price & Add to Cart button - If the admin has set the option to hide prices only for guests or visitors, then the product price is hidden on the store's front end and a predefined message is displayed (e.g. "You need to be logged in to see the price!"). Only logged-in customers can see the prices in this particular case.

2. Call For Price - If the admin has set up the "Call for price" option, then all guests, visitors or even customers will not be able to see the product price or add to cart button; instead they will see the store's phone number to inquire about the price. Alternatively, the Hide Price Magento extension also creates a link on the store's front end; when a customer clicks on this link a form appears which sends an email to the admin about the price request. The admin can set up the email addresses which get notified when a price request is made by a customer. The admin has the ability to enable or disable the customer notification for his/her request.

3. Inquiry Form - If the admin has set up the "Inquire" option, then all guests, visitors or even customers will keep seeing the product prices, but the add to cart button will be disabled/removed/hidden for everyone. For safety reasons some products may not be sold online, so they can be shown with their prices, but instead of showing add to cart you can display an inquiry form link, which will show a popup with the contact details of the store owner or with a form to be filled in by the customer to inquire about the product, which sends an email to the admin. The admin can set up the email addresses which get notified when an inquiry request is made by a customer. The admin has the ability to enable or disable the customer notification for his/her request.
