php - 从表中删除
问题描述
我试图做到这一点,以便登录用户只能删除他自己的帖子,但 ID 为 1/ admin 的用户可以删除所有帖子。我在这里做错了什么?
<?php
session_start();
?>
<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Untitled Document</title>
</head>
<body>
<?php
$postitid = filter_input(INPUT_POST, 'pid', FILTER_VALIDATE_INT)
or die ('Missing or illegal id parameter');
$userid = $_SESSION['users_id'];
require_once('dbcon.php');
$mysqlstring = 'DELETE FROM postit WHERE id=? AND users_id=? OR
users_id=1';
$stmt = $link->prepare($mysqlstring);
$stmt ->bind_param('iii', $postitid, $userid, $userid);
$stmt -> execute();
if ($postitid == $userid ) {
echo 'Deleted '.$stmt->affected_rows.' Post-it notes';
} else {
echo 'You dont have permission to delete this.';
}
?>
</body>
</html>
解决方案
问题就在这里
$mysqlstring = 'DELETE FROM postit WHERE id=? AND users_id=? OR users_id=1';
此查询删除属于管理员(users_id=1)或登录用户的帖子。您不希望这样,您想检查用户是否是管理员并让他删除带有 id 的给定帖子,如果是用户,那么他应该只在他是帖子所有者的情况下删除帖子。为此:
您需要检查 user_id = 1 如果是,则进行不同的查询
if (intval($userid) === 1) {
// admin
$mysqlstring = 'DELETE FROM postit WHERE id=?';
$stmt = $link->prepare($mysqlstring);
$stmt ->bind_param('i', $postitid);
} else {
$mysqlstring = 'DELETE FROM postit WHERE id=? AND users_id=?';
$stmt = $link->prepare($mysqlstring);
$stmt ->bind_param('ii', $postitid, $userid);
}
$stmt->execute();
推荐阅读
- tfs - 如何从 Microsoft.TeamFoundation.WorkItemTracking.Client.Workitem 的实例开始检索工作项的附加文件的名称
- tinymce - Orbeon 2018.1 TinyMCE 损坏/不同
- java - HTTP 状态 404 - 在 Eclipse 中安装 maven 后未找到
- javascript - React: inline if 条件然后显示这个 div
- sql - how to replace data in one table iF certain columns are equal
- python - 如何使用 Scrapy 递归地从网站上抓取每个链接?
- android - Inflate layout in ViewPager
- node.js - Node.js: Adding SVG to a specific page of PDF by pdfmake
- javascript - I can't render an array of icons in reactjs using skycons
- javafx - javafx TableView: Why does the sortOrder listener does not fire when I sort descending?