1
因此,我制作了一个用户组功能,允许我阻止页面以降低用户级别。这是我抓住信息功能:
function grab_info($id, $requested_info){
$id = $_SESSION['user_id'];
$requested_info = $requested_info;
$con = new mysqli('localhost', 'root', '', 'login');
if ($con->connect_errno >0){
die("Handle your connection error here");
}
$sql = "SELECT * FROM `users` WHERE `id` = $id";
if (!$result = $con->query($sql)) {
die("There as a query error for some reason handle your query error");
}
while($row = $result-fetch_assoc()){
$info = $row[$requested_info];
return $info;
}
}
就在这里:
$sql = "SELECT * FROM `users` WHERE `id` = $id";
if (!$result = $con->query($sql)) {
die("There as a query error for some reason handle your query error");
}
就是事情错了。这是我抓住了信息的方法:
$id = $_SESSION['user_id'];
$rank = grab_info($id, 'rank');//Gets rank from our id
$meets = can_access($rank, 4, true);//We're saying our user has a rank of 1 to access this page you need a rank of 3 and only 3 hence strict
if ($meets == false){//user cant access page
header("Location: index.php");
die();
}
基本上,它只是不断给我“作为有某种原因处理您的查询错误,查询错误”,我被卡住。新来php很抱歉,如果它是混乱。
检查'$ id'不是null东西!您将一个原始变量放入查询中而不进行过滤,这意味着SQL INJECTION!在你的例子中,因为入口来自会话,所以确定但仍然考虑INJECTION – 2014-11-21 17:25:00