多表查询连接
由于我是 PHP 新手,我发现这个问题解决起来非常复杂。我有这个查询显示用户不应该执行的结果。
问题是销售代理能够看到他无权查看的用户的投诉。这涉及到客户的账户表。
$priv = "dire problem" ,
$naone = "not serious" ,
$priv2 = "mild prblem"
are sorting conditions.
$aid is the agent viewing this page.
Complaints is for complaints by the customers.
Accounts table holds all the customer information.
Agents table is for all the sales/customer reps.
代码:
$sql = "SELECT complaints.complaint_id, accounts.full_name,
agents.agent_name, complaints.person_id, complaints.why_complaint,
complaints.just_date, complaints.type, complaints.date_time_added FROM
complaints LEFT JOIN accounts ON complaints.person_id = accounts.person_id
LEFT JOIN agents on complaints.agent_whois = agents.agent_id WHERE
(complaint_type = '$priv' OR complaint_type = '$naone' OR complaint_type = '$priv2') and
(complaints.added_by <> '$aid')";
$result=mysql_query($sql);
$query = mysql_query($sql) or die ("Error: ".mysql_error());
if ($result == "")
{
echo "";
}
echo "";
$rows = mysql_num_rows($result);
if($rows == 0)
{
print("");
}
elseif($rows > 0)
{
while($row = mysql_fetch_array($query))
{
$complaintid = $row['complaint_id'];
$agentwho = $row['person_id'];
$agentname = $row['agent_name'];
$reason = $row['why_complaint'];
$datetimeadded = $row['just_date'];
$docname = $row['full_name'];
$type = $row['type'];
print("");
}
}
Since I am new to PHP, i am finding this immensely complicated to solve. I have this query that is showing results that a user is not supposed to do.
The problem is the sales agent is able to see complaints from users he is not authorized to see. This pertains to the accounts table, which is for the customers.
$priv = "dire problem" ,
$naone = "not serious" ,
$priv2 = "mild prblem"
are sorting conditions.
$aid is the agent viewing this page.
Complaints is for complaints by the customers.
Accounts table holds all the customer information.
Agents table is for all the sales/customer reps.
Code:
$sql = "SELECT complaints.complaint_id, accounts.full_name,
agents.agent_name, complaints.person_id, complaints.why_complaint,
complaints.just_date, complaints.type, complaints.date_time_added FROM
complaints LEFT JOIN accounts ON complaints.person_id = accounts.person_id
LEFT JOIN agents on complaints.agent_whois = agents.agent_id WHERE
(complaint_type = '$priv' OR complaint_type = '$naone' OR complaint_type = '$priv2') and
(complaints.added_by <> '$aid')";
$result=mysql_query($sql);
$query = mysql_query($sql) or die ("Error: ".mysql_error());
if ($result == "")
{
echo "";
}
echo "";
$rows = mysql_num_rows($result);
if($rows == 0)
{
print("");
}
elseif($rows > 0)
{
while($row = mysql_fetch_array($query))
{
$complaintid = $row['complaint_id'];
$agentwho = $row['person_id'];
$agentname = $row['agent_name'];
$reason = $row['why_complaint'];
$datetimeadded = $row['just_date'];
$docname = $row['full_name'];
$type = $row['type'];
print("");
}
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这并不是一个真正的答案,但无论如何我都会发布它,因为这是我能做的最好的事情。
好吧,首先,你的缩进到处都是。 请,为了任何需要阅读您的代码的人,请使用一致的缩进风格。使用哪种风格并不重要——只需选择一种并一致应用即可。它使您的代码更易于阅读。
也就是说,让我们看一下您的查询。这是它的原始形式,只是为了更好的可读性而重新缩进:
事实上,我们可以像这样更紧凑地重写
WHERE子句:但这只是说明
complain_type必须是三个值之一,并且投诉不得由代理'$aid'添加。你这么说但查询中绝对没有任何关于任何类型授权的内容!由于我什至无法从查询中猜测您的表可能包含哪种授权数据,或者您想用它做什么,所以我能给您的唯一建议是找出一些规则来告诉应该显示的记录从那些不应该的,将它们添加到查询中。
This is not really an answer, but I'm posting it anyway since it's the best I can do.
OK, first of all, your indentation is all over the place. Please, for the sake of anyone who needs to read your code, use a consistent indentation style. It doesn't really matter which style you use — just pick one and apply it consistently. It makes you code much easier to read.
That said, let's take a look at your query. Here it is in its original form, just reindented for better readability:
In fact, we can rewrite the
WHEREclause a bit more compactly like this:But all this says is that
complain_typemust be one of the three values, and that the complaint must not have been added by the agent'$aid'. You say thatbut there's absolutely nothing in the query about any kind of authorization at all! Since I can't even guess from the query what kind of authorization data your tables might contain, or what you want to do with it, the only advice I can give you is to figure out some rules to tell the records that should be shown from those that shouldn't be and add them to the query.