在sql查询中使用SESSION变量时尝试获取非对象的属性
So I'm currently coding a system where when they log in, they get a specialized panel for their ranking.
By default they are called User, and the Admins get, well, Admin.
When I am trying to get the verification that they are an Admin.
error_reporting(E_ALL); // i've been trying to find the bugs with this
require_once('db.php'); //using the good ol $conn = new mysqli
session_start();
if(!isset($_SESSION['username']) || empty($_SESSION['username'])){
header("location: login.php");
exit;
//to detect if they are logged in or not
}
//here is a failed attempt where I tried to "escape" the $_SESSION variable
// which still doesn't work
$username = $conn->real_escape_string($_SESSION['username']);
// I've tried this query with the $_SESSION variable escaped, with it's alias
// etc.
$query1 = "SELECT * FROM `users` WHERE `rank` = Admin AND
`username`='".$username."'";
// preparing to execute
$result = $conn->query($query1);
// this is where I detect if there is a row, set it to use Admin things
// which I will code later, for now just var holders.
if ($result->num_rows > 0) {
$rank = 'Admin';
} else {
$rank = 'User';
}
I've looked everywhere about property of non-object, but I only find old 2008 posts, which I've tried to implement, but end up not working.
Using XAMPP (apache) with PHP 7
所以我正在编写一个系统,在这个系统中,当他们登录时,他们会得到一个专门的面板来进行排名。 / p>
默认情况下,他们被称为用户,管理员得到,以及管理员。 p>
当我尝试获取他们是管理员的验证时 p>
的error_reporting(E_ALL); //我一直试图用这个
require_once('db.php')找到错误; //使用好的$ $ conn = new mysqli
session_start();
if(!isset($ _ SESSION ['username'])|| empty($ _ SESSION ['username'])){
header(“location” :login.php“);
退出;
//以检测它们是否已登录
}
//这里是一次失败的尝试,我试图”逃避“$ _SESSION变量\ n //仍然不起作用
$ username = $ conn-> real_escape_string($ _ SESSION ['username']);
//我尝试使用$ _SESSION变量进行此查询转义,使用它的别名
//等等
$ query1 =“SELECT * FROM`user` WHERE`level` = Admin AND
`username` ='”。$ username。“'”;
//准备执行
$ result = $ conn-> query($ query1);
//这是我检测是否有行的位置,将其设置为使用Admin的事物
//我稍后将编码, 现在只是var holder。
if($ result-> num_rows> 0){
$ rank ='Admin';
} else {
$ rank ='User';
}
code > pre>
我到处都看过非对象的属性,但我只找到了我曾试图实现的2008年旧帖,但最终没有 使用XAMPP(apache)和PHP 7 p>
div>
You need to correct your SQL
"SELECT * FROM `users` WHERE `rank` = Admin AND `username`='".$username."'"
to
"SELECT * FROM `users` WHERE `rank` = 'Admin' AND `username`='".$username."'"
Note: single quote between Admin
I would suggest, to use below SQL instead, and store the rank value to SESSION directly.
"SELECT rank FROM `users` WHERE `username`='".$username."'"
Since you are using mysqli consider using prepared statements. By concatenating the variable values into the query string you are prone to SQL injection!.
more on prepared statements here: php.net/prepared-statements.
You were also missing some ' ' in your query, although when using prepared statements you don't need to add any apostrophes on input variables, while the apostrophes around constant strings must be included (they are missing in your example rank='Admin').
Here is the corrected code:
Note: I moved the session_start() to the top of the document to ensure it works properly, since it will not work if any output occurs before calling the function.
session_start();
error_reporting(E_ALL);
require_once('db.php'); //using the good ol $conn = new mysqli
if(empty($_SESSION['username']))
{
header("location: login.php");
exit();
}
$query1 = $conn->prepare("SELECT * FROM users WHERE rank='Admin' AND username=?");
$query1->bind_param("s", $_SESSION['username']);
$query1->execute();
$query1->store_result();
$result = $query1->num_rows;
if ($result > 0)
{
$rank = 'Admin';
}
else
{
$rank = 'User';
}