0

I am working on a post/noticeboard system. users log in to view posts related to them. i intend to filter messages to be viewed based on school, programme, level, and few others. So for instance, An admin sends a post-A to level 100 students and another post-B to level 100 computer science students. if i log in as a level 100 student, irrespective of my programme, i see post-A. if i log in as level 100 computer science student i see post-B.

I have a post table (tblpost) where posts are stored into and likewise a user table (tblusers) where all users are stored. So i am trying to use IF ELSE statement to filter the posts, but only the IF statement works.

Here are my tables:

tblusers

enter image description here

tblpost

enter image description here

Here is my code: adminviewpost.php

<?php require_once('Connections/localhost.php'); ?>
<?php
//initialize the session
if (!isset($_SESSION)) {
  session_start();
}

// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
  $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
  //to fully log out a visitor we need to clear the session varialbles
  $_SESSION['MM_Username'] = NULL;
  $_SESSION['MM_UserGroup'] = NULL;
  $_SESSION['PrevUrl'] = NULL;
  unset($_SESSION['MM_Username']);
  unset($_SESSION['MM_UserGroup']);
  unset($_SESSION['PrevUrl']);

  $logoutGoTo = "index.php";
  if ($logoutGoTo) {
    header("Location: $logoutGoTo");
    exit;
  }
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$colname_login = "-1";
if (isset($_SESSION['MM_Username'])) {
  $colname_login = $_SESSION['MM_Username'];
}
mysql_select_db($database_localhost, $localhost);
$query_login = sprintf("SELECT * FROM tblusers WHERE user_id = %s", GetSQLValueString($colname_login, "text"));
$login = mysql_query($query_login, $localhost) or die(mysql_error());
$row_login = mysql_fetch_assoc($login);
$totalRows_login = mysql_num_rows($login);

$db_school = $row_login['school'];
$db_prog = $row_login['prog'];
$db_level = $row_login['level'];
$db_stream = $row_login['stream'];
$db_society = $row_login['society'];
$db_nationality = $row_login['nationality'];
$db_position = $row_login['positionid'];

mysql_select_db($database_localhost, $localhost);
$query_mainposts = "SELECT * FROM tblposts";
$mainposts = mysql_query($query_mainposts, $localhost) or die(mysql_error());
$row_mainposts = mysql_fetch_assoc($mainposts);
$totalRows_mainposts = mysql_num_rows($mainposts);

$db_post_school = $row_mainposts['school'];
$db_post_prog = $row_mainposts['prog'];
$db_post_level = $row_mainposts['level'];
$db_post_stream = $row_mainposts['stream'];
$db_post_society = $row_mainposts['society'];
$db_post_nationality = $row_mainposts['nationality'];
$db_post_position = $row_mainposts['position'];

mysql_select_db($database_localhost, $localhost);
if ($db_post_school!==NULL && $db_post_prog==NULL && $db_post_level==NULL && $db_post_stream==NULL && $db_post_society==NULL && $db_post_nationality==NULL && $db_post_position==NULL) {
    # code...
    $query_posts = "SELECT * FROM tblposts WHERE school = '$db_school'
";
$posts = mysql_query($query_posts, $localhost) or die(mysql_error());
$row_posts = mysql_fetch_assoc($posts);
$totalRows_posts = mysql_num_rows($posts);
}
elseif ($db_post_school!==NULL && $db_post_prog==NULL && $db_post_level !==NULL && $db_post_stream==NULL && $db_post_society==NULL && $db_post_nationality==NULL && $db_post_position==NULL) {
    # code...
    $query_posts = "SELECT * FROM tblposts WHERE school = '$db_school' && level = '$db_level'
";
$posts = mysql_query($query_posts, $localhost) or die(mysql_error());
$row_posts = mysql_fetch_assoc($posts);
$totalRows_posts = mysql_num_rows($posts);
}

?>
Stephen Okwechime
  • 35
  • 7
  • Why just use a multi-part `where` clause? You also are open to SQL injections with this code. `where programme = 'this' and level > number`. – chris85 Mar 30 '16 at 12:02
  • Your code would probably be a lot simpler (and easier to understand) if you switched to PDO and prepared statements rather than sanitizing your input manually. Also `mysql_real_escape_string` cannot be considered as a safe way to escape strings since it does not reliably use the underlying database connection encoding. To avoid overly judgemental comments on irrelevant parts of your code please try to provide a minimal example. – apokryfos Mar 30 '16 at 12:26
  • Consider showing your table scheme using a SHOW CREATE TABLE query: http://stackoverflow.com/questions/4294507/how-to-dump-mysql-table-structure-without-data-with-a-sql-query – Reversal Mar 30 '16 at 13:27

0 Answers0