Posted by Shelly on 08/27/07 02:06
"Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
news:46D21E8F.3040708@attglobal.net...
> Matt wrote:
>>> But then how do the premium users read the non-premium articles? Of
>>> course if you can answer that then you've solved your original problem.
>>>
>>> Norm
>>>
>>> p.s. You need to check your users permissions prior to retrieving your
>>> articles. In other words, build your SELECT statement based on your
>>> users permissions:
>>>
>>> if ($user_is_premium)
>>> {
>>> SELECT both non-premium and premium articles here}
>>>
>>> else
>>> {
>>> SELECT non-premium articles here}
>>>
>>> ...rest of code
>>>
>>> should be a rather small change to your code.
>>
>>
>> Basically on the article index page I'll just loop through all of the
>> articles in the table, and test for isPremium. If a row isPremium,
>> I'll send the link to displaypremiumarticle.php?id=123, if not, just
>> to displayarticle.php?id=123.
>>
>
> Don't. Let SQL do it for you. Norm has the right idea.
>
>> That code would make things simpler but this page specifically
>> displays a single article, hence the confusion. I could just do the
>> above method and not show the links to non-premium users but this
>> means a curious user could just guess at URLs and find 'hidden'
>> content.
>>
>
> IF they aren't authorized, they won't get the article, even if they guess
> the URL.
Jerry beat me to it. The way I do it is to put the ifs within the building of
an SQL query statement. I then execute the query. For example, I want to
display a list of orders where it can be all the orders, all the orders for
a given account number, or all the orders for a given account number and a
given agent. Here is my query building code:
***************
// Fixed front and end of the statement; the middle (WHERE clause) is
// assembled from whichever filters are present.
$qf = "SELECT * FROM Orders";
$qm = "";
$qe = " ORDER BY timestamp DESC";

// Filter by account number, if one was supplied.
if (strlen($accountNumber) > 0) {
    $qm = " WHERE accountNumber=" .
          GetSQLValueString($accountNumber, "int");
}

// Filter by agent, if one was supplied; start the WHERE clause if the
// account filter did not, otherwise AND onto it.
if (strlen($agentID) > 0) {
    if ($qm == "") {
        $qm = " WHERE agentID=" .
              GetSQLValueString($agentID, "int");
    } else {
        $qm .= " AND agentID=" .
               GetSQLValueString($agentID, "int");
    }
}

// Final statement to execute.
$q = $qf . $qm . $qe;
**************
You could do a similar thing with respect to access rights.
--
Shelly
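Added example, not code from anyone in this thread: the same query-building idea applied to the premium-article case, using PDO prepared statements so the permission check lives in the SQL and a guessed displayarticle.php?id=123 URL returns nothing to a non-premium user. It assumes a `$pdo` connection, an `articles` table with columns `id`, `title`, `body`, `isPremium`, and a session flag named `is_premium` (all hypothetical).

```php
<?php
// Assumed schema: articles(id, title, body, isPremium). Assumed PDO handle $pdo.

function buildArticleQuery(bool $userIsPremium, ?int $articleId = null): array
{
    // Every variant is a prepared statement; request values only ever
    // travel as bound parameters, never by string concatenation.
    $sql    = "SELECT id, title, body, isPremium FROM articles";
    $where  = [];
    $params = [];

    if ($articleId !== null) {
        $where[]       = "id = :id";
        $params[':id'] = $articleId;
    }
    if (!$userIsPremium) {
        // Non-premium users see only non-premium rows. Premium users get
        // no filter at all, so they still read the free articles too.
        $where[] = "isPremium = 0";
    }
    if ($where) {
        $sql .= " WHERE " . implode(" AND ", $where);
    }
    $sql .= " ORDER BY id DESC";
    return [$sql, $params];
}

function fetchArticle(PDO $pdo, bool $userIsPremium, int $articleId): ?array
{
    [$sql, $params] = buildArticleQuery($userIsPremium, $articleId);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // false covers both "no such article" and "not authorized"; the caller
    // cannot tell them apart, which is what you want for hidden content.
    return $row === false ? null : $row;
}

// displayarticle.php: the premium flag comes from the server-side session,
// never from the request itself (hypothetical session key name).
$userIsPremium = !empty($_SESSION['is_premium']);
$article = fetchArticle($pdo, $userIsPremium, (int)($_GET['id'] ?? 0));
if ($article === null) {
    http_response_code(404);
    exit('Article not found');
}
```

Calling `buildArticleQuery($userIsPremium)` with no id gives the index-page list with the same filter, so one function serves both pages Matt describes.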