1

I'm fairly new to development, since all I did before this was managing databases. I've come up with a system that will have three types of user:

  1. Admin
  2. Management
  3. User

I have successfully created the multi-user login page by adding the user role into the login. But the problem I'm having now is that I can't show only the data that the current user has previously submitted. For example, I have two Users, Ariel and Lyla. What I want is that when Ariel logs into the system, Ariel can only see what she has submitted to the database; currently, she can see all the submitted data. I have already done this:

$sql = "SELECT * FROM iirincidentmain_draft WHERE username='$_SESSION[user][username]'";

but in return I get this error:

Notice: Array to string conversion

My full code is as follows:

<?php
session_start();
// Checking whether the user is logged in or not
if(empty($_SESSION['user'])){
 header('location:../index.php');
 exit; // stop the script; without exit the rest of the page would still be rendered after the redirect header
}
// Restrict admin or management users from accessing the user.php page
if($_SESSION['user']['role']=='admin'){
 header('location:../admin/index.php');
 exit;
}
if($_SESSION['user']['role']=='management'){
 header('location:../management/index.php');
 exit;
}

require_once("../db.php"); // provides the $conn database connection
?>
<div class="col-md-9 bg-white padding-2">
<h3>Reports in Draft</h3>
    <div class="row margin-top-20">
      <div class="col-md-12">
       <div class="box-body table-responsive no-padding">
       <table id="example" class="table table-striped table-bordered" style="width:100%">
      <thead>
        <tr>
        <th>Incident Date</th>
        <th>OPU Region Or Country</th>
        <th>Incident Title</th>
        <th>Incident Category</th>
        <th>Status</th>
        <th>Draft IIR</th>
        <th>Edit</th>
        </tr>
      </thead>
      <tbody>

      <?php
// Query that is supposed to return only the current user's drafts (this is the line that produces the notice)
$sql = "SELECT * FROM iir_incidentmain_draft WHERE username='$_SESSION[user][username]'";
  $result = $conn->query($sql);
     if($result->num_rows > 0) {
        while($row = $result->fetch_assoc())
         {?>

    <tr>
     <td><?php echo date("y-m-d", strtotime($row['incident_date'])); ?></td>
     <td><?php echo $row['opus']; ?></td>
     <td><?php echo $row['incident_title']; ?></td>
     <td><?php echo $row['incident_category']; ?></td>
     <td><?php echo $row['status']; ?></td>
     <td><a href="iir_draft.php?id=<?php echo $row['incident_id']; ?>">&nbsp; &nbsp; <i class="fa fa-files-o"></i></a></td>
     <td><a href="edit_draft.php?id=<?php echo $row['incident_id']; ?>">&nbsp; &nbsp; <i class="fa fa-edit"></i></a></td>
    </tr>
            <?php
            }
         } ?>
        </tbody>
        </table>
      </div>
    </div>
   </div>
</div>

Can someone please advise me?

  • There are quite a few things that need improvement from a security perspective. But for a start, you could add an `echo $_SESSION[user][username]` somewhere at the top of the file, an `echo($result->num_rows);` after the `$result = ...` line, or `print_r($row);` inside the `while` loop. That would at least show you whether there are any results at all. – hey Jan 17 '20 at 02:40

1 Answer

0

Change this line:

$sql = "SELECT * FROM iir_incidentmain_draft WHERE username='$_SESSION[user][username]'";

To become:

$sql = "SELECT * FROM iir_incidentmain_draft WHERE username='" . $_SESSION['user']['username'] . "'";

In other words, you have a typo: the quotes around your session keys are missing. It also becomes necessary (I think) to use dot notation when appending an array value to a string. So it may be the case that the string conversion error you got was due to the parser only seeing $_SESSION when it was embedded in your outer double quotes.

Others will likely note that you should be escaping all of this. An effective way to escape the username is to set up an SQL prepared statement.

GetSet
  • 1,511
  • 2
  • 10
  • 13
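The prepared-statement version the answer points to, written out as an added example (not the asker's or answerer's code). It assumes `../db.php` supplies `$conn` as a mysqli connection, as the question's `$conn->query()` / `fetch_assoc()` calls suggest, and that mysqlnd is available for `get_result()`.

```php
<?php
// Added example: list only the logged-in user's drafts. The session username is
// bound as a query parameter, never interpolated into the SQL text, and every
// database value is HTML-escaped before it is echoed into the page.
// Assumption: ../db.php provides $conn as a mysqli connection with mysqlnd.
session_start();

if (empty($_SESSION['user'])) {
    header('Location: ../index.php');
    exit; // without exit, the rest of the page still runs and renders
}

require_once '../db.php';

// Return the draft rows that belong to one username.
function fetchDraftsForUser(mysqli $conn, string $username): array
{
    // Only the ? placeholder is in the SQL; the value never joins the query string.
    $stmt = $conn->prepare(
        'SELECT incident_id, incident_date, opus, incident_title, incident_category, status
           FROM iir_incidentmain_draft WHERE username = ?'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Escape a value for HTML so a title like "<script>..." is shown, not executed.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Two-level array access needs quoted keys outside the string: the original
// "...'$_SESSION[user][username]'" only resolved $_SESSION['user'], an array.
$drafts = fetchDraftsForUser($conn, $_SESSION['user']['username']);
?>
<table id="example" class="table table-striped table-bordered">
  <tbody>
  <?php foreach ($drafts as $row): ?>
    <tr>
      <td><?= h(date('y-m-d', strtotime($row['incident_date']))) ?></td>
      <td><?= h($row['incident_title']) ?></td>
      <td><?= h($row['status']) ?></td>
      <td><a href="edit_draft.php?id=<?= urlencode((string) $row['incident_id']) ?>">edit</a></td>
    </tr>
  <?php endforeach; ?>
  </tbody>
</table>
```

Filtering the list is not enough on its own: `iir_draft.php` and `edit_draft.php` should run the same `username = ?` check against the `id` they receive, otherwise a user can still open another user's draft by changing the id in the URL.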