
I have a problem with a MySQL query and condition. The main problem is that a user with another ID can see / edit the same leads even though his id != owner.

I tried to change the vars and add '' or "", but none of these helped.

$myuser_query = mysqli_query($conn,"SELECT * FROM users WHERE id = '".$_SESSION["id"]."'");
$myuser = mysqli_fetch_assoc($myuser_query);

$myleads = "SELECT * FROM leads WHERE owner = '".$myuser["id"]."' AND status = 1 OR status = 2 ORDER BY RAND() LIMIT 1";
$newleads = $conn->query($myleads);
if ($newleads->num_rows >= 1) {

(Here it's all the client side that's showing the data.)

karel
Elroy Cohen

1 Answer

You need to add parentheses around the OR conditions in your query. Change this:

$myleads = "SELECT * FROM leads 
           WHERE owner = '".$myuser["id"]."' AND status = 1 OR status = 2 
           ORDER BY RAND() LIMIT 1";

To:

$myleads = "SELECT * FROM leads 
           WHERE owner = '".$myuser["id"]."' AND (status = 1 OR status = 2)
           ORDER BY RAND() LIMIT 1";
Dave
    He should use prepared statements too – nacho May 14 '19 at 14:13
  • First of all, thank you very much! about prepared statements. Do you have any references? – Elroy Cohen May 14 '19 at 16:34
  • [This answer](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/60496#60496) should get you headed in the right direction. If an answer solved your problem, consider accepting the answer. [Here's how](https://meta.stackexchange.com/q/5234/379718), then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. Welcome to Stack! – Dave May 14 '19 at 16:44
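Added example, not code from the question or the answer above: the precedence bug and the prepared-statement advice from the comments, carried through in Python against an in-memory SQLite database standing in for MySQL. The table layout, the rows and the injection probe are constructed for the demo; SQLite spells RAND() as RANDOM() and uses `?` as its bind placeholder (mysqli's equivalent is prepare() plus bind_param()).

```python
import sqlite3

# Constructed sample data for the demo (not from the original post):
# (id, owner, status). Owner 7 is the logged-in user; owner 9 is someone else.
LEADS = [
    (1, 7, 1),
    (2, 7, 2),
    (3, 9, 2),
    (4, 9, 1),
    (5, 9, 3),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL `leads` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE leads (id INTEGER PRIMARY KEY, "
        "owner INTEGER NOT NULL, status INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO leads VALUES (?, ?, ?)", LEADS)
    return conn


def leads_buggy(conn, owner_id):
    """The WHERE clause from the question, string-concatenated as posted.

    AND binds tighter than OR, so the engine reads it as
        (owner = X AND status = 1) OR (status = 2)
    and every status-2 lead comes back no matter who owns it.
    """
    sql = (
        "SELECT id, owner, status FROM leads WHERE owner = '"
        + str(owner_id)
        + "' AND status = 1 OR status = 2 ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def leads_fixed(conn, owner_id):
    """Parenthesised condition plus a bound parameter.

    owner_id is sent as data, never spliced into the SQL text.
    IN (1, 2) is the same predicate as (status = 1 OR status = 2).
    """
    sql = ("SELECT id, owner, status FROM leads "
           "WHERE owner = ? AND status IN (1, 2) ORDER BY id")
    return conn.execute(sql, (owner_id,)).fetchall()


def foreign_leads(rows, owner_id):
    """Rows returned for owner_id that belong to someone else: the leak."""
    return [row for row in rows if row[1] != owner_id]


def pick_random_lead(conn, owner_id):
    """The post's ORDER BY RAND() LIMIT 1, done safely (SQLite: RANDOM())."""
    sql = ("SELECT id, owner, status FROM leads "
           "WHERE owner = ? AND status IN (1, 2) ORDER BY RANDOM() LIMIT 1")
    return conn.execute(sql, (owner_id,)).fetchone()


# Constructed injection probe. Spliced into the buggy query it produces
#   owner = '' OR 1=1 OR '' AND status = 1 OR status = 2
# which is true for every row; bound as a parameter it matches nothing.
INJECTION_PROBE = "' OR 1=1 OR '"


if __name__ == "__main__":
    db = make_db()
    print("buggy, owner 7:", leads_buggy(db, 7))
    print("  leaked:", foreign_leads(leads_buggy(db, 7), 7))
    print("fixed, owner 7:", leads_fixed(db, 7))
    print("buggy + probe:", leads_buggy(db, INJECTION_PROBE))
    print("fixed + probe:", leads_fixed(db, INJECTION_PROBE))
    print("random pick for owner 9:", pick_random_lead(db, 9))
```

Running it shows the two separate defects: with the parentheses missing, owner 7 receives lead 3 (owned by 9) because its status is 2, and the concatenated string lets the probe return the whole table; the parameterised query returns only owner 7's leads and nothing at all for the probe.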