MySQL internal session check?

This problem sounds so easy but I cannot find the error: My PHP scripts post a text to a MySQL db. This is backed by an user-management-system. So only the user who posted the text is able to see it. Now I want to integrate a "share-function". User a enables user b to see one of user's a postings in his text overview (little bit like a note share function).

After sharing a note with user b, he can see the note in his overview but when opening the note to see the details it's not working.

On the technical side I have 3 tables:

1.) notes - with the fields title, text and user

2.) user - id, name and password

3.) invites - NoteID, fromID and toID

My SQL statement for the invite overview is (which is working):

SELECT * FROM notes a, invites b WHERE (b.toID = '$UserID') AND (b.ItemID = a.id) AND a.Deleted = 0

But when I have this statement

SELECT * FROM notes a, invites b WHERE (a.id = '$ItemID') AND ((a.User = '$username') OR (b.toID =开发者_如何学编程 '$userid'))

in the detail view it's not working. Even if I have this very simple (and unsecure) SQL it's not working:

SELECT * FROM notes WHERE ID = '$ItemID'

I'm really desperate and my only explanation (which is very unrealistic) is that MySQL has a kind of internal security check which does not allow displaying content from strangers :S

any ideas? Thanks a lot

I'm not sure that this is your only problem, but you are doing a cross join by accident. MySQL will probably try to create a huge number of rows in the result set and then time out. Use the JOIN ... ON ... syntax to help you remember to specify how you want to perform the join:

SELECT *
FROM notes a
JOIN invites b
ON ... -- put some join condition here
WHERE (a.id = '$ItemID') AND ((a.User = '$username') OR (b.toID = '$userid'))

I'm guessing that you want something like this:

ON b.NoteID = a.ID