ColdEdge Posted June 5, 2010 Share Posted June 5, 2010 Ok, so I made a delete post script that requires to validate users id before deleting the post, but its not working here is the script.. <?php$topic = $_GET['id'];$post = $_GET['post'];$mysql = mysql_query("SELECT * FROM posts WHERE post_id = ".$_GET['post']." AND post_by = ".$_SESSION['user_id']."");$row = mysql_fetch_array($mysql);$postersId = $row['post_by'];$isOwner = $postersId;$isOwnerCheck = $row['post_by'];if($isOwner == $isOwnerCheck) {echo "<div style='padding:8px;background-color:#fae7af;'>Post Deleted!</div><br>";echo "Go back to the » <a href='topic.php?id=".$topic."'>topic</a>.";$query = mysql_query("DELETE FROM posts WHERE post_id = '$_GET[post]'");} elseif($isOwner != $isOwnerCheck) {echo "<div style='padding:8px;background-color:#fae7af;'>You don't have required rights to delete this topic.</div><br>";echo "Go back to the » <a href='topic.php?id=".$topic."'>topic</a>.";}?> - Thanks in advance Link to comment Share on other sites More sharing options...
skaterdav85 Posted June 5, 2010 Share Posted June 5, 2010 well first of all you have no connection to the mysql server. second, you are comparing the same value here:$isOwner == $isOwnerCheck Link to comment Share on other sites More sharing options...
ColdEdge Posted June 5, 2010 Author Share Posted June 5, 2010 there is a include connection script present ^^, I just removed the few top lines which where include 'connect.php';include 'header.php'; Link to comment Share on other sites More sharing options...
End User Posted June 5, 2010 Share Posted June 5, 2010 Ok, so I made a delete post script that requires to validate users id before deleting the post, but its not working here is the script..When you say, "not working", what specifically isn't working? Are the 'topic' and 'post' variables being received but not acted on? Are you seeing any error messages?Also, I'm not sure but the two quotes at the end of this bit might be an issue:$_SESSION['user_id'].""); Link to comment Share on other sites More sharing options...
ColdEdge Posted June 5, 2010 Author Share Posted June 5, 2010 @End Userthe quote issue is not the problem note this part ^^ mysql_query(" the problem is this if the user is not the poster of the post, his/her post should not be deleted by other members. However in my case there seems to be a problem with checking if the current user that is requesting to run action delete is truly the post owner. If the users ID dose not match post_by id in MySQL the post should not be deleted, but its still is deleted. The only members who can delete any ones posts are admins and staff but not any other user. Link to comment Share on other sites More sharing options...
jeffman Posted June 5, 2010 Share Posted June 5, 2010 $postersId = $row['post_by'];$isOwner = $postersId;$isOwnerCheck = $row['post_by']; This code takes 3 lines to make 2 assignments, but if you look closely you will see that $isOwner and $isOwnerCheck will always have the same value ($row['post_by']), as BigDave pointed out. So your condition always returns true. Link to comment Share on other sites More sharing options...
ColdEdge Posted June 5, 2010 Author Share Posted June 5, 2010 Ye, I know that. I am getting the problem somewhere there even so I tried using $isOwnerCheck = $_SESSION['user_id; this works, but the original post owner can not delete his post Link to comment Share on other sites More sharing options...
jeffman Posted June 5, 2010 Share Posted June 5, 2010 It is hard for an outsider to know, since we do not know the structure of your table or the kinds of values stored there.Have you tested the value of $query, or looked for mysql errors after that value is returned? It is always good practice to test mysql return values.In older versions of PHP, this technique for interpolating array values was permitted:"DELETE FROM posts WHERE post_id = '$_GET'"I refer to this part: '$_GET'The technique is deprecated now and may be causing problems. Try using the recommended syntax:"DELETE FROM posts WHERE post_id='{$_GET['post']}'"Or simply concatenate your string the way you do for your first query. Something like:"DELETE FROM posts WHERE post_id='" . $_GET['post'] ."'"Have you even tested this query using literal values instead of variables? --just to make sure it works, I mean? Link to comment Share on other sites More sharing options...
ColdEdge Posted June 5, 2010 Author Share Posted June 5, 2010 O, I am terribly sorry for not providing all of the data here it isposts table structure CREATE TABLE `posts` ( `post_id` int(8) NOT NULL auto_increment, `post_content` text character set utf8 NOT NULL, `post_date` datetime NOT NULL, `post_topic` int(8) NOT NULL, `post_by` int(8) NOT NULL, PRIMARY KEY (`post_id`), KEY `posts_ibfk_1` (`post_topic`), KEY `posts_ibfk_2` (`post_by`)) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=16; delete.php code [updated still dosen't work >.<] <?phpinclude 'connect.php';include 'header.php';function crunchy($input) { $valid_input = mysql_escape_string($input); return $valid_input;}$topic = crunchy($_POST['tid']);$post = crunchy($_GET['post']);$mysql = mysql_query("SELECT * FROM posts WHERE post_id = ".$post." AND post_by = ".$_SESSION['user_id']."");$row = mysql_fetch_array($mysql);$postersId = $row['post_by'];$isOwner = $postersId;$isOwnerCheck = $row['post_by'];if($isOwner == $isOwnerCheck) {echo "<div style='padding:8px;background-color:#fae7af;'>Post Deleted!</div><br>";echo "Go back to the » <a href='topic.php?id=".$topic."'>topic</a>.";$query = mysql_query("DELETE FROM posts WHERE post_id='{$_GET['post']}'");} elseif($isOwner != $isOwnerCheck) {echo "<div style='padding:8px;background-color:#fae7af;'>You don't have required rights to delete this topic.</div><br>";echo "Go back to the » <a href='topic.php?id=".$topic."'>topic</a>.";}include 'footer.php';?> topic.php delete part $topicID = $row['topic_id'];<form action="delete.php" method="post"> <input type="hidden" name="post" value="' . $posts_row['post_id'] . '" /> <input type="hidden" name="tid" value="' . $topicID . '" /> <input type="submit" name="confirm" value="Delete" style="float:right;padding:3px;font-size:11px;"/> </form> topics table CREATE TABLE `topics` ( `topic_id` int(8) NOT NULL auto_increment, `topic_subject` varchar(255) NOT NULL, `topic_date` datetime NOT NULL, `topic_cat` int(8) NOT NULL, `topic_by` int(8) NOT NULL, `topic_status` int(1) NOT NULL default '0', `topic_cby` varchar(30) NOT NULL, PRIMARY KEY (`topic_id`), KEY `topic_cat` (`topic_cat`)) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=3; With the new delete.php code I am getting this error only Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\wamp\www\bbs\delete.php on line 15 However the Post Deleted! part is echoed out, but the post is not really deleted. Link to comment Share on other sites More sharing options...
End User Posted June 6, 2010 Share Posted June 6, 2010 However the Post Deleted! part is echoed out, but the post is not really deleted.One thing I would recommend is having your code check the results of an action (like deleting a post) and then displaying a message indicating whether or not it succeeded. It's not really proper form to display a result message *prior* to the action it references. From what I can tell, it seems as though this line isn't doing what it's supposed to:$query = mysql_query("DELETE FROM posts WHERE post_id='{$_GET['post']}'");Just for grins, try this code and see what you get:$post_id=$_GET['post'];print "POSTID: $post_id <br />";$query = mysql_query("DELETE FROM posts WHERE post_id='$post_id'");print "SQL: DELETE FROM posts WHERE post_id='$post_id'"; I'm interested in seeing if the "post_id" is really making it to the query and this should show us that. Link to comment Share on other sites More sharing options...
jeffman Posted June 6, 2010 Share Posted June 6, 2010 The traditional way of checking data like that is something like this:var_dump ($_GET);Then you can examine all the GET data at once. Really, this is step one in any debugging process.It might also be worth wrapping your sql identifiers in backticks, as in:"DELETE FROM `posts` WHERE `post_id`='$post_id'"Some implementations don't care. Others won't work without them. Link to comment Share on other sites More sharing options...
Sami Posted June 6, 2010 Share Posted June 6, 2010 Why are the mysql query inside a string? Link to comment Share on other sites More sharing options...
jeffman Posted June 6, 2010 Share Posted June 6, 2010 The mysql functions are PHP functions. PHP can only use its native data types. A query looks like a string of characters, so that is the data type PHP uses to interact with mysql. Link to comment Share on other sites More sharing options...
End User Posted June 6, 2010 Share Posted June 6, 2010 The traditional way of checking data like that is something like this:var_dump ($_GET);Then you can examine all the GET data at once. Really, this is step one in any debugging process.I know var_dump() would be the usual way to do this, but I didn't want to overwhelm him with what might be a lot of stuff to look through, I just wanted to focus on that one variable so he could see what it was doing. It seems like it's one of the key items here since the deletion isn't actually happening. Link to comment Share on other sites More sharing options...
ColdEdge Posted June 6, 2010 Author Share Posted June 6, 2010 @End Useryour code returned thisPOSTID: 16 SQL: DELETE FROM posts WHERE post_id='16' the post was deleted. But the other problem now is to check if the user who is requesting the delete post function is really the post owner. If not the script should cancel the user action and display specific message. Link to comment Share on other sites More sharing options...
End User Posted June 7, 2010 Share Posted June 7, 2010 Okay, good....the post_id is coming through correctly and the delete action is working. (I thought you said it wasn't deleting before?)So, to check that the user who is trying to delete the post is actually the post owner all you should need to do is check the "post_by" value of the post itself to see if that matches the $_SESSION['user_id'] , if I understand your table code correctly. Something like this, I would imagine: if($_SESSION['user_id'] == $row['post_by']){// they are the owner... ....etc etc...}else{// not the owner... ....etc etc...} (Just my opinion, but I think you could do away with some of the extra "$isOwnerCheck" stuff, as long as you're legitimately checking that the user_id does indeed match the "post_by" value.) the post was deleted. But the other problem now is to check if the user who is requesting the delete post function is really the post owner. If not the script should cancel the user action and display specific message. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.