Problem with deleting ONLY specific logged-in user's record...


mac007


Hello, all:

I have a problem with a mini-cms I have been building, if anybody can help...

Issue is, I tried to delete a specific logged-in user's "record", and it did that just fine. But then, to test it, I tried to delete an un-logged-in user's record and IT DELETED IT!! while I was logged in as the first user!  Not good... It's supposed to delete only a logged-in user's record! I wonder if my tables are not set up right? Or if my SQL statements are not right either?

 

See here a quick look at how my tables are set up and their relationships:

 

ACCOUNTS table:

id    email                  pw     date
1     [email protected]    123    10-01-08
2     [email protected]    456    10-01-08

NOTEPAD table:

noteid    custid    subject     note           notedate    completed
4         1         Links       user-1-note    10-05-08    no
5         2         Contacts    user-2-note    10-04-08    no

 

As you can see, the common relationship between the tables is the id and custid fields, which refer to the user when logged in. So when I echo each user's respective "notes" I use the following SQL, which seems to work OK, by selecting ONLY a logged-in user's respective "note" records:

 

SELECT *
FROM NOTEPAD, ACCOUNTS
WHERE NOTEPAD.custid = ACCOUNTS.id AND email = colname*
ORDER BY NOTEPAD.notedate DESC

 

*colname refers to the logged-in user's "session" username.

 

Then I simply repeated the same "select" statement when trying to DELETE a specific record... this is where the problem comes up... it does delete a logged-in user's record, but if I manually change a record id in the URL (like page.php?delete=15) that coincides with a record from a non-logged-in user, it STILL deletes it!!

 

Appreciate any help....

I have a script that works for this; it should give you an idea of it. What it does is: if the session doesn't exist it redirects to my login form, but if the session exists it continues to do the delete.

 


<?php
session_start( ); //bored of this function yet?
if(!isset($_SESSION["username"])){
header('Location: /user/index.php');
}
else
{
header('Location: /user/index.php');

// includes
include("../header.php");


// open database connection
$conn = mysql_connect(HOST, DBUSER, PASS) or  die('Could not connect !<br />Please contact the site\'s administrator.');
$db = mysql_select_db(DB) or  die('Could not connect to database !<br />Please contact the site\'s administrator.');

// generate and execute query
$Id = mysql_escape_string(trim(htmlentities($_GET['Id'])));

mysql_query("DELETE FROM business WHERE Id = '$Id'") 
or die(mysql_error()); 




}
?>

Here's my "delete" page script... it is all automatically created by Dreamweaver, and that's how I end up getting lost, because it writes all this code on the fly... I tried several things, tried to insert checking if statements within the DELETE mysql statement, but nothing. The DELETE SQL is "using" the SELECT SQL statement as a basis for acting upon the deletions... it's a bit convoluted, but that's what I've got to work with... the way it works is I click on a record to delete from another page, which calls this page, deletes the record, and then automatically returns back to the main notepad-member.php page.

 

As I said, it does delete a logged-in user's record, but it ALSO DELETES a non-logged-in user's record if I manually change the URL to coincide with a non-logged-in member's record!!!

 

Hope it all makes sense.

 

 

 

<code>
<?php require_once('Connections/notepadConnection.php'); ?><?php
//initialize the session
if (!isset($_SESSION)) {
  session_start();
}

// ** Logout the current user. **
$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
  $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
  //to fully log out a visitor we need to clear the session variables
  $_SESSION['MM_Username'] = NULL;
  $_SESSION['MM_UserGroup'] = NULL;
  $_SESSION['PrevUrl'] = NULL;
  unset($_SESSION['MM_Username']);
  unset($_SESSION['MM_UserGroup']);
  unset($_SESSION['PrevUrl']);

  $logoutGoTo = "index.php";
  if ($logoutGoTo) {
    header("Location: $logoutGoTo");
    exit;
  }
}
?>
<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && true) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
  $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}
?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

if ((isset($_GET['delete'])) && ($_GET['delete'] != "")) {
  // The WHERE clause matches on noteid only; nothing here ties the row to
  // the logged-in user ($_SESSION['MM_Username']), which is why any id put
  // in the URL gets deleted.
  $deleteSQL = sprintf("DELETE FROM NOTEPAD WHERE noteid=%s",
                      GetSQLValueString($_GET['delete'], "text"));

  mysql_select_db($database_notepadConnection, $notepadConnection);
  $Result1 = mysql_query($deleteSQL, $notepadConnection) or die(mysql_error());

  $deleteGoTo = "notepad-member.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $deleteGoTo .= (strpos($deleteGoTo, '?')) ? "&" : "?";
    $deleteGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $deleteGoTo));
}

$maxRows_notepad_RS = 10;
$pageNum_notepad_RS = 0;
if (isset($_GET['pageNum_notepad_RS'])) {
  $pageNum_notepad_RS = $_GET['pageNum_notepad_RS'];
}
$startRow_notepad_RS = $pageNum_notepad_RS * $maxRows_notepad_RS;

mysql_select_db($database_notepadConnection, $notepadConnection);
$query_notepad_RS = "SELECT * FROM NOTEPAD, ACCOUNTS WHERE NOTEPAD.custid = ACCOUNTS.id";
$query_limit_notepad_RS = sprintf("%s LIMIT %d, %d", $query_notepad_RS, $startRow_notepad_RS, $maxRows_notepad_RS);
$notepad_RS = mysql_query($query_limit_notepad_RS, $notepadConnection) or die(mysql_error());
$row_notepad_RS = mysql_fetch_assoc($notepad_RS);

if (isset($_GET['totalRows_notepad_RS'])) {
  $totalRows_notepad_RS = $_GET['totalRows_notepad_RS'];
} else {
  $all_notepad_RS = mysql_query($query_notepad_RS);
  $totalRows_notepad_RS = mysql_num_rows($all_notepad_RS);
}
$totalPages_notepad_RS = ceil($totalRows_notepad_RS/$maxRows_notepad_RS)-1;
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>

<meta name="Keywords" content="best online notepad, online notepad, free online notepad, easy online notepad, best online notebook, free online notebook, online notebook, keep notes online, keeping notes online, online notes" />
<meta name="Description" content="Make notes which you can access from everywhere. Best Online notepad." />
<meta name="robots" content="index,follow" />
<style type="text/css">
<!--
.style20 {font-family: Arial, Helvetica, sans-serif; font-size: 13px; }
.style21 {font-size: 13px}
-->
</style>
</head>

<body>
<p align="center"><a href="<?php echo $logoutAction ?>"><strong>Log out</strong></a></p>
<h2 align="center">Welcome, <?php echo $_SESSION['MM_Username']; ?>! <br />
</h2>
<hr />
<p align="center"> </p>
</body>
</html>
<?php
mysql_free_result($notepad_RS);
?>
</code>

Hey, Dropfaith:

 

I kind of see what you have there, but couldn't it still potentially delete another "user's" record if forced in the URL?? I don't see how it could prevent that in your script?? Thing is, each member has their own records, which only they should be able to delete or view for that matter (unlike a blog, per se, where maybe all records could be viewable or deletable by ANY logged-in user...

 

thanks... appreciate the response

 


<?php
session_start( ); //bored of this function yet?
if(!isset($_SESSION["username"])){
    header('Location: /user/index.php');
    exit; // stop here; without this the rest of the script keeps running after the redirect
}
else
{
    $u = $_SESSION['username'];
    $uid = $_SESSION['loginid'];
    // the user id comes from the session, not from the URL, so the query
    // can only touch rows that belong to the logged-in user
    $query = "SELECT * FROM rideshare WHERE loginid = '$uid'";
}
?>

 

 

Yeah, that was my error, I posted the wrong part of a script, sorry. I'm working on an admin section for a site right now myself so I'm kinda doing 1000 things.

 

The code above would be more what you're looking for; change the else, as I just took this direct from a script I wrote a second ago.

What this one does is the same thing as up top: if the session doesn't exist it kicks the user to the login screen; if the session does exist it will get the username and id from the session and process the script based on that id. It doesn't pull from a URL at all, so it can only delete for the user that the session belongs to.

Thanks Dropfaith...

 

I see what you are doing here. Let me try to see if I can integrate it into my script (I'm a newbie and my code is automatically created by Dreamweaver). I did realize, as you noticed here, that I'm deleting a record based on a URL; I just simply thought that it would "restrict" itself to a logged-in user's record even if you forced a different URL pair...

 

I see now that maybe I should have had the recordset tied in to a session id, instead of a URL-based record-id pair...

 

Thanks! let me try this and see if I can get this right, let you know...
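The fix the thread converges on, shown as an added example that is not part of the original posts or of the Dreamweaver-generated code: the session carries the user's ACCOUNTS.id (what Dropfaith stores as $_SESSION['loginid']), and the DELETE is scoped by both the requested noteid and that session id, so a forged page.php?delete=N against another member's row deletes nothing. It uses Python's built-in sqlite3 instead of PHP/MySQL so it runs stand-alone; the tables and rows are the ones from the post, with constructed placeholder e-mail addresses because the post redacts them. Function names (make_session, delete_note_scoped, handle_delete_request) are my own, not anything from the thread.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data mirroring the ACCOUNTS / NOTEPAD tables in the post.
# The post redacts the e-mail addresses, so user1/user2@example.com are placeholders.
ACCOUNTS = [
    (1, "user1@example.com", "123", "10-01-08"),
    (2, "user2@example.com", "456", "10-01-08"),
]
NOTEPAD = [
    (4, 1, "Links", "user-1-note", "10-05-08", "no"),
    (5, 2, "Contacts", "user-2-note", "10-04-08", "no"),
]


def make_db():
    """Fresh in-memory database with the two tables from the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ACCOUNTS (
            id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw TEXT, date TEXT);
        CREATE TABLE NOTEPAD (
            noteid INTEGER PRIMARY KEY,
            custid INTEGER NOT NULL REFERENCES ACCOUNTS(id),
            subject TEXT, note TEXT, notedate TEXT, completed TEXT);
    """)
    conn.executemany("INSERT INTO ACCOUNTS VALUES (?, ?, ?, ?)", ACCOUNTS)
    conn.executemany("INSERT INTO NOTEPAD VALUES (?, ?, ?, ?, ?, ?)", NOTEPAD)
    conn.commit()
    return conn


def make_session(conn, email):
    """What login should store: the user's ACCOUNTS.id, resolved once, server-side.
    This is the role of Dropfaith's $_SESSION['loginid']; the browser never supplies it."""
    row = conn.execute("SELECT id FROM ACCOUNTS WHERE email = ?", (email,)).fetchone()
    if row is None:
        raise PermissionError("unknown user")
    return {"email": email, "custid": row[0]}


def list_notes(conn, session):
    """The post's SELECT, scoped to the session user and parameterised."""
    return conn.execute(
        "SELECT noteid, subject FROM NOTEPAD WHERE custid = ? ORDER BY notedate DESC",
        (session["custid"],),
    ).fetchall()


def delete_note_vulnerable(conn, noteid):
    """The Dreamweaver behaviour: WHERE noteid = <value from the URL>, nothing else.
    Any logged-in user can delete any row whose id they can guess (an IDOR)."""
    cur = conn.execute("DELETE FROM NOTEPAD WHERE noteid = ?", (noteid,))
    conn.commit()
    return cur.rowcount


def delete_note_scoped(conn, session, noteid):
    """Hardened: the row must match the requested noteid AND the session user's custid.
    Returns the number of rows deleted; 0 means 'not yours (or does not exist)'."""
    cur = conn.execute(
        "DELETE FROM NOTEPAD WHERE noteid = ? AND custid = ?",
        (noteid, session["custid"]),
    )
    conn.commit()
    return cur.rowcount


def handle_delete_request(conn, session, query_string):
    """Simulates page.php?delete=N. The id is cast to int (the post's code treats it as
    'text'), and ownership is enforced in the query rather than trusted from the URL."""
    params = parse_qs(query_string)
    try:
        noteid = int(params.get("delete", [""])[0])
    except ValueError:
        return 0
    return delete_note_scoped(conn, session, noteid)


if __name__ == "__main__":
    db = make_db()
    user1 = make_session(db, "user1@example.com")
    print("user1 sees:", list_notes(db, user1))
    print("unscoped delete of user2's note 5 while logged in as user1:",
          delete_note_vulnerable(db, 5))
    db = make_db()
    user1 = make_session(db, "user1@example.com")
    print("scoped ?delete=5 as user1:", handle_delete_request(db, user1, "delete=5"))
    print("scoped ?delete=4 as user1:", handle_delete_request(db, user1, "delete=4"))
```

The ownership check lives in the SQL itself rather than in a separate SELECT-then-DELETE, so there is no window in which a row could be re-checked and deleted out of step, and a zero rowcount is the signal to show "no such note" rather than to report which ids belong to someone else.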
