adamlacombe Posted June 17, 2009

I'm trying to put $_SESSION['username'] in an if statement and it's not recognizing it for some reason. This is my code:

    <?
    function delete(){
        $id=$_GET['id'];
        if($getcomments3[to] == $_SESSION['username']){
            mysql_query("DELETE FROM comments WHERE ID='$id'");
            echo "Done!";
        }else{
            echo "Cant";
        }
    }
    ?>

What could be the problem?
smerny Posted June 17, 2009

    echo "$_SESSION['username'] = ". $_SESSION['username']."<br> $getcomments3[to] = ". $getcomments3[to];

to see what they are doing
adamlacombe Posted June 17, 2009

I don't get it. What do I have to do?
smerny Posted June 17, 2009

    echo "$_SESSION['username'] = ". $_SESSION['username']."<br> $getcomments3[to] = ". $getcomments3[to];

Put that above your if statement, it will show you the values of those variables... then you can see if or which is not being recognized.
adamlacombe Posted June 17, 2009

ok, did that. Now it's a blank page. There's some kind of error in that code..
947740 Posted June 17, 2009

    echo "\$_SESSION['username'] = ".$_SESSION['username']."<br>\$getcomments3['to'] = ". $getcomments3['to'];
adamlacombe Posted June 17, 2009

It doesn't show up as anything. This is what I get:

    $_SESSION['username'] =
    $getcomments3['to'] =
corbin Posted June 17, 2009

Topic moved as it seems to be PHP related, not MySQL.

Anyway, you do have session_start() in there somewhere, yes?

Also, is that the complete function? If so, where is $getcomments3[to] defined?

Also, unless to is a constant, and I doubt it is, you should do ['to'], not [to]. Unquoted strings are treated as constants by PHP, then if a constant under that key isn't found in PHP's constant registry, it is treated as a normal string. It takes more time to go through that process, and it throws a warning message.
adamlacombe Posted June 17, 2009

Yes, session_start() is at the top. This is the full file:

    <?php
    session_start();
    include "db_connect.php";

    switch($_GET['go']){
        case 'delete':
            delete();
            break;
    }

    $sql="SELECT * from `users3` WHERE `username`='".$_GET['username']."'";
    $res=mysql_query($sql) or die(mysql_error());
    if(mysql_num_rows($res) != 1) {
        echo "<script language=\"Javascript\" type=\"text/javascript\">
        alert(\"This user does not exist\")
        document.location.href='index.php'</script>";
    } else {
        $row=mysql_fetch_assoc($res);
    ?>
    <html>
    <head><link rel="stylesheet" href="style.css"></head>
    <div class="divider">
    <strong><?php echo $row['username'] ?>'s Profile</strong><br/>
    <img src="<?php echo $row['avatar'] ?>" />
    <br/>
    Name: <?php echo $row['first']. " " .$row['last'] ?>
    <br/>
    Email: <?php echo $row['email'] ?>
    <br/>
    About: <?php echo $row['about'] ?>
    <br/>
    </div>
    <div class="divider">
    <strong>Pictures</strong><br/><br/>
    <?php
        $result = mysql_query("SELECT reference FROM user_photos WHERE `profile_id`='".$row['id']."'");
        while ($row2 = mysql_fetch_array($result, MYSQL_ASSOC)) {
            echo "<a href=\"".$_GET['username']."/pics/".$row2['reference']."\"> <img src=\"".$_GET['username']."/pics/thumbs/".$row2['reference']."\"></a><br/><br/>";
        }
    }
    print "</div>";
    ?>
    <?php
    print "<div class='divider'> <strong>Blog Posts</strong><br/><br/>";
    $getthreads="SELECT * from blogs where author='" .$row['username']. "' order by postid DESC";
    $getthreads2=mysql_query($getthreads) or die("Could not get threads");
    while($getthreads3=mysql_fetch_array($getthreads2)) {
        $getthreads3[title]=strip_tags($getthreads3[title]);
        $getthreads3[author]=strip_tags($getthreads3[author]);
        print "<A href='blog.php?id=$getthreads3[postid]'>$getthreads3[title]</a><br />";
    }
    print "</div>";
    ?>
    <?php
    print "<div class='divider'> <strong>Comments</strong><br/><br/>";
    $getcomments="SELECT * from comments where `to`='" .$row['username']. "'";
    $getcomments2=mysql_query($getcomments) or die("Could not get comments");
    while($getcomments3=mysql_fetch_array($getcomments2)) {
        print "<b>By:</b> <a href='profile.php?username=$getcomments3[from]'>$getcomments3[from]</a></b> <br /> <b>Subject:</b> $getcomments3[subject]</b> <br /> <b>Comment:</b> $getcomments3[comment]</a><br /><hr>";
    }
    print "<br /> <a href='comment.php?to=" .$row['username']. "'>Leave A Comment</a><br /><br /> </div>";
    echo "\$_SESSION['username'] = ".$_SESSION['username']."<br>\$getcomments3['to'] = ". $getcomments3['to'];
    ?>
    <?
    function delete(){
        $id=$_GET['id'];
        if($getcomments3[to] == $_SESSION['username']){
            mysql_query("DELETE FROM comments WHERE ID='$id'");
            echo "Done!";
        }else{
            echo "Cant";
        }
    }
    ?>
adamlacombe Posted June 17, 2009

Maybe I would need to have that delete function in the

    while($getcomments3=mysql_fetch_array($getcomments2)) { }

area... ? or..?
adamlacombe Posted June 17, 2009

ok never mind, that does not work either. I'm not sure how to do this. I'm trying to make it so only the profile owner can delete the comments. Maybe have the function on a different page?
pkedpker Posted June 17, 2009

$getcomments3 might have to be global:

    global $getcomments3
adamlacombe Posted June 17, 2009

What does that mean? Add something like:

    if(global($getcomments3[to] == $_SESSION['username']){
        mysql_query("DELETE FROM comments WHERE ID='$id'");
        echo "Done!";
    }else{
        echo "Cant";
    }
pkedpker Posted June 17, 2009

No, like this:

    function delete(){
        $id=$_GET['id'];
        global $getcomments3;
        if($getcomments3[to] == $_SESSION['username']){
            mysql_query("DELETE FROM comments WHERE ID='$id'");
            echo "Done!";
        }else{
            echo "Cant";
        }
    }

which means it will access getcomments declared outside the function. Obviously that will fix your problem. I'm surprised no one figured that out.
adamlacombe Posted June 17, 2009

darn it! that did not work. Any ideas on another way to secure the delete function?
pkedpker Posted June 17, 2009

Oops, use what I wrote.. but I didn't fix your other error: the key for the array cannot be to, it has to be a string. Replace all $getcomments3[to] with $getcomments3['to'].

To secure from SQL injection use escape_strings:

    function escape_string ($string) {
        if(version_compare(phpversion(),"4.3.0")=="-1") {
            return mysql_escape_string($string);
        } else {
            return mysql_real_escape_string($string);
        }
    }

    mysql_query("DELETE FROM blahblah WHERE ID='" . escape_string($id) . "'");

P.S. After reviewing your code I see no way $getcomments3['to'] will work even as a global.. because it's just a result from a mysql query.. somewhere far in the code. How do you expect it will have some information? You will have to recode it to something like the following. Honestly, if I cannot understand your code and you can't, you obviously fucked up somewhere. I see atm it's used like ?go=delete&id=someNumber. That's okay.. but how does it know where to get getcomments3 from? Maybe you meant ?go=delete&id=###&getcomments=somethinghere; then delete will be

    function delete($id, $getcomments) {
        blahblah
    }

and switch will look like this:

    switch($_GET['go']){
        case 'delete':
            delete($_GET['id'], $_GET['getcomments']);
            break;
    }

Get it? If you cannot understand the code you should rewrite it from scratch.. no point fixing something horribly bugged.
adamlacombe Posted June 17, 2009

ok, I kinda understand, but how would this protect the delete function from other users other than the profile owner? Sorry to be such a pain.
adamlacombe Posted June 17, 2009

.
pkedpker Posted June 17, 2009

Simple.. first, after you set up your sessions.. your sessions will hold an id key for the database index for each user, correct? When logging in also set up a session for admin.. 1 for admin, 0 for normal user.

    function isAdmin() {
        if (!session_is_registered('admin')) {
            return false;
        } else {
            return true;
        }
    }

    if(isAdmin()) {
        switch($_GET['go']){
            case 'delete':
                delete($_GET['id'], $_GET['getcomments']);
                break;
        }
    }

Yes, you will need 2 switch go's, one for admin commands, one for normal user commands. Or you can hardcode isAdmin into delete.. so any user can call delete.. but.. if he's not admin it will not work.. (but that would mean coding isAdmin everywhere in all admin commands? why, when you can do it just once.)
adamlacombe Posted June 17, 2009

close... that lets me (admin) delete them. I want the profile owner to be able to delete them but not anyone else.
pkedpker Posted June 17, 2009

isAdmin is an example.. instead of admin, set id, and check if profile.php?viewId=3424:

    if($_GET['viewId'] == $_SESSION['id']) canDoDelete();
adamlacombe Posted June 17, 2009

That's not working. Maybe it's something I'm doing... if you don't mind you could download the script I'm using. It's only like 7 files: http://bhaviksblog.com/02/php-login-system-tutorial-part-3/

comments:

    CREATE TABLE comments (
        ID bigint(20) NOT NULL auto_increment,
        `to` varchar(255) NOT NULL default '',
        `from` varchar(255) NOT NULL default '',
        subject varchar(255) NOT NULL default '',
        comment text NOT NULL,
        PRIMARY KEY (ID)
    )

You don't have to but...
pkedpker Posted June 17, 2009

I don't know man, I don't feel like learning new scripts.. it takes time and headaches to do that.. but what I suggest is to keep trying with what you know and were told. You got this:

    CREATE TABLE `db`.`users` (
        `id` INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
        `first` VARCHAR( 32 ) NOT NULL,
        `last` VARCHAR( 32 ) NOT NULL,
        `username` VARCHAR(32) NOT NULL,
        `password` VARCHAR(255) NOT NULL,
        `email` VARCHAR(255) NOT NULL,
        `about` TEXT NOT NULL
    ) ENGINE = MYISAM;

id is your primary auto incrementer, so that you can use it. To your comments table you can add a new row, call it from_id, and that id will hold the person who wrote that comment; that id will match the users id, so you can then join both and see if they can edit the comment etc..
adamlacombe Posted June 19, 2009

I've tried that.. is there a way to secure it from non-profile owners in the delete query?
adamlacombe Posted June 19, 2009

ok, I've finally got it!! All I had to do was:

    mysql_query("DELETE FROM comments WHERE ID='$id' AND `to`='{$_SESSION['username']}'");

I can't believe I hadn't thought of it before lol. Thanks for your time and help though.
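Added example for this thread, not code from any of the posters or from the linked tutorial: it puts the final owner-scoped DELETE next to the earlier "compare viewId to the session id" suggestion, and uses a prepared statement instead of interpolating $id into the SQL string (the injection point the escape_string post was about). It assumes PDO with the sqlite driver purely so it runs stand-alone; the function names and the sample rows are made up here, and the table mirrors the comments table posted above.

```php
<?php
// Added example for this thread; not the poster's code and not from the linked tutorial.
// Assumes PDO with the sqlite driver (pdo_sqlite) only so it runs stand-alone;
// the table mirrors the `comments` table posted above, the rows are constructed.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (
        ID INTEGER PRIMARY KEY AUTOINCREMENT,
        `to` TEXT NOT NULL,
        `from` TEXT NOT NULL,
        subject TEXT NOT NULL,
        comment TEXT NOT NULL
    )');
    $ins = $db->prepare('INSERT INTO comments (`to`, `from`, subject, comment) VALUES (?, ?, ?, ?)');
    $ins->execute(['alice', 'bob', 'hi', 'comment on the profile of alice']); // gets ID 1
    $ins->execute(['carol', 'bob', 'hi', 'comment on the profile of carol']); // gets ID 2
    return $db;
}

// The "viewId == session id" idea from earlier in the thread, written out.
// It only proves the caller is looking at a page for their own account; the
// DELETE itself is still keyed on the comment ID alone, so nothing ties the
// row being removed to the logged-in user.
function delete_comment_unscoped(PDO $db, int $id, string $requestedProfile, string $sessionUser): bool
{
    if ($requestedProfile !== $sessionUser) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM comments WHERE ID = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount() === 1;
}

// The thread's final answer, with a prepared statement instead of interpolating
// $id into the SQL string: the owner check is part of the WHERE clause, so a
// comment on someone else's profile is simply never matched, and rowCount()
// tells the caller whether a row was actually deleted.
function delete_comment_owner_scoped(PDO $db, int $id, ?string $sessionUser): bool
{
    if ($sessionUser === null || $sessionUser === '') {
        return false; // not logged in: nothing to scope the delete to
    }
    $stmt = $db->prepare('DELETE FROM comments WHERE ID = ? AND `to` = ?');
    $stmt->execute([$id, $sessionUser]);
    return $stmt->rowCount() === 1;
}

function count_comments(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM comments')->fetchColumn();
}

// Walk-through: alice is logged in ($_SESSION['username'] would be 'alice' in
// the real page). Comment ID 2 sits on carol's profile, ID 1 on alice's.
$db = make_db();
printf("owner-scoped, ID 2 as alice: %s\n", delete_comment_owner_scoped($db, 2, 'alice') ? 'deleted' : 'refused');
printf("owner-scoped, ID 1 as alice: %s\n", delete_comment_owner_scoped($db, 1, 'alice') ? 'deleted' : 'refused');
printf("comments left: %d\n", count_comments($db));

$db = make_db();
printf("unscoped, ID 2 as alice viewing her own profile: %s\n", delete_comment_unscoped($db, 2, 'alice', 'alice') ? 'deleted' : 'refused');
printf("comments left: %d\n", count_comments($db));
```

Run it with `php example.php`. The design point is the one the thread arrived at: the authorization decision should be bound to the row being changed, inside the same statement, rather than to a client-supplied "which profile am I viewing" parameter, and the id that identifies the owner should come from the session, never from the request. If usernames can change, keying the `to` column on the users table id (as suggested above) is the more robust variant of the same check.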