messaging

onthespot

My problem is that as I use GET for the msg id, when I delete the message it uses the id from the URL.

 

$user=$_SESSION['username'];
$msgid=$_GET['messageid'];

$delete=mysql_query("DELETE FROM ".TBL_MESSAGES." WHERE to_user='$user' AND message_id='$msgid'");
header("Location: messages.php");
exit;

 

This is the code for delete_msgs.php

 

It doesn't let a user delete random messages, but it allows them to attempt it without an error message. How would I add that?

 

The following is the code for how the inbox displays.

 

<?php
$userfinal=$_SESSION['username'];

$get_messages = mysql_query("SELECT message_id FROM ".TBL_MESSAGES." WHERE to_user='$userfinal' ORDER BY message_id DESC") or die(mysql_error());
$get_messages2 = mysql_query("SELECT * FROM ".TBL_MESSAGES." WHERE to_user='$userfinal' ORDER BY message_id DESC") or die(mysql_error());
$num_messages = mysql_num_rows($get_messages);

echo '<ul>';
for($count = 1; $count <= $num_messages; $count++)
{
$row = mysql_fetch_array($get_messages2);

if($row['message_read'] == 0)
{
// unread message: show the title in bold
?>
<table>
<tr><td><?php echo '<b><a href="read_message.php?messageid=' . $row['message_id'] . '">' . $row['message_title'] . '</a></b><br>'; ?></td>
<td><?php echo '<a href="delete_message.php?messageid=' . $row['message_id'] . '">Delete</a><br>'; ?></td></tr></table>
<?php } else { ?>
<table><tr><td><?php echo '<a href="read_message.php?messageid=' . $row['message_id'] . '">' . $row['message_title'] . '</a><br>'; ?></td>
<td><?php echo '<a href="delete_message.php?messageid=' . $row['message_id'] . '">Del</a><br>'; ?></td></tr></table>
<?php
}
}
echo '</ul>';
echo '<form name="newmsgfrm" method="post" action="new_message.php">';
echo '<input type="submit" value="Send a New Message">';
echo '</form>';

echo '<form name="backfrm" method="post" action="index.php">';
echo '<input type="submit" value="Back to Home">';
echo '</form>';

 

Is this the best way to delete messages? And how can I add a checkbox option to this to allow for multiple delete! Thanks
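As an added example (not code from this thread or from the poster's application), here is one way to do the checkbox multi-delete the question asks for. The inbox becomes a single POST form with one checkbox per message, and the handler deletes only the selected ids that belong to the logged-in user in one prepared statement. Table and column names (TBL_MESSAGES, to_user, message_id, message_title, message_read) follow the thread; the CSRF token field, the in-memory SQLite database and the simulated POST are assumptions made so the script runs from the command line without a MySQL server.

```php
<?php
// Added example, not the thread's code. Checkbox multi-delete with ownership
// enforced in the DELETE itself. Uses an in-memory SQLite database via PDO so it
// runs from the CLI; in the real app $db would be the site's PDO connection.
declare(strict_types=1);

const TBL_MESSAGES = 'messages';   // same constant name the thread uses

function seed(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ' . TBL_MESSAGES . ' (message_id INTEGER PRIMARY KEY, to_user TEXT NOT NULL, message_title TEXT NOT NULL, message_read INTEGER NOT NULL DEFAULT 0)');
    // constructed sample rows: two messages for alice, one for bob
    $db->exec('INSERT INTO ' . TBL_MESSAGES . " (message_id, to_user, message_title, message_read) VALUES (1,'alice','hi',0),(2,'alice','re: hi',1),(3,'bob','lunch',0)");
    return $db;
}

// Render the inbox as one form: a checkbox per message plus a hidden anti-CSRF
// token, so another site cannot submit the delete form on the user's behalf.
// Titles are HTML-escaped because they come from other users.
function renderInbox(array $rows, string $csrfToken): string {
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $out = '<form method="post" action="delete_messages.php">' . "\n";
    $out .= '<input type="hidden" name="csrf" value="' . $h($csrfToken) . '">' . "\n";
    foreach ($rows as $row) {
        $id = (int) $row['message_id'];
        $title = $h($row['message_title']);
        $label = $row['message_read'] ? $title : "<b>$title</b>";   // unread in bold
        $out .= "<label><input type=\"checkbox\" name=\"ids[]\" value=\"$id\"> "
              . "<a href=\"read_message.php?messageid=$id\">$label</a></label><br>\n";
    }
    $out .= '<input type="submit" value="Delete selected">' . "\n</form>\n";
    return $out;
}

// Delete the selected messages that belong to $user. Ids are cast to int and bound
// through placeholders; the to_user condition is the authorisation check, so a
// tampered id for someone else's message simply matches nothing. Returns the
// number of rows actually deleted.
function deleteSelected(PDO $db, string $user, array $ids): int {
    $ids = array_values(array_unique(array_map('intval', $ids)));
    if ($ids === []) {
        return 0;
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare('DELETE FROM ' . TBL_MESSAGES . " WHERE to_user = ? AND message_id IN ($marks)");
    $stmt->execute(array_merge([$user], $ids));
    return $stmt->rowCount();
}

$db = seed();
$csrf = bin2hex(random_bytes(16));   // real app: store in $_SESSION and compare on POST

$stmt = $db->prepare('SELECT * FROM ' . TBL_MESSAGES . ' WHERE to_user = ? ORDER BY message_id DESC');
$stmt->execute(['alice']);
echo renderInbox($stmt->fetchAll(PDO::FETCH_ASSOC), $csrf);

// Simulated POST: alice ticks her messages 1 and 2 and also tampers in bob's 3.
$posted = ['csrf' => $csrf, 'ids' => ['1', '2', '3']];
if (!hash_equals($csrf, (string) ($posted['csrf'] ?? ''))) {
    exit("bad request\n");
}
$deleted = deleteSelected($db, 'alice', $posted['ids']);
$requested = count($posted['ids']);
printf("%d of %d selected messages deleted\n", $deleted, $requested);
if ($deleted < $requested) {
    echo "some selected messages could not be deleted (not yours or already gone)\n";
}
```

The deletion goes through POST rather than a GET link, since a GET that changes state can be triggered by an image tag or a prefetching browser. Comparing the affected-row count with the number of ids submitted is what gives the user the "could not delete" message without a separate SELECT.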


It doesn't let a user delete random messages, but it allows them to attempt it without an error message. How would I add that?

 

$user=$_SESSION['username'];
$msgid=$_GET['messageid'];

$search="SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";
$result = mysql_query($search);
if (mysql_num_rows($result) == 0)
  echo "you are unable to delete this message";
else
{
  $delete=mysql_query("DELETE FROM ".TBL_MESSAGES." WHERE to_user='$user' AND message_id='$msgid'");
  header("Location: messages.php");
  exit;
}


You do not define what you want to select, nor have the FROM in your select here:

 

$search="SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";

 

Also, you should never insert user input directly without properly escaping it. As is now people are free to delete what they want from your table.


Also, you should never insert user input directly without properly escaping it. As is now people are free to delete what they want from your table.

 

They can only delete messages that are addressed to the user who is logged in

$user=$_SESSION['username'];

 

change

$search="SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";

to

$search="SELECT * FROM ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";


Also, you should never insert user input directly without properly escaping it. As is now people are free to delete what they want from your table.

 

They can only delete messages that are addressed to the user who is logged in

$user=$_SESSION['username'];

 

change

$search="SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";

to

$search="SELECT * FROM ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";

 

No, that's where you're completely wrong. The code you present above makes it possible for me to delete all messages if I feel like it, not just those that are my own.
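To make the last reply concrete, here is an added example (not code from the thread) that runs the posted delete query against an in-memory SQLite database with a hostile messageid, and then the same delete done with a prepared statement. The table and column names (TBL_MESSAGES, to_user, message_id) follow the thread; the SQLite setup, the sample rows and the user names are assumptions so it runs from the command line.

```php
<?php
// Added example, not the thread's code: why the posted delete is injectable and
// how a prepared statement plus an affected-row check fixes it. In-memory SQLite
// via PDO stands in for the MySQL table; the injected condition behaves the same.
declare(strict_types=1);

const TBL_MESSAGES = 'messages';

function seed(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ' . TBL_MESSAGES . ' (message_id INTEGER PRIMARY KEY, to_user TEXT NOT NULL, message_title TEXT NOT NULL)');
    // constructed sample rows: two for alice, two for bob
    $db->exec('INSERT INTO ' . TBL_MESSAGES . " (message_id, to_user, message_title) VALUES (1,'alice','hi'),(2,'alice','re: hi'),(3,'bob','lunch'),(4,'bob','report')");
    return $db;
}

function countRows(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM ' . TBL_MESSAGES)->fetchColumn();
}

// The thread's pattern: the GET parameter interpolated straight into the SQL.
// With $msgid = "1' OR '1'='1" the statement becomes
//   DELETE ... WHERE to_user='alice' AND message_id='1' OR '1'='1'
// and because AND binds tighter than OR, the to_user filter no longer applies.
function deleteVulnerable(PDO $db, string $user, string $msgid): int {
    $sql = 'DELETE FROM ' . TBL_MESSAGES . " WHERE to_user='$user' AND message_id='$msgid'";
    return $db->exec($sql);   // rows deleted
}

// Hardened: placeholders keep the input as data, the ownership condition stays in
// the same statement (no separate SELECT needed), and the affected-row count says
// whether the message existed and belonged to this user.
function deleteHardened(PDO $db, string $user, string $msgid): int {
    $stmt = $db->prepare('DELETE FROM ' . TBL_MESSAGES . ' WHERE to_user = ? AND message_id = ?');
    $stmt->execute([$user, $msgid]);
    return $stmt->rowCount();
}

$payload = "1' OR '1'='1";   // what a hostile user puts in ?messageid=

$db = seed();
printf("before: %d rows\n", countRows($db));
$n = deleteVulnerable($db, 'alice', $payload);
printf("vulnerable delete removed %d rows, %d left (bob's messages are gone too)\n", $n, countRows($db));

$db = seed();
$n = deleteHardened($db, 'alice', $payload);
printf("hardened delete removed %d rows, %d left\n", $n, countRows($db));
if ($n === 0) {
    echo "you are unable to delete this message\n";   // the error the question asked for
}

// Normal use: alice can delete her own message 2 but not bob's message 3.
printf("own message: %d deleted\n", deleteHardened($db, 'alice', '2'));
printf("someone else's message: %d deleted\n", deleteHardened($db, 'alice', '3'));
```

The vulnerable run empties the table (4 rows removed), the hardened run with the same payload removes nothing, and the ownership check falls out of the row count rather than a separate query. The same applies to the original mysql_* code: mysql_affected_rows() after the DELETE gives the "unable to delete" signal without the extra SELECT.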
