onthespot Posted July 26, 2009

My problem is that, as I use GET for the msg id, when I delete the message it uses the id from the URL.

    $user=$_SESSION['username'];
    $msgid=$_GET['messageid'];
    $delete=mysql_query("DELETE FROM ".TBL_MESSAGES." WHERE to_user='$user' AND message_id='$msgid'");
    header("Location: messages.php");

This is the code for delete_msgs.php. It doesn't let a user delete random messages, but it allows them to attempt without an error message. How would I add that?

The following is the code for how the inbox displays.

    $userfinal=$_SESSION['username'];
    $get_messages = mysql_query("SELECT message_id FROM ".TBL_MESSAGES." WHERE to_user='$userfinal' ORDER BY message_id DESC") or die(mysql_error());
    $get_messages2 = mysql_query("SELECT * FROM ".TBL_MESSAGES." WHERE to_user='$userfinal' ORDER BY message_id DESC") or die(mysql_error());
    $num_messages = mysql_num_rows($get_messages);
    echo '<ul>';
    for($count = 1; $count <= $num_messages; $count++) {
        $row = mysql_fetch_array($get_messages2);
        if($row['message_read'] == 0) {
    ?>
    <table>
    <tr><td><? echo '<b><a href="read_message.php?messageid=' . $row['message_id'] . '">' . $row['message_title'] . '</a></b><br>'; ?></td>
    <td><? echo '<a href="delete_message.php?messageid=' . $row['message_id'] . '">Delete</a><br>'; ?></td></tr></table>
    <? } else { ?>
    <table><tr><td><? echo '<a href="read_message.php?messageid=' . $row['message_id'] . '">' . $row['message_title'] . '</a><br>'; ?></td>
    <td><? echo '<a href="delete_message.php?messageid=' . $row['message_id'] . '">Del</a><br>'; ?></td></tr></table>
    <? } }
    echo '</ul>';
    echo '<form name="newmsgfrm" method="post" action="new_message.php">';
    echo '<input type="submit" value="Send a New Message">';
    echo '</form>';
    echo '<form name="backfrm" method="post" action="index.php">';
    echo '<input type="submit" value="Back to Home">';
    echo '</form>';

Is this the best way to delete messages? And how can I add a checkbox option to this to allow for multiple delete? Thanks
onthespot (Author) Posted July 26, 2009

May I add that I mean it doesn't allow users to delete messages that aren't their own by entering random IDs into the URL, but there is no error.
smerny Posted July 26, 2009

> It doesn't let a user delete random messages, but it allows them to attempt without an error message. How would I add that?

    $user=$_SESSION['username'];
    $msgid=$_GET['messageid'];
    $search="SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";
    $result = mysql_query($search);
    if (mysql_num_rows($result) == 0) {
        echo "you are unable to delete this message";
    } else {
        $delete=mysql_query("DELETE FROM ".TBL_MESSAGES." WHERE to_user='$user' AND message_id='$msgid'");
        header("Location: messages.php");
    }
onthespot (Author) Posted July 26, 2009

There's an error somewhere there?
onthespot (Author) Posted July 26, 2009

So after I attempt to delete a msg, I get the following error.

    Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource
    you are unable to delete this message

Any ideas?
vineld Posted July 26, 2009

You do not define what you want to select, nor have the FROM in your select here:

    $search="SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";

Also, you should never insert user input directly without properly escaping it. As it is now, people are free to delete what they want from your table.
smerny Posted July 26, 2009

> Also, you should never insert user input directly without properly escaping it. As it is now, people are free to delete what they want from your table.

They can only delete messages that are to the user who is logged in:

    $user=$_SESSION['username'];

Change

    $search="SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";

to

    $search="SELECT * FROM ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";
vineld Posted July 26, 2009

> They can only delete messages that are to the user who is logged in:
>
>     $user=$_SESSION['username'];
>
> Change
>
>     $search="SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";
>
> to
>
>     $search="SELECT * FROM ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";

No, that's where you're completely wrong. The code you present above makes it possible for me to delete all messages if I feel like it, not just those that are my own.
smerny Posted July 26, 2009

    $user=$_SESSION['username'];
    WHERE to_user='".$user."'

You can alter your session info?
vineld Posted July 26, 2009

> You can alter your session info?

Normally, no, but I can alter the SQL, which is much easier.
smerny Posted July 26, 2009

mysql_real_escape_string
vineld Posted July 26, 2009

> mysql_real_escape_string

Exactly, now you believe me? That was what I said in the first place.
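The point the thread settles on is that `to_user` coming from the session does not protect the query while `message_id` is pasted straight from the URL into the SQL text. The following is an added example, not code from anyone in the thread: a delete_message.php that binds both values with a mysqli prepared statement, validates the id as an integer first, uses affected_rows to produce the "unable to delete" message the original poster asked for, and accepts a POSTed checkbox array for the multiple-delete case. It assumes a mysqli connection in `$db`, the `TBL_MESSAGES` constant from the thread, an integer `message_id` column, and a form field named `messageid[]`.

```php
<?php
// Added example (not the original poster's code): hardened delete_message.php.
// Assumptions: $db is an open mysqli connection, TBL_MESSAGES is the table
// constant from the thread, message_id is an integer column, and the inbox
// form posts checkbox values as messageid[].
session_start();

if (empty($_SESSION['username'])) {
    header('Location: index.php');
    exit;
}
$user = $_SESSION['username'];

// Accept either the existing single GET link or an array of POSTed checkbox ids.
$raw = isset($_POST['messageid']) ? (array) $_POST['messageid']
     : (isset($_GET['messageid']) ? array($_GET['messageid']) : array());

// Only positive integers are valid ids; anything else is rejected before SQL is built.
$ids = array();
foreach ($raw as $id) {
    if (ctype_digit((string) $id) && (int) $id > 0) {
        $ids[] = (int) $id;
    }
}
if (count($ids) === 0) {
    exit('No valid message selected.');
}

// The id and the user are bound as parameters, never concatenated into the
// SQL text, so a crafted messageid cannot change the WHERE clause.
$stmt = $db->prepare('DELETE FROM ' . TBL_MESSAGES . ' WHERE to_user = ? AND message_id = ?');
$deleted = 0;
foreach ($ids as $id) {
    $stmt->bind_param('si', $user, $id);
    $stmt->execute();
    $deleted += $stmt->affected_rows;   // 0 when the row does not belong to this user
}
$stmt->close();

// affected_rows answers the original question: report attempts that deleted nothing.
if ($deleted < count($ids)) {
    exit('You are unable to delete ' . (count($ids) - $deleted) . ' of the selected messages.');
}
header('Location: messages.php');
exit;
```

For the checkbox variant, the inbox loop would print `<input type="checkbox" name="messageid[]" value="...">` per row inside one form that posts to this script, instead of a Delete link per row.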