onthespot Posted July 26, 2009

My problem is that, as I use GET for the msg id, when I delete the message it uses the id from the URL.

    <?php
    // delete_msgs.php
    $user  = $_SESSION['username'];
    $msgid = $_GET['messageid'];
    $delete = mysql_query("DELETE FROM ".TBL_MESSAGES." WHERE to_user='$user' AND message_id='$msgid'");
    header("Location: messages.php");
    exit;

This is the code for delete_msgs.php. It doesn't let a user delete random messages, but it allows them to attempt without an error message. How would I add that?

The following is the code for how the inbox displays.

    <?php
    $userfinal = $_SESSION['username'];
    // first query is only used to count the rows, the second to fetch them
    $get_messages  = mysql_query("SELECT message_id FROM ".TBL_MESSAGES." WHERE to_user='$userfinal' ORDER BY message_id DESC") or die(mysql_error());
    $get_messages2 = mysql_query("SELECT * FROM ".TBL_MESSAGES." WHERE to_user='$userfinal' ORDER BY message_id DESC") or die(mysql_error());
    $num_messages = mysql_num_rows($get_messages);
    echo '<ul>';
    for ($count = 1; $count <= $num_messages; $count++) {
        $row = mysql_fetch_array($get_messages2);
        if ($row['message_read'] == 0) {
            // unread message: bold title
    ?>
    <table><tr>
    <td><?php echo '<b><a href="read_message.php?messageid=' . $row['message_id'] . '">' . $row['message_title'] . '</a></b><br>'; ?></td>
    <td><?php echo '<a href="delete_message.php?messageid=' . $row['message_id'] . '">Delete</a><br>'; ?></td>
    </tr></table>
    <?php } else { ?>
    <table><tr>
    <td><?php echo '<a href="read_message.php?messageid=' . $row['message_id'] . '">' . $row['message_title'] . '</a><br>'; ?></td>
    <td><?php echo '<a href="delete_message.php?messageid=' . $row['message_id'] . '">Del</a><br>'; ?></td>
    </tr></table>
    <?php
        }
    }
    echo '</ul>';
    echo '<form name="newmsgfrm" method="post" action="new_message.php">';
    echo '<input type="submit" value="Send a New Message">';
    echo '</form>';
    echo '<form name="backfrm" method="post" action="index.php">';
    echo '<input type="submit" value="Back to Home">';
    echo '</form>';

Is this the best way to delete messages? And how can I add a checkbox option to this to allow for multiple deletes? Thanks

Link to comment https://forums.phpfreaks.com/topic/167495-messaging/
onthespot Posted July 26, 2009 Author

May I add, I mean that it doesn't allow users to delete messages that aren't their own by entering random IDs into the URL, but there is no error.
smerny Posted July 26, 2009

    It doesn't let a user delete random messages, but it allows them to attempt without an error message. How would I add that?

    <?php
    $user  = $_SESSION['username'];
    $msgid = $_GET['messageid'];
    // look the message up first so a missing row can be reported
    $search = "SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";
    $result = mysql_query($search);
    if (mysql_num_rows($result) == 0) {
        echo "you are unable to delete this message";
    } else {
        $delete = mysql_query("DELETE FROM ".TBL_MESSAGES." WHERE to_user='$user' AND message_id='$msgid'");
        header("Location: messages.php");
        exit;
    }
onthespot Posted July 26, 2009 Author

There's an error somewhere there?
onthespot Posted July 26, 2009 Author

So after I attempt to delete a msg, I get the following error.

    Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource
    you are unable to delete this message

Any ideas?
vineld Posted July 26, 2009

You do not define what you want to select, nor have the FROM in your select here:

    $search = "SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";

Also, you should never insert user input directly without properly escaping it. As it is now, people are free to delete what they want from your table.
smerny Posted July 26, 2009

    Also, you should never insert user input directly without properly escaping it. As it is now, people are free to delete what they want from your table.

They can only delete messages that are to the user who is logged in:

    $user = $_SESSION['username'];

Change

    $search = "SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";

to

    $search = "SELECT * FROM ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";
vineld Posted July 26, 2009

    They can only delete messages that are to the user who is logged in:

        $user = $_SESSION['username'];

    Change

        $search = "SELECT ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";

    to

        $search = "SELECT * FROM ".TBL_MESSAGES." WHERE to_user='".$user."' AND message_id='".$msgid."'";

No, that's where you're completely wrong. The code you present above makes it possible for me to delete all messages if I feel like it, not just those that are my own.
smerny Posted July 26, 2009

    $user = $_SESSION['username'];
    WHERE to_user='".$user."'

You can alter your session info?
vineld Posted July 26, 2009

        $user = $_SESSION['username'];
        WHERE to_user='".$user."'

    You can alter your session info?

Normally, no, but I can alter the SQL, which is much easier.
smerny Posted July 26, 2009

mysql_real_escape_string
vineld Posted July 26, 2009

    mysql_real_escape_string

Exactly, now you believe me? That was what I said in the first place.
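The disagreement in the replies above, whether a to_user value taken from the session protects the DELETE when messageid is spliced into the query string, can be settled by running the query. The following is an added example and not code from this thread: a Python/sqlite3 model of the PHP handler, with a constructed messages table holding two users' rows. vulnerable_delete builds the statement the way delete_msgs.php does; safe_delete binds the parameters instead and accepts a list of ids, which also covers the checkbox/multiple-delete question from the first post, and its row count doubles as the "you are unable to delete this message" check. The function names and sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original thread):
# (message_id, to_user, message_title)
SAMPLE_MESSAGES = [
    (1, "alice", "hello"),
    (2, "alice", "lunch?"),
    (3, "bob", "secret"),
]


def fresh_db():
    """In-memory table shaped like the thread's TBL_MESSAGES."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages ("
        "message_id INTEGER PRIMARY KEY, to_user TEXT, message_title TEXT)"
    )
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    return conn


def vulnerable_delete(conn, user, msgid):
    """Mirrors the PHP handler: `user` comes from the session, but `msgid`
    (from the URL) is pasted straight into the SQL text. Returns rows removed."""
    sql = "DELETE FROM messages WHERE to_user='%s' AND message_id='%s'" % (user, msgid)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def safe_delete(conn, user, msgids):
    """Hardened handler: ids are validated as integers and bound as parameters,
    several can be deleted in one statement (the checkbox case), and the row
    count tells the caller whether anything owned by `user` was actually removed
    (0 -> show "you are unable to delete this message")."""
    ids = []
    for raw in msgids:
        try:
            ids.append(int(raw))
        except (TypeError, ValueError):
            # anything that is not a plain integer id is simply ignored
            continue
    if not ids:
        return 0
    placeholders = ",".join("?" * len(ids))
    sql = "DELETE FROM messages WHERE to_user=? AND message_id IN (%s)" % placeholders
    cur = conn.execute(sql, [user] + ids)
    conn.commit()
    return cur.rowcount


def remaining_ids(conn):
    """Helper for inspecting what survived a delete."""
    return [r[0] for r in conn.execute("SELECT message_id FROM messages ORDER BY message_id")]


if __name__ == "__main__":
    # Attacker logged in as alice supplies a crafted messageid in the URL.
    payload = "1' OR '1'='1"
    conn = fresh_db()
    print("vulnerable, payload removed rows:", vulnerable_delete(conn, "alice", payload))
    print("remaining:", remaining_ids(conn))  # bob's message is gone too

    conn = fresh_db()
    print("safe, same payload removed rows:", safe_delete(conn, "alice", [payload]))
    print("safe, alice deleting bob's id 3:", safe_delete(conn, "alice", ["3"]))
    print("safe, alice deleting 1 and 2:", safe_delete(conn, "alice", ["1", "2"]))
    print("remaining:", remaining_ids(conn))
```

With the payload, the spliced statement becomes `... WHERE to_user='alice' AND message_id='1' OR '1'='1'`; the OR binds after the AND, so the to_user restriction no longer limits anything and every row goes, exactly as vineld says. The bound version never lets the id alter the statement text, and a zero row count is the natural place to emit the error message the original poster asked for.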