Jump to content

Recommended Posts

When ever they click the red X on index.php, it deletes their posts and the X only shows up on their own posts. But when they enter index.php?id=50 in their address bar, it deletes post ID 50 even if it's not their own post. How do I stop this from happening?

 

<?php require "global_navigation.php"; ?>
<?php

if ($_SESSION['username']) {
echo ' <a href="logout.php"><img src="images/logout.png"></img></a> <a href="member_list.php"><img src="images/members.png"</a> <a href="search_input.php"><img src="images/search.png"></a> <a href="profiles.php"><img src="images/profile.png"></a> <a href="ucp.php"><img src="images/UCP.png"></a></b> <a href="acp.php"><img src="images/acp.png"></a> <a href="modcp.php"><img src="images/modcp.png"></a>';
}
else
{
echo '<a href="register.php"><img src="images/register.png"></img></a> <a href="login.php"><img src="images/log-in.png"></img></a> <a href="search_input.php"><img src="images/search.png"></a> <a href="profiles.php"><img src="images/profile.png"></a>';
echo "<br />";
echo $gmessage;
}

?>
<br />
<?php  

//connecting to the database
$connect = mysql_connect("$dbhost","$dbuser","$dbpassword") or die("Connection failed!");
mysql_select_db("$db") or die("Database fail!");

$delete = $_GET['id'];
$usernamesession = $_SESSION['username'];
$filename = 'install.php';

if (!$delete)
   {
   }
   else
   {

//delete
mysql_query("DELETE FROM posts WHERE id=''") 
or die(mysql_error());
}

if (file_exists($filename)) {
    echo "<div class='box'>If you haven't yet installed commentBB, do so here: <a href='install.php'><b>Install</b></a> - If you already have, then delete install.php and/or installed.php for MAJOR security reasons!</div>";
}
else
{

if ($_SESSION['username']) 
{
echo "<br />Logged in as <b> ".$_SESSION['username']."</b>!<br />";
}
else
   exit
?>

<?php



?>
<?php 

if ($disabled==0) {
echo '<form action="post.php" method="POST">
Message <br><br><textarea name="message" rows="10" cols="100">

</textarea><br>
<input type="submit" value="Post it!">
</form></center></span><hr>
<br>';
}
else {
   echo "<div class='box'>Posting disabled!</div>";
}

//max displayed per page
$per_page = 8;

//get start variable
$start = $_GET['start'];

//count records
$record_count = mysql_num_rows(mysql_query("SELECT * FROM posts"));

//count max pages
$max_pages = $record_count / $per_page; //may come out as decimal

if (!$start)
   $start = 0;

//staff CHECK
$get2 = mysql_query("SELECT * FROM users WHERE username='$name'");
while ($row2 = mysql_fetch_assoc($get2))

{
// get data
$staffcheck = $row2['staff'];
}
   
//display data
$get = mysql_query("SELECT * FROM posts ORDER BY id DESC LIMIT $start, $per_page");
while ($row = mysql_fetch_assoc($get))

{
// get data
$id = $row['id'];
$name = $row['name'];
$message = $row['message'];

if ($staffcheck ==2) {
    $name = " <img src='$acrown'></img><b> $owner</b></a>";
}


//smileys
$before = array('', '', '', '');
$after   = array('<img src="smileys/happy.png">', '<img src="smileys/sad.png">', '<img src="smileys/wide.png">', '<img src="smileys/tounge.png">');
$output  = str_replace($before, $after, $message);

if ($name=="$usernamesession")
   {
   $name = "<a href='index.php?id=$id'><span style='color:red'>X</span></a> $name";
   }

echo "<center><b><a href='report.php?id=$id'><img src='images/report.png' alt='Report'></img></a> ($id)Posted by:</b> ".$name."</a><br /><b>".$output."<hr></b>";

}

//setup prev and next variables
$prev = $start - $per_page;
$next = $start + $per_page;

//show prev button
if (!($start<=0))
       echo "<a href='index.php?start=$prev'>Prev</a> ";

//show page numbers

//set variable for first page
$i=1;

for ($x=0;$x<$record_count;$x=$x+$per_page)
{
if ($start!=$x)
    echo " <a href='index.php?start=$x'>$i</a> ";
else
    echo " <a href='index.php?start=$x'><b>$i</b></a> ";
$i++;
}

//show next button
if (!($start>=$record_count-$per_page))
       echo " <a href='index.php?start=$next'>Next</a>";
   }

//prosses of getting the numbers

        $construct = "SELECT * FROM posts";
        $run = mysql_query($construct);

        $foundnum = (mysql_num_rows($run));

//prosses of getting the numbers for users

        $construct2 = "SELECT * FROM users";
        $run2 = mysql_query($construct2);

        $foundnum2 = (mysql_num_rows($run2));

   
echo "<br /><br />Total comments: ";
echo $foundnum;
echo " ||";
echo " Total members: ";
echo $foundnum2;
?>
</font></td>
										</tr>
									</tbody>
								</table></td>
							</tr>
						</tbody>
					</table>
					</td>
				</tr>
			</tbody>
		</table>
		</center>
		<table class="tborder" cellpadding="4" cellspacing="1" width="67%">
			<tbody>
				<tr>
					<td class="thead"><font face="Trebuchet MS"><strong>  
					Copyright</strong></font></td>
				</tr>
				<tr>
					<td class="trow1">
					<table border="0" cellpadding="4" width="100%">
						<tbody>
							<tr>
								<td class="trow1">
								<p align="center">
<span class="smalltext" style="display: inline; visibility: visible; font-family: Trebuchet MS; font-weight: 700">
<a title="Simple Machines Forum" target="_blank" class="new_win" href="http://commentbb.com">
<font size="2">Powered by CommentBB 1.0 BETA</font></a><font size="2"> |
</font><a href="http://commentbb.com"><font size="2">CBB is © 2009, CommentBB 
INC</font></a></span></td>
							</tr>
						</tbody>
					</table></td>
				</tr>
			</tbody>
		</table> </div>
<font face="Trebuchet MS">
<!-- end: footer -->
<!-- end: portal --></font></body></html>

Doesn't seem to be working for me.

 

<?php require "global_navigation.php"; ?>
<?php

if ($_SESSION['username']) {
echo ' <a href="logout.php"><img src="images/logout.png"></img></a> <a href="member_list.php"><img src="images/members.png"</a> <a href="search_input.php"><img src="images/search.png"></a> <a href="profiles.php"><img src="images/profile.png"></a> <a href="ucp.php"><img src="images/UCP.png"></a></b> <a href="acp.php"><img src="images/acp.png"></a> <a href="modcp.php"><img src="images/modcp.png"></a>';
}
else
{
echo '<a href="register.php"><img src="images/register.png"></img></a> <a href="login.php"><img src="images/log-in.png"></img></a> <a href="search_input.php"><img src="images/search.png"></a> <a href="profiles.php"><img src="images/profile.png"></a>';
echo "<br />";
echo $gmessage;
}

?>
<br />
<?php  

//connecting to the database
$connect = mysql_connect("$dbhost","$dbuser","$dbpassword") or die("Connection failed!");
mysql_select_db("$db") or die("Database fail!");

$delete = $_GET['id'];
$usernamesession = $_SESSION['username'];
$filename = 'install.php';

if($_SESSION['username'] == $_GET['id']){
     mysql_query("DELETE FROM posts WHERE id='$delete'");
}

if (file_exists($filename)) {
    echo "<div class='box'>If you haven't yet installed commentBB, do so here: <a href='install.php'><b>Install</b></a> - If you already have, then delete install.php and/or installed.php for MAJOR security reasons!</div>";
}
else
{

if ($_SESSION['username']) 
{
echo "<br />Logged in as <b> ".$_SESSION['username']."</b>!<br />";
}
else
   exit
?>

<?php



?>
<?php 

if ($disabled==0) {
echo '<form action="post.php" method="POST">
Message <br><br><textarea name="message" rows="10" cols="100">

</textarea><br>
<input type="submit" value="Post it!">
</form></center></span><hr>
<br>';
}
else {
   echo "<div class='box'>Posting disabled!</div>";
}

//max displayed per page
$per_page = 8;

//get start variable
$start = $_GET['start'];

//count records
$record_count = mysql_num_rows(mysql_query("SELECT * FROM posts"));

//count max pages
$max_pages = $record_count / $per_page; //may come out as decimal

if (!$start)
   $start = 0;

//staff CHECK
$get2 = mysql_query("SELECT * FROM users WHERE username='$name'");
while ($row2 = mysql_fetch_assoc($get2))

{
// get data
$staffcheck = $row2['staff'];
}
   
//display data
$get = mysql_query("SELECT * FROM posts ORDER BY id DESC LIMIT $start, $per_page");
while ($row = mysql_fetch_assoc($get))

{
// get data
$id = $row['id'];
$name = $row['name'];
$message = $row['message'];

if ($staffcheck ==2) {
    $name = " <img src='$acrown'></img><b> $owner</b></a>";
}


//smileys
$before = array('', '', '', '');
$after   = array('<img src="smileys/happy.png">', '<img src="smileys/sad.png">', '<img src="smileys/wide.png">', '<img src="smileys/tounge.png">');
$output  = str_replace($before, $after, $message);

if ($name=="$usernamesession")
   {
   $name = "<a href='index.php?id=$id'><span style='color:red'>X</span></a> $name";
   }

echo "<center><b><a href='report.php?id=$id'><img src='images/report.png' alt='Report'></img></a> ($id)Posted by:</b> ".$name."</a><br /><b>".$output."<hr></b>";

}

//setup prev and next variables
$prev = $start - $per_page;
$next = $start + $per_page;

//show prev button
if (!($start<=0))
       echo "<a href='index.php?start=$prev'>Prev</a> ";

//show page numbers

//set variable for first page
$i=1;

for ($x=0;$x<$record_count;$x=$x+$per_page)
{
if ($start!=$x)
    echo " <a href='index.php?start=$x'>$i</a> ";
else
    echo " <a href='index.php?start=$x'><b>$i</b></a> ";
$i++;
}

//show next button
if (!($start>=$record_count-$per_page))
       echo " <a href='index.php?start=$next'>Next</a>";
   }

//prosses of getting the numbers

        $construct = "SELECT * FROM posts";
        $run = mysql_query($construct);

        $foundnum = (mysql_num_rows($run));

//prosses of getting the numbers for users

        $construct2 = "SELECT * FROM users";
        $run2 = mysql_query($construct2);

        $foundnum2 = (mysql_num_rows($run2));

   
echo "<br /><br />Total comments: ";
echo $foundnum;
echo " ||";
echo " Total members: ";
echo $foundnum2;
?>
</font></td>
										</tr>
									</tbody>
								</table></td>
							</tr>
						</tbody>
					</table>
					</td>
				</tr>
			</tbody>
		</table>
		</center>
		<table class="tborder" cellpadding="4" cellspacing="1" width="67%">
			<tbody>
				<tr>
					<td class="thead"><font face="Trebuchet MS"><strong>  
					Copyright</strong></font></td>
				</tr>
				<tr>
					<td class="trow1">
					<table border="0" cellpadding="4" width="100%">
						<tbody>
							<tr>
								<td class="trow1">
								<p align="center">
<span class="smalltext" style="display: inline; visibility: visible; font-family: Trebuchet MS; font-weight: 700">
<a title="Simple Machines Forum" target="_blank" class="new_win" href="http://commentbb.com">
<font size="2">Powered by CommentBB 1.0 BETA</font></a><font size="2"> |
</font><a href="http://commentbb.com"><font size="2">CBB is © 2009, CommentBB 
INC</font></a></span></td>
							</tr>
						</tbody>
					</table></td>
				</tr>
			</tbody>
		</table> </div>
<font face="Trebuchet MS">
<!-- end: footer -->
<!-- end: portal --></font></body></html>

I've added that, but it doesn't even delete the posts. http://www.commentbb.com/demo/

 

Code

 

<?php require "global_navigation.php"; ?>
<?php

if ($_SESSION['username']) {
echo ' <a href="logout.php"><img src="images/logout.png"></img></a> <a href="member_list.php"><img src="images/members.png"</a> <a href="search_input.php"><img src="images/search.png"></a> <a href="profiles.php"><img src="images/profile.png"></a> <a href="ucp.php"><img src="images/UCP.png"></a></b> <a href="acp.php"><img src="images/acp.png"></a> <a href="modcp.php"><img src="images/modcp.png"></a>';
}
else
{
echo '<a href="register.php"><img src="images/register.png"></img></a> <a href="login.php"><img src="images/log-in.png"></img></a> <a href="search_input.php"><img src="images/search.png"></a> <a href="profiles.php"><img src="images/profile.png"></a>';
echo "<br />";
echo $gmessage;
}

?>
<br />
<?php  

//connecting to the database
$connect = mysql_connect("$dbhost","$dbuser","$dbpassword") or die("Connection failed!");
mysql_select_db("$db") or die("Database fail!");

$delete = $_GET['id'];
$usernamesession = $_SESSION['username'];
$filename = 'install.php';

if (!$delete)
   {
   } else {
mysql_query("DELETE FROM posts WHERE id='$delete' AND owner='".$_SESSION['id']."'"); }

if (file_exists($filename)) {
    echo "<div class='box'>If you haven't yet installed commentBB, do so here: <a href='install.php'><b>Install</b></a> - If you already have, then delete install.php and/or installed.php for MAJOR security reasons!</div>";
}
else
{

if ($_SESSION['username']) 
{
echo "<br />Logged in as <b> ".$_SESSION['username']."</b>!<br />";
}
else
   exit
?>

<?php



?>
<?php 

if ($disabled==0) {
echo '<form action="post.php" method="POST">
Message <br><br><textarea name="message" rows="10" cols="100">

</textarea><br>
<input type="submit" value="Post it!">
</form></center></span><hr>
<br>';
}
else {
   echo "<div class='box'>Posting disabled!</div>";
}

//max displayed per page
$per_page = 8;

//get start variable
$start = $_GET['start'];

//count records
$record_count = mysql_num_rows(mysql_query("SELECT * FROM posts"));

//count max pages
$max_pages = $record_count / $per_page; //may come out as decimal

if (!$start)
   $start = 0;

//staff CHECK
$get2 = mysql_query("SELECT * FROM users WHERE username='$name'");
while ($row2 = mysql_fetch_assoc($get2))

{
// get data
$staffcheck = $row2['staff'];
}
   
//display data
$get = mysql_query("SELECT * FROM posts ORDER BY id DESC LIMIT $start, $per_page");
while ($row = mysql_fetch_assoc($get))

{
// get data
$id = $row['id'];
$name = $row['name'];
$message = $row['message'];

if ($staffcheck ==2) {
    $name = " <img src='$acrown'></img><b> $owner</b></a>";
}


//smileys
$before = array('', '', '', '');
$after   = array('<img src="smileys/happy.png">', '<img src="smileys/sad.png">', '<img src="smileys/wide.png">', '<img src="smileys/tounge.png">');
$output  = str_replace($before, $after, $message);

if ($name=="$usernamesession")
   {
   $name = "<a href='index.php?id=$id'><span style='color:red'>X</span></a> $name";
   }

echo "<center><b><a href='report.php?id=$id'><img src='images/report.png' alt='Report'></img></a> ($id)Posted by:</b> ".$name."</a><br /><b>".$output."<hr></b>";

}

//setup prev and next variables
$prev = $start - $per_page;
$next = $start + $per_page;

//show prev button
if (!($start<=0))
       echo "<a href='index.php?start=$prev'>Prev</a> ";

//show page numbers

//set variable for first page
$i=1;

for ($x=0;$x<$record_count;$x=$x+$per_page)
{
if ($start!=$x)
    echo " <a href='index.php?start=$x'>$i</a> ";
else
    echo " <a href='index.php?start=$x'><b>$i</b></a> ";
$i++;
}

//show next button
if (!($start>=$record_count-$per_page))
       echo " <a href='index.php?start=$next'>Next</a>";
   }

//prosses of getting the numbers

        $construct = "SELECT * FROM posts";
        $run = mysql_query($construct);

        $foundnum = (mysql_num_rows($run));

//prosses of getting the numbers for users

        $construct2 = "SELECT * FROM users";
        $run2 = mysql_query($construct2);

        $foundnum2 = (mysql_num_rows($run2));

   
echo "<br /><br />Total comments: ";
echo $foundnum;
echo " ||";
echo " Total members: ";
echo $foundnum2;
?>
</font></td>
										</tr>
									</tbody>
								</table></td>
							</tr>
						</tbody>
					</table>
					</td>
				</tr>
			</tbody>
		</table>
		</center>
		<table class="tborder" cellpadding="4" cellspacing="1" width="67%">
			<tbody>
				<tr>
					<td class="thead"><font face="Trebuchet MS"><strong>  
					Copyright</strong></font></td>
				</tr>
				<tr>
					<td class="trow1">
					<table border="0" cellpadding="4" width="100%">
						<tbody>
							<tr>
								<td class="trow1">
								<p align="center">
<span class="smalltext" style="display: inline; visibility: visible; font-family: Trebuchet MS; font-weight: 700">
<a title="Simple Machines Forum" target="_blank" class="new_win" href="http://commentbb.com">
<font size="2">Powered by CommentBB 1.0 BETA</font></a><font size="2"> |
</font><a href="http://commentbb.com"><font size="2">CBB is © 2009, CommentBB 
INC</font></a></span></td>
							</tr>
						</tbody>
					</table></td>
				</tr>
			</tbody>
		</table> </div>
<font face="Trebuchet MS">
<!-- end: footer -->
<!-- end: portal --></font></body></html>

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.