bytesize Posted October 15, 2010

A logged-in user can edit or delete anyone's post. The user should only be able to edit their posts and no one else's. Can someone help me with this code?

config.php

```php
<?php
function login($username, $password) {
    db_connect();
    // Look up a user whose username and password both match the submitted values.
    $query = sprintf("SELECT * FROM users WHERE username = '%s' AND password = '%s'",
        mysql_real_escape_string($username),
        mysql_real_escape_string($password)
    );
    $result = mysql_query($query);
    $number_of_rows = mysql_num_rows($result);
    if ($number_of_rows == 0) {
        return false;
    }
    // Keep the whole user row in the session; current_user() reads fields from it.
    $row = mysql_fetch_array($result);
    $_SESSION['user'] = $row;
    return true;
}

function current_user($field) {
    return $_SESSION['user'][$field];
}

function check_authentication() {
    if (!empty($_SESSION['user'])) {
        return true;
    } else {
        redirect_to('sessions/new');
    }
}

function logged_in() {
    return !empty($_SESSION['user']);
}
?>
```

This is the edit/delete page.

```php
<?php if (logged_in()): ?>
<p>
  [ <a href="<?php echo '/poststuff/'; ?>posts/<?php echo $post['id']; ?>/edit">Edit</a> ]
  [ <a href="<?php echo '/poststuff/'; ?>posts/<?php echo $post['id']; ?>/delete">Delete</a> ]
</p>
<?php endif; ?>
```

https://forums.phpfreaks.com/topic/215954-a-user-can-edit-everyone%E2%80%99s-posts/
ignace Posted October 15, 2010

```php
if (logged_in() && $post['author_id'] == $user['id'])
```
bytesize (Author) Posted October 15, 2010

Thank you for the quick response. Not working for me. The function with the database:

```php
<?php
function find_post($id) {
    db_connect();
    // Join posts to users so the view has the author's username alongside posts.user_id.
    // The id is numeric, so it is cast to an integer and formatted with %d; escaping
    // alone does not protect a value that is interpolated without quotes.
    $query = sprintf("SELECT posts.id AS id, posts.title, posts.body, posts.user_id, users.username
                      FROM posts, users
                      WHERE posts.user_id = users.id AND posts.id = %d",
        (int) $id
    );
    $result = mysql_query($query);
    $number_of_posts = mysql_num_rows($result);
    if ($number_of_posts == 0) {
        return false;
    }
    $row = mysql_fetch_array($result);
    return $row;
}
?>
```

The switch:

```php
case "show":
    $post = find_post($params['id']);
    break;
```

I tried this but it doesn't work.

```php
<?php if (logged_in() && $post['user_id'] == $user['id']): ?>
<p>
  [ <a href="<?php echo '/'.APP_ROOT.'/'; ?>posts/<?php echo $post['id']; ?>/edit">Edit</a> ]
  [ <a href="<?php echo '/'.APP_ROOT.'/'; ?>posts/<?php echo $post['id']; ?>/delete">Delete</a> ]
</p>
<?php endif; ?>
```

What am I missing?
the182guy Posted October 15, 2010

Try

```php
<?php if (logged_in() && $post['user_id'] == $_SESSION['user']['id']): ?>
```

By the way, that will only control the showing/hiding of the [edit] and [delete] buttons. So essentially you will stop them from viewing the edit form if they don't own that post, but this is not enough. You need to add code to the part of your system that saves the edited post so that it checks that the current logged-in user id matches the author of the post they are trying to edit.
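The server-side check the reply above calls for, as an added example that is not code from the thread or from any poster. It assumes the thread's schema (posts.id, posts.user_id, users.id) and its convention of keeping the logged-in user's row in $_SESSION['user'], but uses PDO with prepared statements rather than the mysql_* extension the thread uses (that extension was removed in PHP 7). The function names are hypothetical, and the demo at the bottom runs against an in-memory SQLite database with constructed rows so the block works stand-alone.

```php
<?php
// Added example, not from the thread. Hiding the Edit/Delete links only changes what the
// page shows; a user can still request /posts/<id>/edit or /posts/<id>/delete directly.
// The handler that performs the write must therefore verify ownership itself.
//
// Assumptions (not from the original post): a PDO connection, the thread's schema
// (posts.id, posts.user_id, users.id), and $_SESSION['user'] holding the user's row.

function current_user_id(): ?int {
    // Identity comes only from the session, never from a request parameter.
    return isset($_SESSION['user']['id']) ? (int) $_SESSION['user']['id'] : null;
}

// Vulnerable shape, shown for contrast: it trusts that only the owner ever reaches this
// URL, so any logged-in user who requests /posts/42/delete removes post 42.
function delete_post_vulnerable(PDO $pdo, int $post_id): bool {
    $stmt = $pdo->prepare('DELETE FROM posts WHERE id = ?');
    $stmt->execute([$post_id]);
    return $stmt->rowCount() === 1;
}

// Hardened: the ownership condition is part of the statement itself, so there is no gap
// between "check" and "act", and a non-owner simply matches zero rows.
function delete_post(PDO $pdo, int $post_id): bool {
    $uid = current_user_id();
    if ($uid === null) {
        return false; // not logged in: same outcome as "no such post"
    }
    $stmt = $pdo->prepare('DELETE FROM posts WHERE id = ? AND user_id = ?');
    $stmt->execute([$post_id, $uid]);
    return $stmt->rowCount() === 1;
}

function update_post(PDO $pdo, int $post_id, string $title, string $body): bool {
    $uid = current_user_id();
    if ($uid === null) {
        return false;
    }
    // On MySQL, open the connection with PDO::MYSQL_ATTR_FOUND_ROWS => true so that
    // rowCount() reports matched rows; otherwise saving a post without changing anything
    // is indistinguishable from a denied edit.
    $stmt = $pdo->prepare('UPDATE posts SET title = ?, body = ? WHERE id = ? AND user_id = ?');
    $stmt->execute([$title, $body, $post_id, $uid]);
    return $stmt->rowCount() === 1;
}

// --- Demo with constructed data: an in-memory SQLite database standing in for MySQL ---
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT, body TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
$pdo->exec("INSERT INTO posts VALUES (42, 1, 'Alice''s post', 'owned by user 1')");

$post42_exists = fn(): bool =>
    (int) $pdo->query('SELECT COUNT(*) FROM posts WHERE id = 42')->fetchColumn() === 1;

// bob (user 2) is logged in and sends requests aimed at alice's post 42.
$_SESSION = ['user' => ['id' => 2, 'username' => 'bob']];

$results = [
    'hardened update by non-owner'   => update_post($pdo, 42, 'defaced', 'by bob'),
    'hardened delete by non-owner'   => delete_post($pdo, 42),
    'post 42 still present'          => $post42_exists(),
    'vulnerable delete by non-owner' => delete_post_vulnerable($pdo, 42),
    'post 42 present afterwards'     => $post42_exists(),
];

foreach ($results as $label => $value) {
    printf("%-32s %s\n", $label, $value ? 'true' : 'false');
}
```

Run with `php` from the command line (the pdo_sqlite extension must be loaded). Both hardened calls return false and post 42 survives, because bob's session id never matches posts.user_id; the unchecked handler then returns true and the post is gone. Putting the `user_id = ?` condition in the statement, rather than doing a separate SELECT and comparing in PHP, also means there is no window in which the post could change hands between the check and the write.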
bytesize (Author) Posted October 15, 2010

Your code works and so does this:

```php
<?php if (current_user('id') && $post['user_id'] == current_user('id')): ?>
```

I can edit and delete a post with the current user! Thank you for your help.