A User can edit everyone’s posts!


bytesize


A logged-in user can edit or delete anyone's post. The user should only be able to edit their own posts and no one else's.

Can someone help me with this code?

 

config.php

<?php
  // $_SESSION is used by every helper below, so the session must be started first.
  if (session_status() === PHP_SESSION_NONE) {
    session_start();
  }

  function login($username, $password)
  {
    db_connect();

    // Note: the password is compared directly in SQL, i.e. stored in plaintext.
    $query = sprintf("SELECT * FROM
                                users
                      WHERE username = '%s' AND
                            password = '%s'
                     ", mysql_real_escape_string($username),
                        mysql_real_escape_string($password)
                    );
    $result = mysql_query($query);

    $number_of_posts = mysql_num_rows($result);

    if($number_of_posts == 0)
    {
      return false;
    }

    $row = mysql_fetch_array($result);

    // The whole user row (id, username, password column included) is kept in the session.
    $_SESSION['user'] = $row;

    return true;
  }

  // Reads one column of the logged-in user's row, e.g. current_user('id').
  function current_user($field)
  {
      return $_SESSION['user'][$field];
  }

  function check_authentication()
  {
    if(logged_in())
    {
      return true;
    }
    else
    {
      redirect_to('sessions/new');
    }
  }

  function logged_in()
  {
    // empty() avoids an undefined-index notice when nobody is logged in.
    return !empty($_SESSION['user']);
  }

  // The original file declared current_user() a second time here; redeclaring a
  // function is a fatal error in PHP, so the duplicate has been removed.
?>

 

This is the edit/delete page.

<?php if(logged_in()): ?>
  <p>
    [ <a href="<?php echo '/poststuff/'; ?>posts/<?php echo $post['id']; ?>/edit">Edit</a> ]
    [ <a href="<?php echo '/poststuff/'; ?>posts/<?php echo $post['id']; ?>/delete">Delete</a> ]
  </p>
<?php endif; ?>

 

Thank you for the quick response. Not working for me.

The function with the database.

<?php
function find_post($id)
    {
        db_connect();

        // posts.id is numeric and the placeholder was unquoted, so
        // mysql_real_escape_string() alone did not protect it (an input such as
        // "1 OR 1=1" contains nothing to escape). Cast to int and use %d instead.
        $query = sprintf("SELECT
                                posts.id as id,
                                posts.title,
                                posts.body,
                                posts.user_id,
                                users.username
                            FROM
                                posts, users
                            WHERE
                                posts.user_id = users.id AND posts.id = %d",
                                (int) $id
                            );
        $result = mysql_query($query);

        $number_of_posts = mysql_num_rows($result);
        if($number_of_posts == 0)
        {
            return false;
        }

        // Returns the post joined with its author's username, or false if not found.
        $row = mysql_fetch_array($result);

        return $row;
    }
?>

 

The switch.

case "show":
  $post = find_post($params['id']);
break;

 

I tried this but it doesn't work.

<?php if(logged_in() && $post['user_id'] == $user['id']): ?>
  <p>
    [ <a href="<?php echo '/'.APP_ROOT.'/'; ?>posts/<?php echo $post['id']; ?>/edit">Edit</a> ]
    [ <a href="<?php echo '/'.APP_ROOT.'/'; ?>posts/<?php echo $post['id']; ?>/delete">Delete</a> ]
  </p>
<?php endif; ?>

What am I missing?

 

try

 

<?php if(logged_in() && $post['user_id'] == $_SESSION['user']['id']): ?>

 

By the way, that will only control the showing/hiding of the [edit] and [delete] buttons. So essentially you will stop them from viewing the edit form if they don't own that post, but this is not enough. You need to add code to the part of your system that saves the edited post so that it checks that the current logged in user id matches the author of the post they are trying to edit.
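As an added example (not code from the original thread or its author), here is how the server-side ownership check the reply above asks for could look in the handlers that save an edit and delete a post. It assumes the session layout and `posts`/`users` schema shown in the thread (`$_SESSION['user']['id']`, `posts.user_id`) and uses PDO with prepared statements instead of the `mysql_*` functions; the PDO connection details, the `$params` dispatcher, and the helper names (`db`, `current_user_id`, `find_owned_post`, `update_post_vulnerable`, `update_post`, `delete_post`) are hypothetical stand-ins for whatever the app actually uses.

```php
<?php
// Added example, not from the original thread. Assumes the session layout and
// posts/users schema shown above; the PDO DSN, the $params dispatcher and the
// redirect_to() helper are hypothetical stand-ins for the app's own code.

function db()
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=poststuff', 'app', 'secret', array(
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ));
    }
    return $pdo;
}

// Id of the logged-in user, or null when nobody is logged in.
function current_user_id()
{
    return isset($_SESSION['user']['id']) ? (int) $_SESSION['user']['id'] : null;
}

// Loads a post and checks ownership in one place. Returning null for both
// "no such post" and "not your post" keeps the two cases indistinguishable,
// so a user cannot probe which ids belong to other people.
function find_owned_post($post_id, $user_id)
{
    $stmt = db()->prepare('SELECT id, title, body, user_id FROM posts WHERE id = ?');
    $stmt->execute(array((int) $post_id));
    $post = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$post || (int) $post['user_id'] !== $user_id) {
        return null;
    }
    return $post;
}

// VULNERABLE (the situation described in the thread): trusts the id from the
// URL, so any logged-in user who requests /posts/<id>/edit can change any post.
function update_post_vulnerable($post_id, $title, $body)
{
    $stmt = db()->prepare('UPDATE posts SET title = ?, body = ? WHERE id = ?');
    $stmt->execute(array($title, $body, (int) $post_id));
}

// HARDENED: checks ownership first, and also scopes the UPDATE itself to the
// owner, so another user's row cannot change even if the check is bypassed.
function update_post($post_id, $title, $body)
{
    $user_id = current_user_id();
    if ($user_id === null) {
        http_response_code(401);
        return false;
    }
    if (find_owned_post($post_id, $user_id) === null) {
        http_response_code(404);
        return false;
    }
    $stmt = db()->prepare('UPDATE posts SET title = ?, body = ? WHERE id = ? AND user_id = ?');
    $stmt->execute(array($title, $body, (int) $post_id, $user_id));
    return $stmt->rowCount() === 1;
}

// Same idea for delete: the WHERE clause carries the owner, so a foreign post
// id simply matches nothing and rowCount() is 0.
function delete_post($post_id)
{
    $user_id = current_user_id();
    if ($user_id === null) {
        http_response_code(401);
        return false;
    }
    $stmt = db()->prepare('DELETE FROM posts WHERE id = ? AND user_id = ?');
    $stmt->execute(array((int) $post_id, $user_id));
    return $stmt->rowCount() === 1;
}

// Dispatcher fragment (hypothetical): the check runs on the request that saves
// the edit or performs the delete, not only where the Edit/Delete links render.
session_start();
$action = isset($params['action']) ? $params['action'] : '';
switch ($action) {
    case 'update':
        if (!update_post($params['id'], $_POST['title'], $_POST['body'])) {
            exit('Forbidden or not found');
        }
        redirect_to('posts/' . (int) $params['id']);
        break;
    case 'delete':
        if (!delete_post($params['id'])) {
            exit('Forbidden or not found');
        }
        redirect_to('posts');
        break;
}
```

The point of the two-layer check is that hiding the links only changes what the browser shows; the `/posts/<id>/edit` and `/posts/<id>/delete` URLs are still reachable by anyone who types them. Putting `user_id = ?` into the `UPDATE` and `DELETE` statements themselves means the database enforces ownership on every write, whatever the view layer did.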

Archived

This topic is now archived and is closed to further replies.
