
Hi Guys

 

Sorry for the lame title but I have absolutely no idea how to word this.

 

I have the following code which pulls a message from a database:

 

$messages_query = mysql_query("SELECT * FROM messages WHERE id='$message_id' AND recipient='$username'");
$messages_row = mysql_fetch_assoc($messages_query);

$sender = $messages_row['sender'];
$date = $messages_row['date'];
$time = $messages_row['time'];
$subject = $messages_row['subject'];
$message = $messages_row['message'];
$recipient = $messages_row['recipient']; // read from the fetched row, not the query resource

echo $sender . "<br />";
echo $date . "<br />";
echo $time . "<br />";
echo $subject . "<br />";
echo $message . "<br />";

 

As you can see, it only pulls the data if id='$message_id' AND recipient='$username'.

 

I wish to perform a die ("You are not authorised to view this message!"); if id='$message_id' or recipient='$username' is different.

 

Example:

The database reads id: 1 & username: user

 

The data would be displayed if $message_id = 1 and $username = user.

The die would be performed if $message_id = 5 and $username = user

 

I hope that makes sense, I've had a problem trying to word it correctly, let alone come up with a solution.

 

Does anybody know what I could do?

 

Thanks

 

I think you mean that if the row doesn't exist in the table, then "die". In which case, you could just do:

 

$messages_query = mysql_query("SELECT * FROM messages WHERE id='$message_id' AND recipient='$username'");

if(mysql_num_rows($messages_query) > 0) {
    list($sender, $date, $time, $subject, $message) = mysql_fetch_row($messages_query); // Shortened version of your long winded assign - may not work depending on your table structure.
    echo $sender . "<br />";
    echo $date . "<br />";
    echo $time . "<br />";
    echo $subject . "<br />";
    echo $message . "<br />";
} else {
    echo "You are not authorised to view this message!";
}

Don't use die for the message, handle it properly:

$messages_query = mysql_query("SELECT * FROM messages WHERE id='$message_id' AND recipient='$username'");
if(mysql_num_rows($messages_query) > 0)
{
   echo "In the database, verified authorization.";
}
else
{
   echo "No rows returned, denied.";
   //Redirect or whatever
}

I wish to perform a die ("You are not authorised to view this message!"); if id='$message_id' or recipient='$username' is different.

 

Different from what? You haven't included enough information for anyone to really be able to help you.

I think he meant if there are no matches in the DB.

Yeah, that's what I managed to decipher too :P

lol sorry, I knew people would have a problem, yeah, if there are no rows in the database that have both $message_id and the correct $username.

 

mattal999 and maq your solutions look good.

 

It's because I'm passing the message id in the URL when going from the inbox to the actual message, I wanted to stop users simply changing the id and viewing other people's messages, that's why I added the "AND recipient='$username'".

 

If the user tried to be clever and change the id in the address bar, instead of displaying a blank page I wanted to give them the error message.

 

I'll give your solutions a go and let you know how it went.

 

Thanks

 

 

That wasn't what I inferred from reading this line '"You are not authorised to view this message!"'. It sounds more like the OP wants to make sure the owner of the message is the one attempting to access it. I guess we'll have to wait for clarification . . .

Yeah sorry, I had a difficult time trying to explain it.

 

Basically if a user changes the message id in the address bar, and the id doesn't lead to a message they have received, return the error "You are not authorised to view this message!".

 

It seems a lot simpler now I know how to word it lol.

 

Doing the mysql_num_rows worked perfectly, thanks guys.

 

mattal999, assigning the variables that way didn't work, however I am interested in that technique as I have some pages that have around 30 variables, your way looks much easier. I will have to have a play and try to get it to work.
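Added example (not part of the original thread or any poster's code): the ownership check discussed above, written with PDO bound parameters so the id taken from the URL cannot alter the query, and with output escaped before it is echoed. The function names fetch_message_for and render_message are hypothetical, the rows are constructed sample data, and the in-memory SQLite database assumes the pdo_sqlite extension is loaded.

```php
<?php
// Added example, not code from the thread. Column names follow the thread's table.
function fetch_message_for(PDO $db, $message_id, string $username): ?array
{
    // Reject anything that is not a positive integer before querying.
    $id = filter_var($message_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // id and recipient are bound parameters: a value edited in the address
    // bar is handled as data and never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT sender, date, time, subject, message
           FROM messages WHERE id = :id AND recipient = :recipient'
    );
    $stmt->execute([':id' => $id, ':recipient' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function render_message(?array $row): string
{
    if ($row === null) {
        // Same answer for "no such id" and "someone else's message".
        return 'You are not authorised to view this message!';
    }
    $out = '';
    foreach ($row as $value) {
        // Escape stored text so a message body cannot inject markup.
        $out .= htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "<br />\n";
    }
    return $out;
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT,
           recipient TEXT, date TEXT, time TEXT, subject TEXT, message TEXT)');
$db->exec("INSERT INTO messages VALUES
  (1, 'alice', 'user', '2010-01-01', '10:00', 'Hi', '<b>hello</b>'),
  (5, 'bob', 'other', '2010-01-02', '11:00', 'Private', 'not for user')");

// In a real page $username comes from the logged-in session, never the request.
foreach (['1', '5', "1' OR '1'='1"] as $requested_id) {
    echo "id={$requested_id}: ", render_message(fetch_message_for($db, $requested_id, 'user')), "\n";
}
```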

 
