marcus Posted December 3, 2006

This is about my third time actually trying to get help from these boards for ONE problem. I am making a commenting/news system. I have an admin panel which allows the administrator to delete/edit the comments (so far only delete). Well, I have the code appearing to work by looking at it (I think), but when trying to delete the comments, it will just go back to the comment administrative index.

code:
[code]
<?php include('../header.php'); ?>
<?php
if ($_COOKIE['admin']) {
    // The action is read from two places: the query string and the POST body.
    $action = $_GET['act'];
    $act = $_POST['act'];

    if ($action == 'delete') {
        // Step 1: list news items that have comments enabled
        $NFin = "SELECT * FROM `news` WHERE `comments` = 1";
        $NFgo = mysql_query($NFin);
        $NFnu = mysql_num_rows($NFgo);
        if ($NFnu == 0) {
            echo "No active news";
        } else {
            echo "<table border=0 cellspacing=2 cellpadding=1>";
            echo "<form name=delcomfnews action='" . $_SERVER['PHP_SELF'] . "' method=post>";
            echo "<tr><td colspan=2 align=right><h3>Delete Comments - Step 1</h3>";
            echo "<tr><td>";
            echo "<select name=delcomnews>";
            while ($row1 = mysql_fetch_array($NFgo, MYSQL_BOTH)) {
                echo "<option value={$row1['id']}>{$row1['title']}</option>";
            }
            mysql_free_result($NFgo);
            echo "<td><input type=hidden name=act value=dels1><input type=submit value='Show Comments'>";
            echo "</form>";
            echo "</table>";
        }
    } else if ($act == 'dels1') {
        // Step 2: list the comments for the chosen news item, one delete form each
        $NFid = $_POST['delcomnews'];
        $NFin = "SELECT * FROM `comments` WHERE newsid = '$NFid'";
        $NFgo = mysql_query($NFin) or die(mysql_error());
        $NFnu = mysql_num_rows($NFgo);
        if ($NFnu == 0) {
            echo "There are no comments for news ID #$NFid";
        } else {
            echo "<table border=0 cellspacing=2 cellpadding=1>";
            echo "<tr><td colspan=2 align=right><h3>Delete Comments - Step 2</h3>";
            while ($row1 = mysql_fetch_array($NFgo, MYSQL_BOTH)) {
                echo "<tr><td>Posted by: {$row1['poster']}<td>({$row1['ip']})";
                echo "<tr><td colspan=2 align=left>{$row1['message']}";
                echo "<form name=delcom action='" . $_SERVER['PHP_SELF'] . "' method=post>";
                echo "<input type=hidden name=act value=delcomgo>";
                echo "<tr><td colspan=2 align=right><input type=hidden name=newid value=$NFid>"
                   . "<input type=hidden name=comid value={$row1['id']}>"
                   . "<input type=submit value='Delete Comment #{$row1['id']}'>";
                echo "</form>";
            }
            mysql_free_result($NFgo);
            echo "</table>";
        }

        // Step 3 handler: delete the comment and decrement the news item's counter.
        // This block sits inside the dels1 branch, not in the if/else-if chain.
        if ($act == 'delcomgo') {
            $comid = $_POST['comid'];
            $newid = $_POST['newid'];
            $DELcom = "DELETE FROM `comments` WHERE id = $comid";
            $DELsql = mysql_query($DELcom) or die(mysql_error());
            $sql1 = "SELECT camount FROM `news` WHERE id = $newid";
            $sql2 = mysql_query($sql1);
            $sql3 = mysql_fetch_assoc($sql2);
            $sql4 = $sql3['camount'];
            $sql5 = $sql4 - 1;
            $sql6 = "UPDATE `news` SET camount = '$sql5' WHERE id = $newid";
            $sql7 = mysql_query($sql6);
            echo "Comment ID #$comid has been deleted!";
        }
    } else if (!$act || !$action) {
        // Default: the comment admin index
        echo "<table border=0 cellspacing=3 cellpadding=2>";
        echo "<tr><td colspan=2 align=right><h3>Comment Admin</h3>";
        echo "<tr><td colspan=2 align=left><a href=comments.php?act=edit>Edit Comments</a>";
        echo "<tr><td colspan=2 align=left><a href=comments.php?act=delete>Delete Comments</a>";
        echo "</table>";
    }
} else {
    echo "Bad auth";
}
?>
<?php require('../footer.php'); ?>
[/code]
willfitch Posted December 3, 2006

Even though PHP will allow the string "delete" to be compared without quotes, you are completely wrong. Furthermore, if you don't put quotes within the GET, POST, COOKIE, and SESSION array keys, PHP will have to check for a constant named whatever your key is. This is not good practice, and it will issue E_STRICT errors if they are turned on.

Also, this looks like it's just a simple "controller" style script. Consider using a switch() statement rather than if/elseif/else constructs.

Here's the deal: you have two "actions" scoped: GET and POST. This leads me to believe you aren't sure which method the incoming data is executing. This is a serious security risk. Consider revising your script with quotes around your strings, and quotes within your array keys. Also, validate the incoming GET or POST act by either echoing it to the screen, or using print_r or var_dump to show incoming variables. QUOTE YOUR STRINGS!!
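The controller shape willfitch describes, written out as an added example (this is not marcus's script and not code from willfitch's post). It reads the action from exactly one source per request method, checks it against a fixed list in a switch(), quotes every string and array key, and binds the comment and news ids as integers instead of pasting them into the DELETE and UPDATE text as the original does; the counter is decremented in SQL inside a transaction rather than read, subtracted in PHP and written back. To run stand-alone it uses PDO with an in-memory SQLite database and constructed sample rows, which is an assumption for the demo; the original used the mysql_* extension against MySQL. Table and column names follow the thread's schema.

```php
<?php
// Added example, not the original script. Assumes the pdo_sqlite extension.
declare(strict_types=1);

// Resolve the action from one place only: read-only actions may arrive in the
// query string, state-changing ones only in the POST body. Anything else
// becomes 'index', so the handler never dispatches on an unchecked string.
function resolveAction(array $get, array $post, string $method): string
{
    $readOnly = ['index', 'delete'];
    $mutating = ['dels1', 'delcomgo'];
    if ($method === 'POST') {
        $act = $post['act'] ?? '';
        return in_array($act, $mutating, true) ? $act : 'index';
    }
    $act = $get['act'] ?? '';
    return in_array($act, $readOnly, true) ? $act : 'index';
}

// Delete one comment and decrement its news item's counter in one transaction.
// Both ids are bound parameters, never interpolated into the SQL text, and the
// comment must belong to the named news item for the delete to apply.
function deleteComment(PDO $db, int $comid, int $newid): bool
{
    $db->beginTransaction();
    $del = $db->prepare('DELETE FROM comments WHERE id = :id AND newsid = :newsid');
    $del->execute([':id' => $comid, ':newsid' => $newid]);
    if ($del->rowCount() !== 1) {
        $db->rollBack();
        return false;
    }
    $upd = $db->prepare('UPDATE news SET camount = camount - 1 WHERE id = :newsid AND camount > 0');
    $upd->execute([':newsid' => $newid]);
    $db->commit();
    return true;
}

// Constructed sample data in an in-memory database (assumption for the demo).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, comments INTEGER, camount INTEGER)');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, newsid INTEGER, poster TEXT, ip TEXT, message TEXT)');
$db->exec("INSERT INTO news VALUES (1, 'First post', 1, 2)");
$db->exec("INSERT INTO comments VALUES (10, 1, 'alice', '127.0.0.1', 'hello'), (11, 1, 'bob', '127.0.0.1', 'hi')");

// Simulated requests (constructed): [method, $_GET, $_POST].
$cases = [
    ['GET',  ['act' => 'delete'],   []],                                                   // step 1 page
    ['GET',  ['act' => 'delcomgo'], []],                                                   // mutating act via GET: ignored
    ['POST', [],                    ['act' => 'delcomgo', 'comid' => '10', 'newid' => '1']], // real delete
    ['POST', [],                    ['act' => 'delcomgo', 'comid' => 'x11', 'newid' => '1']], // non-integer id: rejected
];

foreach ($cases as [$method, $get, $post]) {
    switch (resolveAction($get, $post, $method)) {
        case 'delcomgo':
            // FILTER_VALIDATE_INT returns false for anything that is not an integer,
            // so a malformed id is refused before any query is built.
            $comid = filter_var($post['comid'] ?? '', FILTER_VALIDATE_INT);
            $newid = filter_var($post['newid'] ?? '', FILTER_VALIDATE_INT);
            if ($comid === false || $newid === false) {
                echo "bad ids\n";
                break;
            }
            echo deleteComment($db, $comid, $newid) ? "deleted #$comid\n" : "no such comment\n";
            break;
        case 'delete':
        case 'dels1':
            echo "would render the step form ($method)\n";
            break;
        default:
            echo "index\n";
    }
}

echo 'remaining comments: ' . $db->query('SELECT COUNT(*) FROM comments')->fetchColumn() . "\n";
echo 'news.camount: ' . $db->query('SELECT camount FROM news WHERE id = 1')->fetchColumn() . "\n";
```

Run with `php example.php`: the GET with act=delcomgo lands on the index, the well-formed POST deletes comment 10 and leaves camount at 1, and the POST with a non-integer comid is refused before any SQL is prepared. Keeping the mutating actions POST-only and the allowlist in one function is what removes the "which method is this coming from" ambiguity the reply points at.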