PNewCode, Posted June 27, 2023

Hello all. First, I'm not ENTIRELY sure what would need to be included to show you for this help, so my apologies in advance. If there is something more you need to see, just let me know and I'll be happy to post it as well.

So, what I have is a page where users can make a post, comment, etc. It works beautifully. Also, I just made a delete button that can delete individual comments and posts, and this works as well. THE PROBLEM is that any user can delete any and all posts. I need to adjust this so that only the logged-in user can delete their own posts and comments and not anyone else's.

So below is some of the page's scripting (or "coding"... to be honest I never know what the proper word is for that haha). And if I am too vague on this, then please accept my apology in advance. Since the page is really long in the scripting, I wanted to start with the bare bones to keep from too much clutter in this post.

The delete button:

    <a href="delete-post.php?id='.$row['id'].'"><button class="btn3">DELETE</button></a>

And the MySQL connect (I didn't include the connection info, but that isn't an issue connecting to the db). And I understand it will look strange with the $sql_l3 and the $result2 part, but it's because there are several connections in the page for different functions. Below is the one for the posts:

    $sql_l3 = "SELECT * FROM nametable ORDER BY id DESC";
    $result2 = $conn_l->query($sql_l3);
    if ($result2->num_rows > 0) {
        while ($row2 = $result2->fetch_assoc()) {
            if ($row2["post_id"] == $row["id"]) {
                $usercomment  = $row["usercomment"];
                $usercomment2 = $row2["usercomment"];
                $myid         = $row["myid"];
                // ... (rest of the loop body not shown in the post)
            }
        }
    }
Strider64, Posted June 27, 2023 (marked as Solution, edited)

You're going to need to set up some kind of security check. Here's an example:

    function check_security($id) {
        // Example of PHP Connection
        $db = new PDO('mysql:host=localhost;dbname=your_database', 'username', 'password');
        $sql = "SELECT security FROM user_table WHERE id=:id LIMIT 1";
        $stmt = $db->prepare($sql);
        // Bind the named parameter :id to the value $id
        $stmt->bindParam(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        // Fetch the result as an associative array
        $result = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($result && $result['security'] === 'admin') {
            return true;
        }
        return false;
    }

then simply

    // Check if the user has admin security by calling the check_security function
    if (check_security($id)) {
        // If the function returns true, echo out an HTML anchor tag that leads to delete-post.php
        // The id of the row to delete is passed in the query string of the URL
        // Inside the anchor tag is a button with the class btn3 and the text DELETE
        echo '<a href="delete-post.php?id='.$row['id'].'"><button class="btn3">DELETE</button></a>';
    }

You will still need to check the delete-post.php in order to stop someone from directly accessing that file. This is just a quick example, and you can even do that for the original user: just check to see if the user's id for the post matches the original poster's id. Just set up an additional column like user_id in the database table that contains the posts (if you haven't already done so).

Edited June 27, 2023 by Strider64
PNewCode (Author), Posted June 27, 2023 (edited)

@Strider64 Thank you for that post. If I'm not mistaken, that would require me to add a column (security) to the database, correct? If so, then when the post is made it would also have to enter something in that column to identify if that user has "admin" for that security, correct?

2 problems I have, if I'm correct in what you're suggesting:

1: There's already a lot of posts made and it would be impossible to add an admin status entry to each user and their posts and comments (that's already posted).

2: I'm not positive I can get access to the database itself to make any alterations (I'm not the site owner, just fixing this page).

Is there an alternative way to hide the button unless it's made from the original poster with their "myid"? Currently, there are id (the database id entry), post_id (the id of the post itself), myid (the id of the user that posted), and fname (the name of the user that posted) columns (for identifiers).

EDIT: I just asked and no, I do not have permission to add any new columns to the database.

Edited June 27, 2023 by PNewCode
mac_gyver, Posted June 27, 2023

in real life, data is almost never actually deleted. it is just UPDATEd to mark it as deleted, then it is excluded from most database operations, using a table view. you may want to restore it at some point, or by keeping a history, you can detect nefarious activity by users.

you would use a post method form when deleting data, not a link.

the way to accomplish the operation you are asking about is straightforward. you would enforce ownership or administrator-ship by only outputting the delete form, with a hidden field containing the id of the data, and enabling the delete form processing code, if the current logged in user's id matches the owner id of the data or the currently logged in user is an administrator (assuming the system has user roles.)
PNewCode (Author), Posted June 27, 2023 (edited)

@mac_gyver Based on what I'm learning on this so far, I wish there were roles set up, as it looks like it would be way easier that way. Below is a screenshot of one of the entries and the DB itself. So it looks like I'm stuck with trying to match the id with the post_id in order to display the button, to delete the post with the id (I might have just over-complicated it now).

Edit: So in other words, if the user (myid) matches the post (post_id) then they can see the delete button. Otherwise the button will not be visible.

Edited June 27, 2023 by PNewCode
PNewCode (Author), Posted June 27, 2023

WOW I DID IT!!! Going off of what @Strider64 posted and what @mac_gyver said about roles, it got me thinking that I can use the session id (not shown in the original post because I forgot it was even at the top of the huge page of scripting), and I put in the following. I'm posting it in case someone else comes here and finds this useful.

The page has a session id set up to make sure only logged-in users have access to the page.

Working code to display the delete button:

    if ($row["myid"] == $_SESSION['id']) {
        echo '<a href="delete-post.php?id='.$row['id'].'"><button class="btn3">DELETE</button></a> <br><br>';
    }
benanamen, Posted June 27, 2023 (edited)

Yeah, that's not going to work. Records can still be deleted. PM me the site URL and I will show you how and why.

Edited June 27, 2023 by benanamen
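Added example, not code from the thread or from any of its posters: a delete-post.php that enforces what Strider64 and mac_gyver describe in their replies, that is, a server-side ownership check in the delete script itself (Strider64's "you will still need to check the delete-post.php") and a POST form with a hidden id instead of a link (mac_gyver). Hiding the button the way PNewCode's final snippet does only changes what the owner sees; a request sent straight to delete-post.php still reaches the database, which is the gap Strider64 flagged. The example uses the thread's own names (table nametable, columns id and myid, the session key $_SESSION['id']); the PDO connection details, the function names, the posts.php redirect target and the placement of render_delete_form() in the listing page are assumptions. Because PNewCode cannot add columns, mac_gyver's soft-delete (UPDATE a deleted flag) is not possible here, so the example issues a DELETE whose WHERE clause includes the owner.

```php
<?php
// Added example for the thread above, not the page's own code.
// Assumes (from the thread): posts and comments are rows in `nametable` with
// columns `id` (row id) and `myid` (id of the user who posted), and the
// logged-in user's id is in $_SESSION['id'].
// Assumed (not from the thread): a PDO connection, and that the listing page is
// posts.php. Replace the credentials and names with the site's real ones.

declare(strict_types=1);
session_start();

$db = new PDO(
    'mysql:host=localhost;dbname=your_database;charset=utf8mb4',
    'username',
    'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

/**
 * Delete one row from nametable only if it belongs to $userId.
 * Ownership is part of the WHERE clause, so "is it mine?" and "delete it"
 * are a single statement: there is no window in which another user's row
 * could be removed, and no second query is needed. Returns true only when
 * exactly one row (the caller's own) was deleted.
 */
function delete_own_post(PDO $db, int $postId, int $userId): bool
{
    $stmt = $db->prepare('DELETE FROM nametable WHERE id = :id AND myid = :myid');
    $stmt->bindValue(':id', $postId, PDO::PARAM_INT);
    $stmt->bindValue(':myid', $userId, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount() === 1;
}

/**
 * For the listing page (assumed to be posts.php): emit the delete control as a
 * POST form with a hidden id, and only for the row's owner. This is cosmetic;
 * delete_own_post() is the guard that actually matters.
 */
function render_delete_form(array $row, ?int $sessionUserId): string
{
    if ($sessionUserId === null || (int) $row['myid'] !== $sessionUserId) {
        return '';
    }
    $id = (int) $row['id'];

    return '<form method="post" action="delete-post.php">'
        . '<input type="hidden" name="id" value="' . $id . '">'
        . '<button class="btn3" type="submit">DELETE</button>'
        . '</form>';
}

// ---- delete-post.php request handling ----

// A plain link (GET) must never delete data; only accept the POST form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// Not logged in: nothing to compare the owner against.
if (!isset($_SESSION['id'])) {
    http_response_code(403);
    exit;
}

// Validate the id before it goes anywhere near the query.
$postId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($postId === false || $postId === null) {
    http_response_code(400);
    exit;
}

if (delete_own_post($db, $postId, (int) $_SESSION['id'])) {
    header('Location: posts.php'); // assumed listing page
} else {
    // Either the row is someone else's or it does not exist; the response
    // is the same so an id cannot be probed for existence.
    http_response_code(403);
}
exit;
```

Since comments in the thread's query are also rows of nametable (the rows whose post_id matches a post's id), the same delete_own_post() call covers deleting a comment: the myid column decides ownership in both cases. The key design choice is that the owner check lives in the WHERE clause of the DELETE rather than in a separate SELECT followed by an unconditional DELETE, so the script is safe even when someone bypasses the page and posts to it directly.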