
ID in URL


Vampen


Hello. I'm new to PHP, just so that is clear. I have made a blog system and now I have a problem. All information which is sent to the database depends on an ID in the URL.

Example:
[code]$delete = $_GET['delete'];
$sql = "DELETE FROM user WHERE id = $delete";[/code]

I get the $delete number from the URL. If someone just changes the number they can delete someone else. So my question is: is there any way of encrypting this number? Sorry for my bad English!

Thx!

Well, I have never done it before but I do believe it goes like this. Correct me if I'm wrong.
[code]
<?php
// Which action was requested; 'delete' means the user clicked the link
$mode = isset($_GET['mode']) ? $_GET['mode'] : '';
// The id comes straight from the URL
$id   = isset($_GET['id']) ? $_GET['id'] : '';
if ($mode == 'delete') {
    $delete = "DELETE FROM user WHERE id='" . $id . "'";
} else {
    // Single quotes do not interpolate variables, so the link is concatenated
    echo 'Thing you want to delete. <a href="currentpage.php?id=' . $id . '&mode=delete">Delete it!</a>';
}
?>
[/code]

[code]<?php
// The id comes from the URL; it is used both in the link and in the query
$id = isset($_GET['id']) ? $_GET['id'] : '';
switch (isset($_GET['op']) ? $_GET['op'] : '') {
default:
  echo '<a href="currentpage.php?id=' . $id . '&op=delete">Delete me</a>';
break;
case "delete":
  mysql_query("DELETE FROM user WHERE `id`='$id'") or die(mysql_error());
break;
}
?>[/code]

[quote author=taith link=topic=121150.msg497567#msg497567 date=1168023845]
[code]<?php
// The id comes from the URL; it is used both in the link and in the query
$id = isset($_GET['id']) ? $_GET['id'] : '';
switch (isset($_GET['op']) ? $_GET['op'] : '') {
default:
  echo '<a href="currentpage.php?id=' . $id . '&op=delete">Delete me</a>';
break;
case "delete":
  mysql_query("DELETE FROM user WHERE `id`='$id'") or die(mysql_error());
break;
}
?>[/code]
[/quote]
Just out of curiosity, I have been trying to find a tutorial for all this break and case stuff; I really need it for a site I'm making. What do you call it? And please don't tell me it's classes :( If you have a tutorial please direct me, thanks.

lol... no, it's not classes... lol

switch is simple... here's an example
[code]
switch (rand(0,5)) {
default:
  // runs when no case label below matched
  echo 'rand(0,5) is not 1, 2, 3 or 4';
break;
case "1":
  echo 'rand(0,5)==1<br>';
break;
case "4":
  echo 'rand(0,5)==4<br>';
break;
case "2":   // two labels with no break between them share one body
case "3":
  echo 'rand(0,5)==2 or 3';
break;
}
[/code]
switch() is MUCH faster than if()/elseif() for anything you test more than once.

[quote author=Hypnos link=topic=121150.msg497582#msg497582 date=1168024486]
NONE of the posted scripts are secure. Anyone with mild knowledge could delete any user.

If this system uses cookies or sessions, why not check that the user is logged in, and that he/she has the permission to delete what he/she is trying to?
[/quote]

Yes, the users are logged in with sessions. Can you give me an example? Thanks again!

[quote author=Vampen link=topic=121150.msg497600#msg497600 date=1168025348]
[quote author=Hypnos link=topic=121150.msg497582#msg497582 date=1168024486]
NONE of the posted scripts are secure. Anyone with mild knowledge could delete any user.

If this system uses cookies or sessions, why not check that the user is logged in, and that he/she has the permission to delete what he/she is trying to?
[/quote]

Yes, the users are logged in with sessions. Can you give me an example? What I'm thinking is that they can only delete their own posts. Thanks again!
[/quote]

Here is all my code:

[code]<?php
ob_start();
session_start();
$_adresse = "index.php";
?>
<?php include("include/include_funksjon.php");

$_brukernavn = $_SESSION['bruker'];
$tilkobling = kobleTil("bruker"); // Here I call the connection function again
$sql = "SELECT * FROM bruker WHERE brukernavn='$_brukernavn'"; // Contains what I want to fetch and how I want to present it
$resultat = mysql_query($sql, $tilkobling);
$rad = mysql_fetch_array( $resultat );
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title><?PHP echo($rad['fornavn'] . " " . $rad['etternavn'] . " si bloggside" )?></title>
<link href="include/css/css.css" rel="stylesheet" type="text/css" />
<script language="JavaScript" type="text/javascript" src="include/javascripts/swap.js"></script>
<script language="JavaScript" type="text/javascript" src="include/javascripts/popup.js"></script>

</head>
<body onload="MM_preloadImages('images/knapp2.jpg')">
<div id="ramma">

<div id="menu">
<?php include("include/topp.php");?><!-- Here there is a menu that I can use if it becomes necessary -->
</div>
<div id="main">
<div id="main_tekst_head">

<?php
$_brukernavn = $_SESSION['bruker'];
if($_SESSION['logged'] != 'agk8gjf38834j2')
{
header("location:" . $_adresse);
exit; // stop here, otherwise the rest of the page is still sent after the redirect
}
echo "<br>";
$_brukernavn = $_SESSION['bruker'];
$tilkobling = kobleTil("bruker"); // Here I call the connection function again
$sql = "SELECT * FROM bruker WHERE brukernavn='$_brukernavn'"; // Contains what I want to fetch and how I want to present it
$resultat = mysql_query($sql, $tilkobling);
$rad = mysql_fetch_array( $resultat );
?>

</div>
<div id="main_tekst">
<?php /*
if($rad['adm'] == 'ja')
{
*/?>
<a href="save_post.php?vis=<?PHP echo($rad['idbruker']);?>"><div id='blog_subject'>Legg til blogg her</div></a>
<?php /* Remember to include this one to close the IF statement! Otherwise it just becomes a mess.
}
*/?>

[/code]

The last four lines are where my problem lies: save_post, then the ID. If someone changes the ID here the info gets posted in another user's blog.

Hope you understand what I'm saying here...

I think you would have to pull out the id for $delete first and see who put it there: check which user posted it. Then compare that user to the user that is currently trying to delete it. If the users are the same, go ahead with the delete; if not the same, then someone is trying to delete someone else's post.
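An added example of the ownership check described in this thread (both the "delete only your own post" case and the save_post.php case from Vampen's code). It is written for this page and is not taken from any of the posts above. It assumes a PDO connection with placeholder credentials, the session layout from Vampen's code ($_SESSION['bruker'] holds the username, users live in table bruker with columns idbruker and brukernavn) and a hypothetical posts table innlegg with columns id, idbruker and tekst. The point it demonstrates is Hypnos's: the id in the URL needs no encryption, it needs to be checked against the logged-in user, and the owner of a new post should never come from the URL at all.

```php
<?php
// Added example, not code from the thread. Placeholder credentials: replace
// with your own. Table innlegg (id, idbruker, tekst) is a hypothetical name.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=bruker;charset=utf8', 'DB_USER', 'DB_PASSWORD');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Resolve the logged-in user's numeric id from the session, never from the URL.
function currentUserId(PDO $pdo): ?int
{
    if (empty($_SESSION['bruker'])) {
        return null; // not logged in
    }
    $stmt = $pdo->prepare('SELECT idbruker FROM bruker WHERE brukernavn = ?');
    $stmt->execute([$_SESSION['bruker']]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Delete post $postId only if it belongs to $userId. Because the ownership
// test is part of the WHERE clause, a changed id in the URL can only ever
// match the caller's own rows; rowCount() says whether anything was deleted.
function deleteOwnPost(PDO $pdo, int $userId, int $postId): bool
{
    $stmt = $pdo->prepare('DELETE FROM innlegg WHERE id = ? AND idbruker = ?');
    $stmt->execute([$postId, $userId]);
    return $stmt->rowCount() === 1;
}

// For save_post.php: the owner is whoever is logged in, so the link does not
// need to carry an idbruker and there is nothing for a visitor to change.
function saveOwnPost(PDO $pdo, int $userId, string $text): int
{
    $stmt = $pdo->prepare('INSERT INTO innlegg (idbruker, tekst) VALUES (?, ?)');
    $stmt->execute([$userId, $text]);
    return (int) $pdo->lastInsertId();
}

$userId = currentUserId($pdo);
if ($userId === null) {
    header('Location: index.php');
    exit; // always stop after a redirect, otherwise the rest of the script still runs
}

$op = isset($_GET['op']) ? $_GET['op'] : '';
switch ($op) {
case 'delete':
    // FILTER_VALIDATE_INT rejects anything that is not an integer, so the
    // value never reaches the query as raw text (false = invalid, null = absent).
    $postId = filter_input(INPUT_GET, 'delete', FILTER_VALIDATE_INT);
    if ($postId === false || $postId === null) {
        http_response_code(400);
        exit('Invalid id');
    }
    if (deleteOwnPost($pdo, $userId, $postId)) {
        echo 'Post deleted.';
    } else {
        http_response_code(403);
        echo 'No such post, or it is not yours.';
    }
    break;
case 'save':
    $text = isset($_POST['tekst']) ? trim($_POST['tekst']) : '';
    if ($text === '') {
        http_response_code(400);
        exit('Empty post');
    }
    $newId = saveOwnPost($pdo, $userId, $text);
    echo 'Saved post ' . $newId . '.';
    break;
default:
    echo 'Nothing to do.';
}
```

The delete branch answers the original question directly: the number in the URL stays a plain number, and the check in the WHERE clause is what stops one user from deleting another user's post. If the query deletes zero rows, the id either does not exist or belongs to someone else, and the script refuses without leaking which of the two it was.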
