Daney11 Posted March 7, 2008

Hey guys, I'm using

    if ($_GET["cmd"] == "delete") {
        $errors = array();

        if ($member_level == '5') {
            $errors[] = 'Member Level Too High';
        }

        if (empty($errors)) {
            $member_id = $_GET['member_id'];
            $sql = "DELETE FROM members WHERE member_id=$member_id AND member_teamid=$team_url";
            $result = mysql_query($sql, $connect) or die(mysql_error());
        }
    }

But I can delete a member with level 5 access.

Naez Posted March 7, 2008

I ran your code (but modified it slightly to take out the DB stuff)

    <?php
    // don't use this, this is just what I did to test your structure
    if ($_GET["cmd"] == "delete") {
        $member_level = $_GET['u'];
        $errors = array();

        if ($member_level == '5') {
            $errors[] = 'Member Level Too High';
        }

        if (empty($errors)) {
            echo "HAHA DELETED";
        }
    }
    ?>

I called it from http://localhost/test.php?cmd=delete&u=5 ... worked fine...

MY GUESS: You didn't set $member_level = $_GET['member_level']

haku Posted March 7, 2008

Either that, or you have some other value in the $errors array, in which case it would be empty and enter the delete conditional.

As a side note, I would suggest that after you get this conditional working, you go back and look at the code that brings you to this page, and make it so that anyone with a members_level of 5 does not even appear in the list of players to be deleted. That will make this check redundant, although building redundancy like that into the system can be a good thing in case of an unexpected error sometime in the future.

Naez Posted March 7, 2008

Or if someone maliciously makes their own HTML form directed to your form processor. Validation is always good.

Daney11 (Author) Posted March 7, 2008

Ok thanks guys, I'm $_GET-ting $member_id, which I'm deleting from, and I'm not setting a member level. However, I'm setting the member_level var in the script.