Delete

[Daney11]

Hey guys,

 

Im using

 

if($_GET["cmd"]=="delete")

{

$errors = array();

if ($member_level == '5') {
   $errors[] = 'Member Level Too High';
       }

if (empty($errors)) {

    $member_id = $_GET['member_id'];
    $sql = "DELETE FROM members WHERE member_id=$member_id AND member_teamid=$team_url";
    $result = mysql_query($sql, $connect) or die(mysql_error());

 

But i can delete a member with level 5 access.

[Naez]

I ran your code (but modified it slightly to take out the DB stuff)

 

<?php

//  dont use this, this is just what i did to test your structure

if($_GET["cmd"]=="delete")
{
$member_level = $_GET['u'];

$errors = array();

if ($member_level == '5') 
{
   		$errors[] = 'Member Level Too High';
    }

if (empty($errors)) 
{

    	echo "HAHA DELETED";
}
}
?>

 

I called it from http://localhost/test.php?cmd=delete&u=5 ... worked fine...

 

 

MY GUESS: You didn't set $member_level = $_GET['member_level']

[haku]

Either that, or you have some other value in the $errors array, in which case it would be empty and enter the delete conditional.

 

As a side note, I would suggest that after you get this conditional working, you go back and look at the code that brings you to this page, and make it so that anyone with a members_level of 5 does not even appear in the list of players to be deleted. That will make this check redundant, although building redundancy like that into the system can be a good thing in case of an unexpected error sometime in the future.

[Naez]

Or if someone maliciously makes their own HTML form directed to your form processor.

 

Validation is always good.

[Daney11]

Ok thanks guys, im $_GET TING $member_id which im deleting from and im not setting a member level. however im setting the member_level var in the script.