I have created a forum where people can register/login to post topics and replies.
Now I added a Delete link next to each topic that if pressed will go to deletetopic.php and if the user has created this topic it will be deleted, if not, it will say You Didn't create this topic.
this is the deletetopic.php
<?php
session_start();
include("config.php");
if(!isset($_SESSION['uid'])){
echo "<p><b>ERROR: Please log in to delete a topic.";
}
if(isset($_SESSION['username']))
{
$uid = $_SESSION['uid'];
$id=$_GET['id'];
$query1=mysql_query("delete FROM topics WHERE id='$id' and uid='$uid'");
if($query1){
header('location:index.php');
}
else{
echo "<p><b>ERROR: You didnt make this topic.";
}
}
It doesnt work, it just gives me the else {error}
here are my tables:
CREATE TABLE `users` (
`id` INT(11) NOT NULL AUTO_INCREMENT,
`firstname` VARCHAR(255) NOT NULL,
`lastname` VARCHAR(255) NOT NULL,
`email` VARCHAR(255) NOT NULL,
`username` VARCHAR(255) NOT NULL,
`password` VARCHAR(100) NOT NULL,
PRIMARY KEY (`id`)
CREATE TABLE `topics` (
`id` INT(11) NOT NULL AUTO_INCREMENT,
`categoryID` TINYINT(4) NOT NULL,
`topicTitle` VARCHAR(150) NOT NULL,
`topicCreator` INT(11) NOT NULL,
`topicLastUser` INT(11) NOT NULL,
`topicDate` DATETIME NOT NULL,
`topicReplyDate` DATETIME NOT NULL,
`topicViews` INT(11) NOT NULL DEFAULT '0',
PRIMARY KEY (`id`)
EDIT:
uid comes from here I think: login.php
if (isset($_POST['username'])){
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users WHERE username='".$username."' AND password='".$password."' LIMIT 1";
$result = mysql_query($sql) or die(mysql_error());
if (mysql_num_rows($result) == 1){
$row = mysql_fetch_assoc($result);
$_SESSION['uid'] = $row['id'];
$_SESSION['username'] = $row['username'];
header("Location: index.php");
exit();
}else{
echo "<p>Invalid information. Please return to the previous page.";
exit();
}
}
Update
if(isset($_SESSION['username']))
{
$uid = $_SESSION['uid'];
$id=$_GET['id'];
$check = mysql_query("SELECT * FROM topics WHERE id = '$id' AND topicCreator = '$uid'");
if($check){
$query1=mysql_query("delete FROM topics WHERE id='$id' AND topicCreator='$uid'");
header('location:index.php');
}
else{
echo "<p><b>ERROR: You didnt make this topic.";
}
}
Still doesnt work, just goes back to index
There is no uid column in table topics, it is probably topicCreator:
$query1=mysql_query("delete FROM topics WHERE id='$id' and topicCreator='$uid'");
You should consider the comments left here about changing from mysql to mysqli or PDO. And use of prepared statements to prevent SQL injections.
There is another problem. You need to check if the user is the topicCreator BEFORE deleting the topic.
$check = mysql_query("SELECT * FROM topics WHERE id = '$id' AND topicCreator = '$uid'");
if($check){
// Allow deletion
}
else{
// Don't allow deletion
}
Related
I have a problem logging into a domain admin panel that is connected to my app.
I get wrong username and password, even though I have copying the username and password from tbl_admin from phpmyadmin.
this is from my phpmyadmin SQL Structure.
CREATE TABLE `tbl_admin` (
`id` int(11) NOT NULL,
`full_name` varchar(255) NOT NULL,
`username` varchar(100) NOT NULL,
`password` varchar(100) NOT NULL,
`email` varchar(200) NOT NULL,
`phone` varchar(255) NOT NULL,
`image` varchar(255) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
/////////////////////code below is my function.php from filemanager////////////////////////////////////
#Admin Login
function adminUser($username, $password)
{
global $mysqli;
$sql = "SELECT id,username FROM tbl_admin where username = '".$username."' and password = '".md5($password)."'";
$result = mysqli_query($mysqli,$sql);
$num_rows = mysqli_num_rows($result);
if ($num_rows > 0)
{
while ($row = mysqli_fetch_array($result))
{
echo $_SESSION['ADMIN_ID'] = $row['id'];
echo $_SESSION['ADMIN_USERNAME'] = $row['username'];
return true;
}
}
}
At your query
$sql = "SELECT id,username FROM tbl_admin where username = '".$username."' and password = '".md5($password)."'";
you compares your password to password coded to md5 at database row.
If you try to copy a password directly from table tbl_admin remove md5 command at you query
$sql = "SELECT id,username FROM tbl_admin where username = '".$username."' and password = '".$password."' LIMIT 1;" ;
Then you can copy a password from your tbl_admin.
If you want to keep md5 command at you query you have to know a password before coding to md5 string.
LIMIT 1
is for faster mysql preformance
I am trying to build a friend system in php I have the tables, database and the logic in place. I am having trouble getting the friend request receiver's id.
I have registeredusers friends updates table. The registeredusers table looks like this,
CREATE TABLE `registeredusers` (
`id` int(11) NOT NULL,
`FirstName` varchar(50) NOT NULL,
`LastName` varchar(50) NOT NULL,
`UserName` varchar(50) NOT NULL,
`Email` varchar(50) NOT NULL,
`Password` varchar(255) NOT NULL,
`ResetPassword` int(7) DEFAULT NULL,
`friends` int(255) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
friends
CREATE TABLE `friends` (
`friend_one` int(11) NOT NULL,
`friend_two` int(11) NOT NULL,
`status` enum('0','1','2') DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
The requester's ID would be INSERTED into friend_two and receiver's ID would get into friend_one. here's my code
<?php
include 'dbh.php';
$sql = "SELECT * FROM registeredusers";
$result = mysqli_query($connection,$sql);
$row = mysqli_fetch_assoc($result);
$username = $row['UserName'];
$requesterU = $_GET['user'];
echo "the requester is ".$requesterU;
while($row=mysqli_fetch_array($result)){
$id = $row[0];
$username = $row[1];
echo "
<form action='list of users.php'>
$id $username<input type='submit' value='send request' name='friendsbanalo'></input></form>";
}
$sql = "SELECT * FROM registeredusers WHERE UserName = '$requesterU'";
$result = mysqli_query($connection,$sql);
$row = mysqli_fetch_assoc($result);
$requester_id = $row['id'];
echo "requester's id ".$requester_id;
if(isset($_POST['friendsbanalo'])){
$sql = "INSERT INTO friends (friend_one,friend_two) VALUES('$requester_id','$reciver_userid')";
$result = mysqli_query($connection, $sql);
}else{
echo "error";
}
?>
I am not able to get the receiver's ID, can anyone tell me how can I get receiver's ID? I tried searching for the solution and the answers were too complicated for me to understand. I tried (on a separate file) INNER JOIN but I couldn't get it to work.
<?php
include_once 'db.php';
session_start();
if(!$_SESSION['logged_in']) {
die('You are unauthorized to be here. 1');
}
$old_password = md5($_POST['old_password']);
$new_password = md5($_POST['new_password']);
$sql = "UPDATE users SET pass='?' WHERE user='?' AND pass='?'";
$q = $db->prepare($sql);
$q->bindParam(1, $new_password);
$q->bindParam(2, $_SESSION['username']);
$q->bindParam(3, $old_password);
$q->execute();
header('location: ../?page=account');
?>
Here's my 'users' table scheme:
`users` (`active` int(1) NOT NULL DEFAULT '1',
`user` varchar(200) NOT NULL,
`pass` varchar(200) NOT NULL,
`admin` int(1) NOT NULL,
`date` varchar(150) NOT NULL DEFAULT 'error',
`Paid` varchar(200) NOT NULL DEFAULT 'None',
KEY `user` (`user`) )
ENGINE=MyISAM DEFAULT CHARSET=latin1;
Its simply not updating the values at all... Any ideas?
Remove quotes from your placeholders.
$sql = "UPDATE users SET pass='?' WHERE user='?' AND pass='?'";
change it to
$sql = "UPDATE users SET pass=? WHERE user=? AND pass=?";
Assuming that your code does not have a typo or other bug (not tested), logically the only explanation is that either the username or old password are not matching
i am trying to let a user login here is my login script atm im just checking if the username exists but for some reason its not finding any records even though the user name is right
<?php if(isset($_POST)){
print_r($_POST);
//Variables from the table
$usernamelogin = $_POST['usernamelogin'];
$passwordlogin = $_POST['passwordlogin'];
//Prevent MySQL Injections
$usernamelogin = stripslashes($usernamelogin);
$passwordlogin = stripslashes($passwordlogin);
$usernamelogin = mysqli_real_escape_string($con, $usernamelogin);
$passwordlogin = mysqli_real_escape_string($con, $passwordlogin);
$loginquery = mysqli_query($con,"SELECT * FROM reg_users WHERE user ='$usernamelogin' AND authorised ='1'") or die("Can not query DB.");
$logincount = mysqli_num_rows($loginquery);
if($logincount == 1){
echo "user exists";
} else {
echo "User doesnt exist";
}
}
?>
my table is called reg_users and user is the column the username goes into. i am doing the same thing on register and that works
Any ideas guys?
table is
`reg_users` (
`id` int(100) NOT NULL AUTO_INCREMENT,
`firstname` varchar(30) DEFAULT NULL,
`surname` varchar(30) DEFAULT NULL,
`user` varchar(255) DEFAULT NULL,
`password` varchar(512) DEFAULT NULL,
`email` varchar(50) DEFAULT NULL,
`banned` int(1) DEFAULT '0',
`authorised` int(1) DEFAULT '0',
`activationcode` varchar(255) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=18 DEFAULT CHARSET=latin1;
And the sqlfiddle is here
Here is the config.php which is called in the header of the page
<?php //Information to connect to your MySQL Server AND DB
$hostdb = "localhost";
$userdb = "test_nathan";
$passworddb = "xxxxx";
$db = "test_nathan";
//Connect to MySQL Server
$con = mysqli_connect($hostdb,$userdb,$passworddb,$db) or die ("could not connect");
session_save_path('../login/sessions');
require_once('functions.php');
?>
Figured out the problem guys for some reason when i was storing the variables on escaping the string there was spaces attached to the variable. thanks for the help guys.
I am using this code for registering users, but it is not working. It always echos "Registration failed." I tried many times but nothing works
if(isset($_POST['sub']))
{
$uname = $_POST['uname'];
$email = $_POST['email'];
$pass_hash = PassHash::hash($_POST['pass']);
$sq="SELECT * FROM user WHERE username='$uname'";
//echo $sq;
$re=mysqli_query($link,$sq);
if(mysqli_num_rows($re)>0)
{
echo "Username already taken !";
}
else
{
$SQ = "SELECT * FROM user WHERE email='$email'";
//echo $SQ;
$res=mysqli_query($link,$SQ);
if(mysqli_num_rows($res)>0)
{
echo "Email already taken !";
}
else
{
$SQL = "INSERT INTO user(username,email,password) VALUES('$uname','$email','$pass_hash')";
//echo $SQL;
$result = mysqli_query($link,$SQL);
if(!$result)
{
echo "Registration failed !";
}
else
{
echo"register done";
}
}
}
}
below is table structure
CREATE TABLE `user` (
`id` int(11) NOT NULL auto_increment,
`username` varchar(20) NOT NULL,
`password` varchar(100) NOT NULL,
`email` varchar(20) NOT NULL,
`status` int(11) default '0',
`sdate` date NOT NULL,
`s_type` varchar(2) NOT NULL,
`amount` decimal(10,2) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
Does anyone know what the problem is?
You have a bunch of not null fields in your table, but you're not assigning them any values, so your insert query fails.