I want to delete columns in my sql, which is going with succes. But there is another problem, I need to solve. I've tried and checked here around. All with any kind of succes I will try to explain my problem.
I've a member system where you can add your content, edit you submitted content and now I'm creating to delete your content. My script can delete now post which are created by the same user as logged in. For example my account is called Bobby and someone is called Alex I cannot delete the content of Alex only mimes, thats what I want.
For example my content link of bobby : category.php?nameID=cat2&id=22 And the delete link is deletepost.php?id=22
EX. content link Alex:
category.php?nameID=cat2&id=23 And the delete link is deletepost.php?id=23
When I'm logged in as Bobby and I go to deletepost.php?id=23 and receive a message like You cannot delete this content!
And When I go to mimes deletepost.php?id=22 I need to receive a message like: Your content has been delete succesfully!
I'm only receive NO!
<?php
$user = new User();
if (isset($_GET['id'])) {
$id = mysql_real_escape_string($_GET['id']);
if(!$user->isLoggedIn()) {
Redirect::to('index.php');
}
if($user->isLoggedIn()) {
$pakuser = $user->data()->username;
$sql = mysql_query("DELETE FROM post
WHERE post.id = '$id' AND post.add = '$pakuser'")
or die(mysql_error());
if (!$sql) {
echo 'NO';
}
if ($sql) {
echo 'YES';
}
}
}
?>
Beside from the possible sql injections in your code, you can try this format for a delete query to determine the mistake:
<?php
$sql = "
DELETE FROM
post
WHERE
post.id = ".$id." AND post.add = '".$pakuser."'
";
if(!$res = mysql_query($sql))
{
trigger_error(mysql_error().'<br />In query: '.$sql);
}
elseif(mysql_affected_rows() == 0)
{
echo 'No records Deleted. <br />Query: '.$sql;
}
else
{
echo 'There are '.mysql_affected_rows().' records deleted.';
}
?>
Are you also sure that post.add is the username?
Related
I have news_Category and news table, here every news comes under one category,so before deleting new_category I want to display user a msg that child news exists in this category so u are not allowed to delete, If there are no child news than a confirm alert to user that "do u really want to delete".If he confirms the news category gets deleted.
HTML STUFF
<?php echo "<a style='color:red;''
href='delete.php?delete=$values[category_id]&
img=$values[category_image]'><i class='fas fa-trash-alt'></i></a>"; ?>
if ($_GET['msgError']) {
echo "<script>alert('First Delete The News Than Category');</script>";
}
if ($_GET['msg']) {
?>
<?php
}
?>
DELETE.PHP
if (isset($_GET['delete'])) {
$id= $_GET['delete'];
$img=$_GET['img'];
$obj=new commands();
$obj->delete_category($id,$img);
}
Delete Function
function delete_category($id,$img)
{
$stmt = $this->con->prepare("SELECT category_id FROM nm_news where category_id='$id'");
$stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
if ($result) {
header('Location: news_category.php?msgError=' . urlencode(base64_encode("First Delete The News Than Category")));
} else {
$sql = $this->con->prepare("DELETE FROM `nm_category` WHERE category_id=:id");
$sql->bindParam(':id', $id);
$sql->execute();
unlink("uploads/" . $img);
header('Location: news_category.php?msg="confirm"');
$this->con = null;
}
}
I am not able to make to logic here, how can I check whether the child news exists so i can display error msg and if there is no child news how to show confirm alert to allow delte
You need to check to see if the result is empty.
Something like this:
function delete_category($id,$img)
{
$stmt = $this->con->prepare("SELECT category_id FROM nm_news where category_id='$id'");
$stmt->execute();
$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
if (empty($result)) {
header('Location: news_category.php?msgError=' . urlencode(base64_encode("First Delete The News Than Category")));
} else {
$sql = $this->con->prepare("DELETE FROM `nm_category` WHERE category_id=:id");
$sql->bindParam(':id', $id);
$sql->execute();
unlink("uploads/" . $img);
header('Location: news_category.php?msg="confirm"');
$this->con = null;
}
}
Edit due to extra details request
On the front end you just need to display the GET msgError like this:
<?php isset($_GET['msgError']) ? echo url_decode(base64_decode($_GET['msgError'])) : '' ?>
Where you want to show the message text.
I wrote this code to comment system on my webpage. But i want to keep showing all data on web page while another people do comment and see another people's comment
include 'connection.php';
$con1= new connection();
$db=$con1-> open();
$qry= "INSERT INTO post (content) VALUES ('".$_POST["commentEntered"]."')";
$db->exec($qry);
if(isset($_POST['Submit'])) {
if ($con1->query($qry) === TRUE) {
echo "Your Comment Successfull Submited";
} else {
echo "Error: " . $qry . "<br>" . $con1->error;
}
$sql = 'SELECT * FROM post';
$q = $db->query($sql);
$q->setFetchMode(PDO::FETCH_ASSOC);
$con1->close();
}
if ($_POST)
echo "<h2> Your Comment Successfully Submitted</h2> <br> ".$_POST['commentEntered']."<br>";
}
?>
after your select, inside your if($_POST) write this
while ($row = $q->fetch()) {
foreach($row as $key=>$val){
if (!is_numeric($key)) echo "<p>$key=>$val</p>";
}
}
EDIT i'm not 100% sure you can close the connection and still do a ->fetch, (I think you can but i've never tried it) so you may have to move your connection close after this (but I think you'll be alright), also I am not sure if setFetchMode will return duplicate numbered keys or not so as a precaution I have filtered for them you may not need to
I’m working on a blog website where the idea is that the current user that is logged in can edit and delete their own posts. I finally got it to work, but my question is how I can prevent that a user can write the following input in the URL and do the same actions as my delete.php action.
(Example) Manual URL input with topic_id:
/delete.php?del=133
Do anyone know how I can edit my existing code or know a better solution to the problem I will be much grateful!
This is how my code looks:
Profile.php:
if (#$_GET['id']) {
$check_d = mysql_query("SELECT * FROM users WHERE id ='".$_GET['id']."'");
while ($row_d = mysql_fetch_assoc($check_d)) {
echo "<div class='spacer'></div><h2 class='headertext'>Inlägg skapade av : ".$row_d['username']."</h2>";
$check_u = mysql_query("SELECT * FROM topics WHERE topic_creator='".$row_d['username']."' ORDER BY topic_id DESC");
while ($row_u = mysql_fetch_assoc($check_u)) {
$id = $row_u['topic_id'];
echo "<tr>";
echo "<td class='postmain'><a href='topic.php?id=$id' class='links'>".$row_u['topic_name']."<br /></a></td>";
echo "<td class='postmain'><p class='text'>".$row_u['topic_creator']."</p><br /></td>";
echo "<td class='postmain'><p class='text'>".$row_u['date']."</p><br /></td>";
if($_SESSION['username'] === $row_u['topic_creator']) {
echo "<td class='postmain'><a href='edit.php?edit=$id'><button>Redigera</button></a>";
echo "<a href='delete.php?del=$id'><button>Ta bort</button></a></td>";
}
echo "</tr>";
}
}
}
The highlighted code shows that only the current session (user) who made the post can edit and delete their own posts.
Delete.php:
if (isset($_GET['del'])) {
//getting id of the data from url
$id = $_GET['del'];
//deleting the row from table
$sql = "DELETE FROM topics WHERE topic_id='$id'";
$res = mysql_query( $sql );
//redirecting to the display page
header("Location:admin.php");
}
Using isset function is solution here . The isset function will check that whether user clicked the delete/modify link or not(i.e he pasted delete.php directly in link) . So your code will only execute when user clicks the link .
if (isset($_GET['del']))
{
// your profile.php code here
}
else
{
// error message
}
You can use the same $_SESSION logic to ensure anyone accessing the delete.php has the appropriate permissions.
if (isset($_GET['del'])) {
//getting id of the data from url
$id = $_GET['del'];
// Get the author for the specified post to ensure they are permitted to do so
// TODO
// Check that the author is the same as the $_SESSION user
if($_SESSION['username'] === $postAuthor) {
//deleting the row from table - FIX THIS (see below)
$sql = "DELETE FROM topics WHERE topic_id='$id'";
$res = mysql_query( $sql );
} else {
// User is not authorized, create error handling
// TODO
}
//redirecting to the display page
header("Location:admin.php");
}
Unrelated, beware of SQL injection. Bobby Tables is a good guide and you should not be using the mysql_ functions and should be using prepared statements.
I have this code that allows a user to only delete his own topics. It's working but in the case that the user is not the one who posted the topic, he is still getting the message: Topic has been deleted, whereas he should get: You didnt make this topic.
The else statement isnt running.
if(isset($_SESSION['username']))
{
$uid = $_SESSION['uid'];
$id=$_GET['id'];
$check = mysql_query("SELECT * FROM topics WHERE id = '$id' AND topicCreator = '$uid'");
if($check){
$query1=mysql_query("delete FROM topics WHERE id='$id' AND topicCreator='$uid'");
echo "<p>Topic has been successfully deleted. <a href='index.php'>Click here to return to home page.</a>";
}
else{
echo "<p><b>ERROR: You didnt make this topic.";
}
}
I dont know why the else statement wont run.
$check is to see if the user who is logged in is the one who created the topic.
(PS: I'll switch to mysqli once this works.)
As the comments suggest, you can't check against the resource itself. Try:
if(isset($_SESSION['username'])) {
$uid = $_SESSION['uid'];
$id=$_GET['id'];
$check = mysql_query("SELECT * FROM topics WHERE id = '$id' AND topicCreator = '$uid'");
$count = mysql_num_rows($check);
if($count) {
// $count is greater than 1 hence TRUE
$query1=mysql_query("delete FROM topics WHERE id='$id' AND topicCreator='$uid'");
echo "<p>Topic has been successfully deleted. <a href='index.php'>Click here to return to home page.</a>";
} else{
// $count is 0 or FALSE - no rows returned
echo "<p><b>ERROR: You didnt make this topic.";
}
}
I'm trying to delete records from my database using a form. Can't get this to work.
Any ideas?
include 'newsconnect.php';
$Id = $_POST['Id'];
if (empty($Id) === true {
echo 'please input an Post ID.';
} else {
if(!$_POST['Submit']) {
header('Location: http://www.hidensecrets.yourwebsolution.net/forum.php');
} else {
mysql_query("DELETE * FROM forum WHERE id = '$Id'") or die(mysql_error());
header('Location: http://www.hidensecrets.yourwebsolution.net/forum.php') ;
echo "Deleted!";
}
}
I seem to land on this page which displays no errors.
Any help is really appreciated.
Missing a closing bracket:
include 'newsconnect.php';
$Id = $_POST['Id'];
if (empty($Id)) {
//-^
echo 'please input an Post ID.';
} else {
if (!$_POST['Submit']) {
header('Location: http://www.hidensecrets.yourwebsolution.net/forum.php');
} else {
mysql_query("DELETE FROM forum WHERE id = '$Id'") or die(mysql_error());
header('Location: http://www.hidensecrets.yourwebsolution.net/forum.php');
echo "Deleted!";
}
}
Not sure which IDE you're using but most of them would show this error. You're also open to sql injection. Find out more.
What sort of issue are you facing? You're missing a closing parenthesis for if (empty($Id) === true in case the you're getting syntax error
I think that you must omit the asterisk in your delete query ! Try it and tell me the result :)
your code must use this query :
mysql_query("DELETE FROM forum WHERE id = '$Id'") or die(mysql_error());
instead of this one :
mysql_query("DELETE * FROM forum WHERE id = '$Id'") or die(mysql_error());
Hope this it will be the solution :)