I am writing a script that allows users to create teams, send contracts to others that are registered, so on and so forth. I want the logged in user to be able to withdraw from a team. The html tables are dynamically populated from mysql using php. I can get it to apply my delete option to all the users within the <td></td> but not just the one that is logged in. Here is some code snippets to help I hope. Basically I want only the user that is logged in to have the delete option.
Id Player
1 User 1 - No Delete Option
2 User 2 - Delete Option (Is the logged in user)
3 User 3 - No Delete Option
session_start();
$get_users_name = $_SESSION['username_u'];
$sql = ("SELECT id, username FROM user WHERE username='$get_users_name'");
$result = mysql_query($sql) or die(mysql_error());
while ($row = mysql_fetch_array($result)) {
$grab_id = $row['id'];
$grab_user = $row['username'];
//the rest of the table generation done here such as <tr> etc
echo "<td>";
if ($grab_user == $get_users_name) {
echo ''.$grab_user.'';
}
else
{
echo $grab_user;
}
echo "</td>";
//the rest of the table generation done here such as </tr> etc
}
**Edited to fix echo problem caught by #easteregg
Just be sure you will style your code for readability ,then you will notice that you have your if condition inside the echo ;)
Try this it should work!
echo "<td>";
if ($grab_user == $get_users_name) {
echo ''.$grab_user.'';
} else {
echo $grab_user;
}
echo "</td>";
Be aware of the fact, that you should check again in the user_delete.php if a user has the right to delete something , otherwise you will run into some strange sort of trouble ;)
Related
I want to show some titles for two users in each of their "profile div".
Let's say there are five titles belonging to user 1 and only two titles belonging to user 2.
The titles are in a table which I joined through user id.
How can I know when the titles foreign key (the user id) switches from one to two? in other words, how can I check for when I start echoing titles for a new user.
I want to implement a new div when the switch is made, so that the titles belonging to user one can be found in his div, and so on for the other user(s)
Below is my query, it works fine showing my data.
For the sake of simplicity I used an example of two users, but in the future I would have more than two users.
$result = mysqli_query($con,$sqltwo)or die(mysqli_error());
while($row = mysqli_fetch_array($result)) {
echo $row['title'];
echo $row['user_id'];
//I want to echo a new div here when the user_id switches to new
value
//and then echo the new titles data for the new user_id.
echo "<br>";
}
EDIT: A succesful scenario would be an output that looked something like this:
<div class="userone">
title1<br>
title2<br>
title3<br>
title4<br>
title5<br>
</div>
<div class="usertwo">
title6<br>
title7<br>
</div>
It can be done with a basic algorithm :
$current_id = '';
while ($row = mysqli_fetch_array($result)) {
if ($current_id != $row['user_id']) {
//new user detected
$current_id = $row['user_id'];
}
}
And so to fit your needs :
$current_id = '';
while ($row = mysqli_fetch_array($result)) {
if ($current_id != $row['user_id']) {
//ignore the first instance where no div has been created yet
if ($current_id != '') {
echo '</div>';
}
echo '<div class = "user'.$row['user_id'].'">';
$current_id = $row['user_id'];
}
//fill your div with your stuff from current user
echo $row['title'] . '<br>';
}
//check if you have at least one row to deal with, and then close the last opened div
echo '</div>';
i'm a newbie and I just built a CRUD system but its not secure at all. The edit page has the ID number in the URL and users can simple just randomly type ID's to access other records in the database.
http://example.com/example_edit.php?id=2
<?php
include_once("connection.php");
$result = mysqli_query($mysqli, "SELECT * FROM mkregistrationchecklists WHERE login_id=".$_SESSION['id']." ORDER BY id DESC");
?>
<tbody>
<?php
while($res = mysqli_fetch_array($result)) {
echo "<tr>";
echo "<td>".$res['id']."</td>";
echo "<td><span class='label ".$res['labelwarning']."'>".$res['status']."</span></td>";
echo "<td>".$res['todaysdatetime']."</td>";
echo "<td>".$res['tag']."</td>";
echo "<td>".$res['serialnumber']."</td>";
echo "<td>".$res['currentequipment']."</td>";
echo "<td>".$res['company']."</td>";
if ($res['status'] == "Submitted") {
echo "<td><a href='page_read.php?id=$res[id]' class='btn btn-default glyphicon glyphicon-eye-open'></a></td>";
} else{
echo "<td></td>";
}
echo "</tr>";
}
?>
</tbody>
What is the best approach in securing this?
Should i encrypt like this?
$secure_id = $_GET['id'];
$decryped_id = base64_decode($secure_id);
I updated my code, im saving the records according to the login_id but it still looks unprofessional with the id tag in the urls.
You have to add user / record owner unique identification into all SQL queries, typically :
$query = "SELECT * FROM table WHERE id = 1 AND user_id = 2";
with this approach you can be sure that user access only his records. Id of logged in user can be placed somewhere in SESSION.
Hiding or hashing ids is not recommended, it's a anti-pattern and security through obscurity.
I'm creating a website where users will need to be able to upload images, and I'd like them to be able to delete those images. Right now, I have a page that will display all of the images that that user has uploaded, and I have a php set up to delete an image from the database. It just needs to be given the id of the image. I have it functioning with the GET method, but I'm concerned a user could find the URL for my delete php and put in random ids, deleting everyone's images. Is there a way I can adjust my code to make it safer?
<?php
$sql = "SELECT id, userid, name, image FROM images";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
// output data of each row
while($row = mysqli_fetch_assoc($result)) {
if ($imageUser == $row["userid"]){
echo "<tr>";
echo "<th>".$row["userid"]."</th>";
echo "<th>".$row["name"]."</th>";
echo "<th><img src='showimage.php?id=".$row["id"]."'></th>";
echo "<th><a href='imgdelete.php?id=".$row["id"]."'>delete</a></th>";
echo "</tr>";
}
}
} else {
echo "0 results";
}
?>
The delete.php simply deletes the entry WHERE id=$_GET['id'];
In a RESTful API, a GET request should never modify the data. If you want to delete items, you should use a POST or a DELETE request.
I found a problem in my code, when I want to remove a user from database, it has to remove him, the code for removing works perfect, but afterwards, the if condition shows that the user has been removed and I have a Back button there, I click on it and it should redirect me back to the classroom with the rest of the users in it. Classroom is identified by ID of course, but when I click on Back, it shows me classroom without an ID of a class...so its not getting ID...
// get value of id that sent from address bar
$id_student=$_GET['id_student'];
$id_trieda = $_GET['id_triedy'];
// Delete data in mysql from row that has this id
$zmaz='DELETE FROM $tbl_name WHERE id_student="'.$id_student.'" AND id_triedy="'.$id_trieda.'"';
mysqli_real_escape_string($prip, $zmaz);
$row = mysqli_query($prip,$zmaz);
// if successfully deleted
if($row){
echo "Študent bol úspešne vymazaný.";
echo "</br>";
echo "<a href='./trieda.php?id_triedy=".$_GET['id_triedy']."'>Späť do triedy<a/>";
}
else {
echo "Chyba";
}
?>
EDIT:
// get value of id that sent from address bar
$id_student=$_GET['id_student'];
// Delete data in mysql from row that has this id
$zmaz="DELETE FROM $tbl_name WHERE id_student='$id_student'";
$result=mysql_query($zmaz);
// if successfully deleted
if($result){
$id_trieda = $_GET['id_triedy'];
echo "Študent bol úspešne vymazaný.";
echo "</br>";
echo "<a href='./trieda.php?id_triedy=".$id_trieda."'>Späť do triedy<a/>";
}
else {
echo "Chyba";
}
here is edited code which is similar to one that is working when I add a student into the class and then there is a Back button again, but it works....so problem will be in deleting the student, it cant find the ID of class he was in..i think..but I have no idea how to get the ID of the class before he is removed..
Looking at the page you linked to in your comment, I see the problem - you aren't passing id_triedy in your zmazat link. It reads:
http://www.xxx.xx/project/zmazat_studenta.php?id_student=15
Where it should read:
http://www.xxxx.xx/project/zmazat_studenta.php?id_student=15&id_triedy=18
(or whatever the relevant id_triedy is).
Then the $_GET['id_triedy'] in your question code actually has something to get.
You should really build in a check for this kind of thing:
if(isset($_GET['id_triedy'])){
$id_trieda = $_GET['id_triedy'];
} else {
echo 'No trieda ID';
}
This will check the URL for id_triedy and tell you if it's not there.
Is the trieda.php the file that contains the Classroom? If so, this line should be amended:
echo "<a href=\"./trieda.php?id_triedy=".$_GET['id_triedy']."&id_student=".$_GET['id_student']."\">Späť do triedy<a/>";
It looks like you left out the id_student in the URL
Hello i am new to php and i have tried to find a piece of code that i can use to complete the task i need, i currently have a page with a form set out to view the criteria of a course. also i have a dropdown menu which currently holds all the course codes for the modules i have stored in a database. my problem is when i select a course code i wish to populate the fields in my form to show all the information about the course selected. The code i am trying to get to work is as follows:
<?php
session_start();
?>
<? include ("dbcon.php") ?>
<?php
if(!isset($_GET['coursecode'])){
$Var ='%';
}
else
{
if($_GET['coursecode'] == "ALL"){
$Var = '%';
} else {
$Var = $_GET['coursecode'];
}
}
echo "<form action=\"newq4.php\" method=\"GET\">
<table border=0 cellpadding=5 align=left><tr><td><b>Coursecode</b><br>";
$res=mysql_query("SELECT * FROM module GROUP BY mId");
if(mysql_num_rows($res)==0){
echo "there is no data in table..";
} else
{
echo "<select name=\"coursecode\" id=\"coursecode\"><option value=\"ALL\"> ALL </option>";
for($i=0;$i<mysql_num_rows($res);$i++)
{
$row=mysql_fetch_assoc($res);
echo"<option value=$row[coursecode]";
if($Var==$row[coursecode])
echo " selected";
echo ">$row[coursecode]</option>";
}
echo "</select>";
}
echo "</td><td align=\"left\"><input type=\"submit\" value=\"SELECT\" />
</td></tr></table></form><br>";
$query = "SELECT * FROM module WHERE coursecode LIKE '$Var' ";
$result = mysql_query($query) or die("Error: " . mysql_error());
if(mysql_num_rows($result) == 0){
echo("No modules match your currently selected coursecode. Please try another coursecode!");
} ELSE {
Coursecode: echo $row['coursecode'];
Module: echo $row['mName'];
echo $row['mCredits'];
echo $row['TotalContactHours'];
echo $row['mdescription'];
echo $row['Syllabus'];
}
?>
however i can only seem to get the last entry from my database any help to fix this problem or a better way of coding this so it works would be grateful
Thanks
The main error is in your final query, you're not actually fetching anything from the query, so you're just displaying the LAST row you fetched in the first query.
Some tips:
1) Don't use a for() loop to fetch results from a query result. While loops are far more concise:
$result = mysql_query(...) or die(mysql_error());
while($row = mysql_fetch_assoc($result)) {
...
}
2) Add another one of these while loops to your final query, since it's just being executed, but not fetched.
For me i would use some javascript(NOTE: i prefer jQuery)
An easy technique would be to do this(going on the assumption that when creating the drop downs, your record also contains the description):
Apart from creating your dropdown options like this <option value="...">data</option>, you could add some additional attributes like so:
echo '<option value="'.$row['coursecode'].'" data-desc="'.$row['description'].'">.....</option>
Now you have all your drop down options, next is the javascript part
Let's assume you have included jQuery onto your page; and let's also assume that the description of any selected course is to be displayed in a <div> called description like so:
<div id="course-description"> </div>
<!--style it how you wish -->
With your javascript you could then do this:
$(function(){
$("#id-of-course-drop-down").change(function(){
var desc = $(this).children("option").filter("selected").attr("data-des");
//now you have your description text
$("#course-description").html(desc);
//display the description of the course
}
});
Hope this helps you, even a little
Have fun!
NOTE: At least this is more optimal than having to use AJAX to fecch the description on selection of the option :)