
Hi guys, I'm working on a simple BBS in PHP and I have a problem with it. I wanted to get delete and edit buttons if a user is logged in to the BBS. For example, if person A is logged in to the BBS, I want to show the delete and edit buttons only for person A, who posted the article, but I don't want to show them for other users. I tried to write the code but it didn't work, and first of all I'm not sure whether this code is correct or not... If you have any advice or ideas, I would really appreciate it! Thank you!

<?php include "common/db.php"; ?>
<?php include "common/header.php"; ?>
<?php include "common/navigation.php"; ?>
<?php include "common/url_validation.php"; ?>
<?php ob_start(); ?>


<!-- Main Content -->
    <div class="container px-4 px-lg-5 ">
        <div class="row gx-4 gx-lg-5 justify-content-center">
            <div class="col-md-10 col-lg-8 col-xl-7">
<!-- Search -->
            <div class="well">
                <h4>Search</h4>
                    <form action="search.php" method="post">
                        <div class="input-group">
                            <input name="search" type="text" class="form-control" placeholder="search title">
                            <span class="input-group-btn">
                                <button name="submit" class="btn btn-default" type="submit">
                                    <span class="glyphicon glyphicon-search"></span>
                                </button>
                            </span>
                        </div>
                    </form>
                </div>
<?php 
        $query = "SELECT * FROM posts ORDER BY post_date DESC ";
        $select_all_posts = mysqli_query($connection,$query);
                        
            while($row = mysqli_fetch_assoc($select_all_posts)){
            $post_id = $row['post_id'];
            $post_title = $row['post_title'];
            $post_user = $row['post_user'];
            $post_date = $row['post_date'];
            $post_image = $row['post_image'];
            $post_contents = substr($row['post_contents'],0,100);
    
?>
                    <!-- Post preview-->
                    <div class="post-preview">
                        <a href="post.php?p_id=<?php echo $post_id; ?>">
                            <h2 class="post-title"><?php echo $post_title; ?></h2>
                        </a>
                        <p class="post-meta">
                            Posted by
                            <a href="#"><?php echo $post_user; ?></a>
                            <?php echo "<p><img width='500' src='./images/$post_image'></p>"; ?>
                            <a><h4 class="post-subtitle"><?php echo $post_contents; ?></h4></a>
                            <p><?php echo $post_date; ?></p>
                            
                            <?php
                            // Login check: credentials arrive in the query string
                            // (?login&user_email=...&user_password=...)
                            if(isset($_GET['login'])){

                                $user_email = $_GET['user_email'];
                                $user_password = $_GET['user_password'];

                                $user_email = mysqli_real_escape_string($connection, $user_email);
                                $user_password = mysqli_real_escape_string($connection, $user_password);

                                $query = "SELECT * FROM users WHERE user_email = '{$user_email}' ";
                                $login_user = mysqli_query($connection, $query);
                                if(!$login_user){
                                    die("Failed". mysqli_error($connection));
                                }

                                // initialise so the comparison below is defined even when no user row matches
                                $db_user_email = null;
                                $db_password = null;
                                // was $login_user_query, which is never assigned; the result handle is $login_user
                                while($row = mysqli_fetch_array($login_user)){
                                    $db_user_email = $row['user_email'];
                                    $db_password = $row['user_password'];
                                }

                                // NOTE: this only checks that the credentials match a users row.
                                // It never compares that user with $post_user, so once any user
                                // logs in the links are printed for every post, not only their own.
                                if($user_email === $db_user_email && $user_password === $db_password){
                                    // was ?=edit_post&p_id=..., which produces an empty parameter name
                                    echo "<a href='edit_post.php?edit_post&p_id={$post_id}'>edit</a>" . "|" . "<a href='home.php?delete={$post_id}'>delete</a>";
                                }
                            }
                            ?>
                            
                        </p>
                    </div>
                    <!-- Divider-->
                    <hr class="my-4" />
            <?php } ?>
            </div>
        </div>
    </div>
    
    
    
    
    
    
    
<!-- Edit Post -->
        <?php
        if(isset($_GET['edit'])){
            $the_post_id = $_GET['edit'];
            // This UPDATE is incomplete: "SET FROM posts" is not valid SQL. The SET clause
            // has to list the columns to change and the values submitted from the edit form.
            $query = "UPDATE posts SET FROM posts WHERE post_id= {$the_post_id}";
            $edit_query = mysqli_query($connection, $query);
            header("Location:./home.php");
            exit; // stop rendering the rest of the page after the redirect
        }
        ?>

<!-- Delete Post -->
        <?php
        if(isset($_GET['delete'])){
            $delete_post_id = $_GET['delete'];

            // No ownership check here: anyone who requests home.php?delete=N removes post N.
            $query = "DELETE FROM posts WHERE post_id= {$delete_post_id}";
            $delete_query = mysqli_query($connection, $query);
            header("Location:./home.php");
            exit;
        }
        ?>
        

<?php include "common/footer.php"; ?>
John
  • 11
  • 2
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Sep 11 '21 at 11:46
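The following is an added example, not the asker's code and not an accepted answer. It shows the two points the question and the comment above raise: the edit/delete links are shown only to the post's owner by comparing the logged-in user (kept in the session after login, not re-sent in the URL) with the post's owner, and the delete itself re-checks ownership on the server with a MySQLi prepared statement. The column name `post_user_id`, the session key `user_id` and the `$connection` handle from `common/db.php` are assumptions; the question's table uses a `post_user` column whose type is not shown.

```php
<?php
// Added example (not the asker's code). Assumes the login step has already stored the
// user's numeric id in $_SESSION['user_id'] and that posts has an owner column named
// post_user_id. Both names are assumptions made for this example.
session_start();

function current_user_id(): ?int {
    return isset($_SESSION['user_id']) ? (int)$_SESSION['user_id'] : null;
}

// One authorisation rule, used both when rendering the links and when handling the request.
function can_modify_post(?int $viewer_id, int $post_owner_id): bool {
    return $viewer_id !== null && $viewer_id === $post_owner_id;
}

// Render the edit/delete controls only for the owner of this row.
// Delete is a POST form rather than a GET link, so a plain link or image cannot trigger it.
function render_post_actions(?int $viewer_id, array $row): string {
    if (!can_modify_post($viewer_id, (int)$row['post_user_id'])) {
        return '';
    }
    $id = (int)$row['post_id'];
    return "<a href='edit_post.php?p_id={$id}'>edit</a> | "
         . "<form method='post' action='home.php' style='display:inline'>"
         . "<input type='hidden' name='delete' value='{$id}'>"
         . "<button type='submit'>delete</button></form>";
}

// Delete handler. Hiding the button is not enough: the server must re-check ownership,
// because anyone can send home.php?delete=N by hand.
function delete_post(mysqli $connection, ?int $viewer_id, int $post_id): bool {
    if ($viewer_id === null) {
        return false;
    }
    // Ownership is enforced inside the query itself, and both values are bound parameters,
    // so neither the id nor the user id is ever interpolated into the SQL text.
    $stmt = $connection->prepare("DELETE FROM posts WHERE post_id = ? AND post_user_id = ?");
    $stmt->bind_param('ii', $post_id, $viewer_id);
    $stmt->execute();
    $deleted = ($stmt->affected_rows === 1);
    $stmt->close();
    return $deleted;
}

// Usage in home.php (assumes $connection from common/db.php):
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'])) {
//     delete_post($connection, current_user_id(), (int)$_POST['delete']);
//     header('Location: ./home.php');
//     exit;
// }
// ... and inside the posts loop:
// echo render_post_actions(current_user_id(), $row);
```

The same pattern applies to the edit handler: load the post with a prepared `SELECT ... WHERE post_id = ? AND post_user_id = ?` and run the `UPDATE` with the same two conditions, so a user can only ever change rows they own. The login step itself is out of scope here, but it should accept credentials via POST and compare them with `password_verify()` against a stored `password_hash()` value rather than comparing plaintext passwords from the URL.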

0 Answers