[D_tunisia]

I've written this code:

PHP Code:

<html>



<body>



<?php



include ("dbConfig.php");



mysql_select_db("ittechni_main");



// display individual record



if ($id) {



   $result = mysql_query("SELECT * FROM posts WHERE id=$id");



   $myrow = mysql_fetch_array($result);



   printf("Title: %s\n<br>", $myrow["title"]);



   printf("Text: %s\n<br>", $myrow["text"]);



} else {



    // show employee list



   $result = mysql_query("SELECT * FROM posts");



    if ($myrow = mysql_fetch_array($result)) {



      // display list if there are records to display



      do {



        printf("<a href=\"%s?id=%s\">%s %s</a><br>\n", $PHP_SELF, $myrow["id"], 



$myrow["title"], $myrow["text"]);



      } while ($myrow = mysql_fetch_array($result));



    } else {



      // no records to display



      echo "Sorry, no records were found!";    



    }



}







?>







</html>

The code displays a posted message from a news script which is linked from a members area. The issue I have though is that, with the code in its present form, it means that someone could type in the URL with the ?=$postid and modify someone elses post.

Do you guys know of a way to ensure that only the user who posted the message can modify it?

Thanks.

[Frank]

You can check if the username and password saved in the session or cookie matches the ones saved in the database and then print the data.


You can add this after "if ($id) {" and then modify your code to make it work with my code.

PHP Code:

$query_user = mysql_query("SELECT * FROM users"); // choose your user table

$check_user = mysql_fetch_array($query_user);



if (($check_user['username'] == $_SESSION['username']) && ($check_user['password'] == $_SESSION['password'])) {



echo 'you\'re in members\' section, smile!';



} else {

    echo 'You are not yet a member!';

    } 

Frank