From the interface, both versions are PDO and OOP - but you did not even change the query. If you wish to use bind_param you can do that. Didn’t you try your code?
Can't make it work; even the people on the Stack Overflow forum can't handle it.
$sql = "DELETE FROM articles WHERE article_id = ? AND user_id = ?";
if ($stmt = $conn->prepare($sql)) {
    // bind_param() binds by reference, so the values may be assigned after binding
    $stmt->bind_param("ii", $param_article_id, $param_user_id);
    $param_article_id = trim($_POST["article_id"]);
    $param_user_id = trim($_SESSION["user_id"]);
    $stmt->execute();
}
Your $_SESSION variable seems to have changed names - it started out being called id, now it seems to be called user_id.
I don’t use mysqli myself, but I can’t see anything wrong with your code. Have you checked that the values you are trying to use in the query are what you expect them to be?
This code is for users who need to edit or delete their own posts, so I need to check session control. And yes, all values are filled; the session name is the same, $_SESSION['id']. I was playing with it for tests.
Hi buddy,
nope: nothing would change.
Here is the total working code.
It goes to the delete page and locks the button so the wrong owner can't delete that post.
But it still goes to the post page.
I wanted to validate the URL: if it's a wrong URL, then redirect to the error page, not to the delete page.
<?php
if (isset($_POST["article_id"]) && !empty($_POST["article_id"])) {
    // Only delete when the submitted user id matches the logged-in user's id
    if ($_POST["user_id"] == $_SESSION['id']) {
        $sql = "DELETE FROM articles WHERE article_id = ?";
        if ($stmt = $conn->prepare($sql)) {
            // bind_param() binds by reference, so the value may be assigned after binding
            $stmt->bind_param("i", $article_id);
            $article_id = trim($_POST["article_id"]);
            if ($stmt->execute()) {
                // Records deleted successfully. Redirect to landing page
                header("location: index.php");
                exit();
            } else {
                echo "Oops! Something went wrong. Please try again later.";
            }
            $stmt->close();
        }
        $conn->close();
    }
} else {
    // Check existence of id parameter
    if (!isset($_GET["article_id"]) || empty(trim($_GET["article_id"]))) {
        // URL doesn't contain id parameter. Redirect to error page
        header("location: error.php");
        exit();
    }
}
?>
If this is how you are accessing the page, then the variables will be in $_GET, not $_POST. But you said that they were showing the correct values so that can’t be the problem. And yet your latest code mixes the two.
Can you clarify that a bit, please? I’m not really sure I understand what you’re saying. “I wanted to valide URL”: presuming you meant validate the URL, I don’t see anywhere you have a URL, just the article id and the user id.
My question is how to check whether the userID in the link is equal to the session ID,
to see if it's the real owner of the post; if not, then redirect to the error page.
Otherwise a member from userlvl2 can steal another same-level user's userId or postID and edit or delete their posts.
It was like this in mysql: $sql = "select * from posts where postId = postId AND userID = sessionId";
But prepared statements are giving me a headache. I am trying hard to learn; I've been away a long time.
My question is how to check that the userId (which is the session UID) in the link is equal to the userId in the post table.
Simple, I need to add $userId["userId"] == $_SESSION['id']
to this code.
**EDIT:**
Conditions added; need to redirect to error.php if the link is invalid.
`Note:` link changed to <a href="page.php?article_id=article_id">Edit Post</a>
<?php
if (isset($_POST["article_id"]) && !empty($_POST["article_id"])) {
    // Prepare a delete statement
    $sql = "DELETE FROM articles WHERE article_id = ?";
    if ($stmt = $conn->prepare($sql)) {
        // bind_param() binds by reference, so the values may be assigned after binding
        $stmt->bind_param("ii", $param_store_id, $param_article_id);
        $param_article_id = trim($_POST["article_id"]);
        $param_userId = trim($_SESSION["id"]);
        if ($stmt->execute()) {
            // Records deleted successfully. Redirect to landing page
            header("location: index.php");
            exit();
        } else {
            echo "Oops! Something went wrong. Please try again later.";
        }
        $stmt->close();
    }
    $conn->close();
} else {
    // Check existence of id parameter
    if (!isset($_GET["article_id"]) || empty(trim($_GET["article_id"]))) {
        // URL doesn't contain id parameter. Redirect to error page
        header("location: error.php");
        exit();
    }
}
?>
This is the confirm form:
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
    <div class="alert alert-danger fade in">
        <input type="hidden" name="article_id" value="<?php echo trim($_GET["article_id"]); ?>"/>
        <p>Are you sure you want to delete this record?</p><br>
        <p>
            <input type="submit" value="Yes" class="btn btn-danger">
            <a href="index.php" class="btn btn-default">No</a>
        </p>
    </div>
</form>
I tried several methods but they didn't work, and I asked on Stack Overflow today; a few people tried to do it,
but it didn't work.
But you are now back to the query with a single condition, a single parameter, yet you’re passing two parameters into it. Doesn’t that give you an error, or does mysqli just ignore the “spare” one? (I use PDO so I’m not sure how it would react).
Do you mean that you want to check for the matching user ID? Because that line of code will set the user ID, not check it, and I don’t see a need for an array in the code you posted. The key thing, though, is that the user-id that comes in as part of the $_GET array to your confirmation page doesn’t get passed on to the code that actually does the deleting. You need to add another hidden variable in your form to pass that through, the same way that you have with the article id. So duplicate this line
Once you get to the deletion, you just need to check that it all matches.
$sid = $_SESSION['id']; // your stored user id
if ($_POST['user_id'] != $sid) {
    // user-id has changed
    header("Location: error.php"); // go to error page
    exit();
}
// if it gets here, the user id matches, you can do the rest.
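The thread's own two-condition query (article_id AND user_id, as in the very first snippet) carried through as an added example, written for this thread and not taken from the OP's or the helper's code: the ownership check sits in the WHERE clause and uses only the id stored in the session, so nothing sent in the link or a hidden field decides who owns the post, and affected_rows tells the delete page whether to go to index.php or error.php. The table and column names come from the thread; session_start(), the mysqlnd driver (for get_result) and that the same page renders the confirm form on GET are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes session_start() has run,
// $_SESSION['id'] is the logged-in user's id (as in the thread), $conn is a
// connected mysqli object (mysqlnd, for get_result) and the page's own table
// articles(article_id, user_id). The owner id comes from the session only;
// nothing sent in the link or a hidden field is trusted for the ownership check.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // prepare/execute failures throw
// Article id from POST (confirm form) or GET (link) as a positive int, else null.
function requestedArticleId(): ?int {
    $raw = $_POST['article_id'] ?? $_GET['article_id'] ?? null;
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Delete only if $user_id owns the article: true when exactly one row went away,
// false when the row does not exist or belongs to someone else.
function deleteOwnArticle(mysqli $conn, int $article_id, int $user_id): bool {
    $stmt = $conn->prepare("DELETE FROM articles WHERE article_id = ? AND user_id = ?");
    $stmt->bind_param("ii", $article_id, $user_id);
    $stmt->execute();
    $deleted = $stmt->affected_rows === 1;
    $stmt->close();
    return $deleted;
}

// Same rule for the edit/confirm page: the row is loaded only when the session user owns it.
function fetchOwnArticle(mysqli $conn, int $article_id, int $user_id): ?array {
    $stmt = $conn->prepare("SELECT * FROM articles WHERE article_id = ? AND user_id = ?");
    $stmt->bind_param("ii", $article_id, $user_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
$article_id = requestedArticleId();
if ($article_id === null || !isset($_SESSION['id'])) {
    header("Location: error.php"); // bad link or not logged in
    exit();
}
$user_id = (int) $_SESSION['id'];
if ($_SERVER['REQUEST_METHOD'] === 'POST') { // "Yes" was clicked on the confirm form
    $deleted = deleteOwnArticle($conn, $article_id, $user_id);
    header("Location: " . ($deleted ? "index.php" : "error.php"));
    exit();
}
if (fetchOwnArticle($conn, $article_id, $user_id) === null) { // GET by a non-owner
    header("Location: error.php");
    exit();
}
// Reaching here on GET means this user owns the article: render the confirm form.
```

With this layout the confirm form only needs the hidden article_id field the thread already has; a second hidden user_id field adds nothing, because the user id used in the query is never read from the request.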