I have 2 tables in my DB: users(id, pass, email)
and messages(id, ownerid, text)
I want to allow each user to edit his own messages (via AJAX, but that doesn't matter right now).
The question is, after accessing all of a user's messages
$STH = $DBH->prepare( "SELECT * FROM messages WHERE ownerid=:ownerid " );
//bind
$data = array( 'ownerid' => $_SESSION['id'] );
//exec
$STH->execute( $data );
while ( $results = $STH->fetch() ) {
    echo $results['text'];
}
I want to display them in editable textfields. The problem is that on clicking a certain textfield, how can I get the id
of the message? I was thinking about including it in the html output, but that is not the most secure option.
It is a secure option. When a user edits his comment, you issue a GET request. Upon receiving the GET request, you check the validity of the user owning the comment:
SELECT ownerid FROM messages WHERE id = $_GET['id']
(Though make sure to protect yourself from MySQL injection (using PDO); the above example is NOT safe.)
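
The ownership check described in the answer above, written with bound PDO parameters, as an added example that is not part of the original posts. The `messages` table layout comes from the question; the in-memory SQLite database, the sample rows and the `updateMessage()` helper are assumptions made so the snippet runs stand-alone.

```php
<?php
// Constructed sample data in an in-memory SQLite database (assumption for the demo).
$DBH = new PDO('sqlite::memory:');
$DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$DBH->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, ownerid INTEGER, text TEXT)');
$DBH->exec("INSERT INTO messages (id, ownerid, text) VALUES (1, 10, 'alice note'), (2, 20, 'bob note')");

/**
 * Hypothetical helper: update a message only if it belongs to the logged-in user.
 * $messageId is taken from the request and is untrusted;
 * $sessionUserId is taken from $_SESSION['id'] and is set server-side.
 */
function updateMessage(PDO $DBH, $messageId, int $sessionUserId, string $newText): bool
{
    // Accept only a positive integer id; anything else is rejected before touching the DB.
    $id = filter_var($messageId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }

    // Ownership check from the answer, with the id bound instead of interpolated.
    $STH = $DBH->prepare('SELECT ownerid FROM messages WHERE id = :id');
    $STH->execute(['id' => $id]);
    $ownerId = $STH->fetchColumn();
    if ($ownerId === false || (int) $ownerId !== $sessionUserId) {
        return false; // no such message, or it belongs to another user
    }

    // Keep ownerid in the WHERE clause so the write itself is scoped to the owner.
    $STH = $DBH->prepare(
        'UPDATE messages SET text = :text WHERE id = :id AND ownerid = :ownerid'
    );
    return $STH->execute(['text' => $newText, 'id' => $id, 'ownerid' => $sessionUserId]);
}

$sessionUserId = 10; // stands in for $_SESSION['id']

var_dump(updateMessage($DBH, '1', $sessionUserId, 'edited by owner')); // the user's own message
var_dump(updateMessage($DBH, '2', $sessionUserId, 'tampered'));        // id changed in the HTML to another user's message
var_dump(updateMessage($DBH, '1 OR 1=1', $sessionUserId, 'x'));        // request value that is not an integer id

// Show the stored rows after the three attempts.
foreach ($DBH->query('SELECT id, ownerid, text FROM messages ORDER BY id') as $row) {
    echo $row['id'], ' ', $row['ownerid'], ' ', $row['text'], PHP_EOL;
}
```

Because the server compares the stored `ownerid` with the session value on every edit, a message id that is visible or altered in the HTML does not let one user change another user's message.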