Basically I have a site where people can post topics or discussions, I have added a edit_post feature which is working fine, but in testing I realized by changing the URL people could edit other peoples posts, I have tried to implement a check so that only the person who made the post can edit it, but not having luck, I'm not getting any errors, but it's now not letting other users edit, but it's not letting the topic creator edit either.
if ( isset($_GET['edit'])) {
$id = $_GET['edit'];
$res = mysql_query("SELECT users.user_id, users.username, users.profile, topics.topic_id, topics.category, topics.sub_category, topics.subsub_category, topics.topic_data,
topics.posted_by, topics.posted, topics.view, topics.invisipost
FROM `topics`
JOIN `users` on topics.posted_by = users.user_id WHERE topic_id='$id'");
$rows = mysql_fetch_array($res);
}
if ( isset($_POST['topic_data'])) {
$topic_data = $_POST['topic_data'];
$id = $_POST['id'];
$sql = "UPDATE topics SET topic_data='$topic_data' WHERE topic_id='$id' AND '".$_SESSION['user_id']."'='$posted_by'";
$res = mysql_query($sql) or die("Could not update".mysql_error());
header("Location: view_topic.php?topic_id=$id");
}
Your query should be like this:
"UPDATE topics SET topic_data='$topic_data' WHERE
topic_id='$id' AND posted_by ='".$_SESSION['user_id']."'";
because posted_by is column...
It should be,
AND posted_by='".$_SESSION['user_id']."'"; //posted_by is column name
instead of
AND '".$_SESSION['user_id']."'='$posted_by'";
try this
if ( isset($_POST['topic_data']) and $_SESSION['user_id']==$posted_by) {
$topic_data = $_POST['topic_data'];
$id = $_POST['id'];
$sql = "UPDATE topics SET topic_data='$topic_data' WHERE topic_id='$id' ";
$res = mysql_query($sql) or die("Could not update".mysql_error());
header("Location: view_topic.php?topic_id=$id");
}