Here is what the address bar looks like (as you can see any evid can be passed):
http://postareus.us/admin/cal_edit.php?evid=11
I currently have a SQL statement saying pull from the posting table where their username = their session username. This isn't enough though because I can put any evid in the parameter in the address bar and update information from a posting that is not mine.
Here is my code. Any help will be appreciated in creating a method that will redirect a user to an error message instead of still allowing them to update a posting.
// Edit form for one event. The id comes straight from the address bar, so the
// SELECT below restricts the row to the logged-in user. The POST handler that
// saves the form (not shown) has to apply the same restriction: the hidden "id"
// field it receives is just as attacker-controlled as the evid parameter.
if (!empty($_GET['evid'])) {
    $event_id = (int)$_GET['evid'];      // cast to int so the id is never interpolated raw into SQL
    $username = $_SESSION['username'];   // still interpolated unescaped; a bound parameter is the safe form
    // mysql_* is removed in PHP 7; mysqli or PDO with bound parameters is the replacement
    $sql = "SELECT * FROM posting WHERE id='$event_id' AND user = '$username'";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    echo "<h3>Event Details</h3>";
?>
<form action="cal_edit.php" method="post">
<input type="hidden" name="id" value="<?php echo $row['id']; ?>" />
<label>Name</label><input type="text" name="name" value="<?php echo stripslashes($row['event']);?>" /><br />
<label>Description</label><textarea name="desc" class="tinymce" cols="30" rows="10"><?php echo stripslashes($row['description']);?></textarea>
<br /><br />
<label>Location</label><input type="text" name="location" value="<?php echo stripslashes($row['location']);?>" />
<br />
<label>Date</label><input type="text" name="date" id="datepicker" value="<?php echo $row['day'].'/'.$row['month'].'/'.$row['year'];?>" /><br /><br />
<?php
$from = str_split($row['time_from']);
$until = str_split($row['time_until']);
?>
<label>Time From (24hr)</label>
<select name="from">
<option selected value="<?php echo $from[0].$from[1]?>"><?php echo $from[0].$from[1]?></option>
<option value="00">00</option>
<option value="01">01</option>
<option value="02">02</option>
<option value="03">03</option>
<option value="04">04</option>
<option value="05">05</option>
<option value="06">06</option>
<option value="07">07</option>
<option value="08">08</option>
<option value="09">09</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12">12</option>
<option value="13">13</option>
<option value="14">14</option>
<option value="15">15</option>
<option value="16">16</option>
<option value="17">17</option>
<option value="18">18</option>
<option value="19">19</option>
<option value="20">20</option>
<option value="21">21</option>
<option value="22">22</option>
<option value="23">23</option>
<option value="24">24</option>
</select>:
<select name="from2">
<option selected value="<?php echo $from[2].$from[3]?>"><?php echo $from[2].$from[3]?></option>
<option value="15">15</option>
<option value="30">30</option>
<option value="45">45</option>
<option value="00">00</option>
</select>
<br />
<label>Time Until (24hr)</label>
<select name="until">
<option selected value="<?php echo $until[0].$until[1]?>"><?php echo $until[0].$until[1]?></option>
<option value="01">01</option>
<option value="02">02</option>
<option value="03">03</option>
<option value="04">04</option>
<option value="05">05</option>
<option value="06">06</option>
<option value="07">07</option>
<option value="08">08</option>
<option value="09">09</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12">12</option>
<option value="13">13</option>
<option value="14">14</option>
<option value="15">15</option>
<option value="16">16</option>
<option value="17">17</option>
<option value="18">18</option>
<option value="19">19</option>
<option value="20">20</option>
<option value="21">21</option>
<option value="22">22</option>
<option value="23">23</option>
<option value="24">24</option>
</select>:
<select name="until2">
<option selected value="<?php echo $until[2].$until[3]?>"><?php echo $until[2].$until[3]?></option>
<option value="15">15</option>
<option value="30">30</option>
<option value="45">45</option>
<option value="00">00</option>
</select>
<br />
<div class="error_message">Delete this event? (Cannot be undone!) <input type="checkbox" class="checkbox" name="delete" value="delete_evid"></div>
<input type="submit" value="Confirm" name="do_edit" />
</form>
<?php
}
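The ownership check the post asks for, as an added example that is not the poster's code. It rewrites the relevant parts of cal_edit.php so that the same "id AND user" predicate guards the SELECT that shows the form, the UPDATE and DELETE that save it, and so that a request for someone else's event is redirected before anything is shown or changed. Assumptions not present in the original post: a mysqli connection in $db (PHP 7.4+ with mysqlnd, for get_result() and the arrow function), a `posting` table with the columns the form uses, $_SESSION['username'] set by the login code, and two hypothetical pages, cal_error.php for rejected requests and cal_list.php to return to after a save. The date and time selects are left out; they are saved the same way as the three text fields.

```php
<?php
// Added example, not the original poster's code. Assumes a mysqli connection in
// $db, a `posting` table (id, user, event, description, location, ...), a logged-in
// username in $_SESSION, and hypothetical cal_error.php / cal_list.php pages.
session_start();

function deny(): void
{
    // One response for "no such event" and "not your event": the attacker learns
    // nothing about which ids exist and never reaches the form or the update code.
    header('Location: cal_error.php');
    exit;
}

function load_owned_event(mysqli $db, int $event_id, string $username): ?array
{
    // Ownership lives in the WHERE clause and the id is a bound parameter, so the
    // query can neither return another user's row nor be altered by the input.
    $stmt = $db->prepare('SELECT * FROM posting WHERE id = ? AND user = ?');
    $stmt->bind_param('is', $event_id, $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function save_owned_event(mysqli $db, int $event_id, string $username, array $post): void
{
    // The hidden id in the form is as attacker-controlled as the GET parameter, so
    // the UPDATE/DELETE repeats the ownership predicate instead of trusting it.
    if (isset($post['delete'])) {
        $stmt = $db->prepare('DELETE FROM posting WHERE id = ? AND user = ?');
        $stmt->bind_param('is', $event_id, $username);
    } else {
        $stmt = $db->prepare(
            'UPDATE posting SET event = ?, description = ?, location = ? WHERE id = ? AND user = ?'
        );
        $name = $post['name'] ?? '';
        $desc = $post['desc'] ?? '';
        $loc  = $post['location'] ?? '';
        $stmt->bind_param('sssis', $name, $desc, $loc, $event_id, $username);
    }
    $stmt->execute();
    $stmt->close();
}

if (empty($_SESSION['username'])) {
    header('Location: login.php');   // hypothetical login page
    exit;
}
$username = $_SESSION['username'];

// Take the id from the form (POST) or the address bar (GET) and require an integer;
// anything else is treated exactly like an event that does not exist.
$event_id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($event_id === null) {
    $event_id = filter_input(INPUT_GET, 'evid', FILTER_VALIDATE_INT);
}
if (!is_int($event_id)) {
    deny();
}

$row = load_owned_event($db, $event_id, $username);
if ($row === null) {
    deny();   // wrong user or unknown id: redirected before the form is rendered
}

if (isset($_POST['do_edit'])) {
    save_owned_event($db, $event_id, $username, $_POST);
    header('Location: cal_list.php');   // hypothetical list page
    exit;
}

// Escape on output; stripslashes() from the original is only needed with magic
// quotes, which bound parameters make unnecessary.
$e = fn($v): string => htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8');
?>
<h3>Event Details</h3>
<form action="cal_edit.php" method="post">
<input type="hidden" name="id" value="<?= (int)$row['id'] ?>" />
<label>Name</label><input type="text" name="name" value="<?= $e($row['event']) ?>" /><br />
<label>Description</label><textarea name="desc" class="tinymce" cols="30" rows="10"><?= $e($row['description']) ?></textarea><br />
<label>Location</label><input type="text" name="location" value="<?= $e($row['location']) ?>" /><br />
<div class="error_message">Delete this event? (Cannot be undone!) <input type="checkbox" class="checkbox" name="delete" value="delete_evid"></div>
<input type="submit" value="Confirm" name="do_edit" />
</form>
```

The point to check in your own version: changing evid in the address bar, or editing the hidden id field before submitting, must both land on cal_error.php, and the UPDATE and DELETE must carry `AND user = ?` themselves rather than relying on the SELECT that ran earlier. A quick test is to log in as one user, note an event id belonging to another user, and try both the GET and a hand-built POST with that id.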