User Permissions
Posted: Mon Nov 29, 2010 1:18 pm
I have a method for users to be able to edit postings that they have made. It works fine except I do not have a control to keep the user from changing the address parameter in the address bar. I need to hide this parameter if possible as well as add an else statement somewhere that directs them to a file that lets them know this is not their posting to edit if the parameter is hacked.
Here is what the address bar looks like (as you can see any evid can be passed):
http://postareus.us/admin/cal_edit.php?evid=11
I currently have a SQL statement saying pull from the posting table where their username = their session username. This isn't enough though because I can put any evid in the parameter in the address bar and update information from a posting that is not mine.
Here is my code. Any help will be appreciated in creating a method that will redirect a user to an error message instead of still allowing them to update a posting.
if(!empty($_GET['evid'])) {
$event_id = (int)$_GET['evid']; // evid must be a number; never put the raw query string into SQL
$username = mysql_real_escape_string($_SESSION['username']);
$sql = "SELECT * FROM posting WHERE id='$event_id' AND user = '$username'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
echo "<h3>Event Details</h3>";
?>
<form action="cal_edit.php" method="post">
<input type="hidden" name="id" value="<?php echo $row['id']; ?>" />
<label>Name</label><input type="text" name="name" value="<?php echo stripslashes($row['event']);?>" /><br />
<label>Description</label><textarea name="desc" class="tinymce" cols="30" rows="10"><?php echo stripslashes($row['description']);?></textarea>
<br /><br />
<label>Location</label><input type="text" name="location" value="<?php echo stripslashes($row['location']);?>" />
<br />
<label>Date</label><input type="text" name="date" id="datepicker" value="<?php echo $row['day'].'/'.$row['month'].'/'.$row['year'];?>" /><br /><br />
<?php
$from = str_split($row['time_from']);
$until = str_split($row['time_until']);
?>
<label>Time From (24hr)</label>
<select name="from">
<option selected value="<?php echo $from[0].$from[1]?>"><?php echo $from[0].$from[1]?></option>
<option value="00">00</option>
<option value="01">01</option>
<option value="02">02</option>
<option value="03">03</option>
<option value="04">04</option>
<option value="05">05</option>
<option value="06">06</option>
<option value="07">07</option>
<option value="08">08</option>
<option value="09">09</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12">12</option>
<option value="13">13</option>
<option value="14">14</option>
<option value="15">15</option>
<option value="16">16</option>
<option value="17">17</option>
<option value="18">18</option>
<option value="19">19</option>
<option value="20">20</option>
<option value="21">21</option>
<option value="22">22</option>
<option value="23">23</option>
<option value="24">24</option>
</select>:
<select name="from2">
<option selected value="<?php echo $from[2].$from[3]?>"><?php echo $from[2].$from[3]?></option>
<option value="15">15</option>
<option value="30">30</option>
<option value="45">45</option>
<option value="00">00</option>
</select>
<br />
<label>Time Until (24hr)</label>
<select name="until">
<option selected value="<?php echo $until[0].$until[1]?>"><?php echo $until[0].$until[1]?></option>
<option value="01">01</option>
<option value="02">02</option>
<option value="03">03</option>
<option value="04">04</option>
<option value="05">05</option>
<option value="06">06</option>
<option value="07">07</option>
<option value="08">08</option>
<option value="09">09</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12">12</option>
<option value="13">13</option>
<option value="14">14</option>
<option value="15">15</option>
<option value="16">16</option>
<option value="17">17</option>
<option value="18">18</option>
<option value="19">19</option>
<option value="20">20</option>
<option value="21">21</option>
<option value="22">22</option>
<option value="23">23</option>
<option value="24">24</option>
</select>:
<select name="until2">
<option selected value="<?php echo $until[2].$until[3]?>"><?php echo $until[2].$until[3]?></option>
<option value="15">15</option>
<option value="30">30</option>
<option value="45">45</option>
<option value="00">00</option>
</select>
<br />
<div class="error_message">Delete this event? (Cannot be undone!) <input type="checkbox" class="checkbox" name="delete" value="delete_evid"></div>
<input type="submit" value="Confirm" name="do_edit" />
</form>
<?php
}
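The ownership check the post is asking for, as an added example that is not the poster's code: it swaps the old mysql_ functions for mysqli prepared statements (PHP 7.1+), and assumes a mysqli connection in $db, a `posting` table with columns id/user/event/description, and error/login pages no_access.php and login.php (all assumed names).

```php
<?php
// Added example, not the poster's code. Assumes: a mysqli connection in $db,
// $_SESSION['username'] set at login, a `posting` table with columns
// id/user/event/description, and an error page no_access.php (all assumed).
session_start();

// Returns the posting only if it belongs to $username; anyone else gets null,
// whatever evid they type into the address bar.
function load_own_posting(mysqli $db, int $event_id, string $username): ?array {
    $stmt = $db->prepare(
        'SELECT id, event, description FROM posting WHERE id = ? AND user = ?');
    $stmt->bind_param('is', $event_id, $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// The UPDATE repeats the ownership condition: the hidden "id" field in the
// form is just as user-controlled as the evid query parameter.
function update_own_posting(mysqli $db, int $event_id, string $username,
                            string $name, string $desc): void {
    $stmt = $db->prepare(
        'UPDATE posting SET event = ?, description = ? WHERE id = ? AND user = ?');
    $stmt->bind_param('ssis', $name, $desc, $event_id, $username);
    $stmt->execute();
    $stmt->close();
}

if (empty($_SESSION['username'])) { header('Location: login.php'); exit; }
$username = $_SESSION['username'];

// POST branch: check ownership first, then update, then bounce back to the form.
if (isset($_POST['do_edit'], $_POST['id'])) {
    $event_id = (int)$_POST['id'];
    if (load_own_posting($db, $event_id, $username) === null) {
        header('Location: no_access.php'); exit;   // not their posting
    }
    update_own_posting($db, $event_id, $username, (string)$_POST['name'], (string)$_POST['desc']);
    header('Location: cal_edit.php?evid=' . $event_id); exit;
}

// GET branch: same check before the edit form is rendered at all.
$event_id = (int)($_GET['evid'] ?? 0);
$row = load_own_posting($db, $event_id, $username);
if ($row === null) {
    header('Location: no_access.php'); exit;       // not their posting, or no such id
}
echo '<h3>Event Details</h3>';
// ... render the edit form for $row as in the original post ...
```

Moving evid into a hidden field or a POST body protects nothing, since whoever holds the browser controls every request; the `AND user = ?` condition on both the SELECT and the UPDATE is what actually enforces ownership.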