[solved] Delete a private message securely without get/post?

Post by robster »

Hi all, this is one I'm stuck on:

I have a PM (Private message) from my forum scripts that I access via a function, and I want to delete it (the PM). That's cool as there's this sweet as function, it runs like so:

Code:

    if ($SDK->delete_pm("2"))
    {
        echo 'Message Deleted.';
    }

2 is the message I want to delete in this example. I have the message number, it is in a var called $i['mt_id'], but how can I create an HTML link on the page to execute the said $SDK->delete_pm function? (i.e. a 'DELETE PM' link) If I put it out there as a $_GET in an <a href> then anyone can change the 2 to whatever and delete loads of people's PMs!!!!

If anyone has any ideas I'd really appreciate some advice.

Thanks so much,

Rob
Last edited by robster on Fri Dec 02, 2005 4:34 am, edited 1 time in total.

Post by Chris Corbyn »

Not the answer you're looking for, but I would do it via the URL personally. All you have to do is to check if that message ID belongs to the currently logged in member before you allow the delete to occur. You could either add some code to the existing method to do that check or you could write a new method "is_pm_owner($message_id)" that returns a boolean and use that to check ;)

Without GET or POST requests sent to the server you're pretty stuck :)

Post by robster »

That sounds like a good option. I like it :) Thanks so much, I'll get onto it now (sigh, now it's confirmed I have to DO it! :))


EDIT: WORKED A TREAT! THANKS AGAIN :)

rob

Post by AGISB »

You can secure the URL further by hashing the number with a secret passphrase. It would look like this:

?id=002&hash=afe5ea4.........

Then you can test the hash with your passphrase for additional security.
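
An added example, not part of the thread and not the forum SDK's code, combining the ownership check from Chris Corbyn's reply with the keyed hash from AGISB's reply. The $pms array, LINK_KEY, link_hash(), delete_link() and handle_delete() are hypothetical names, the in-memory array stands in for the PM table, and HMAC-SHA256 is an assumed choice for "hashing the number with a secret passphrase".

```php
<?php
// Added example; not the forum SDK. LINK_KEY is a placeholder secret.
const LINK_KEY = 'replace-with-a-random-server-side-secret';

// Constructed sample data: message id => owning member id.
$pms = [2 => ['owner' => 10], 3 => ['owner' => 11]];

// Ownership check suggested in the thread (body is hypothetical).
function is_pm_owner(array $pms, int $messageId, int $memberId): bool
{
    return isset($pms[$messageId]) && $pms[$messageId]['owner'] === $memberId;
}

// Keyed hash over member and message id, so a link is only valid for
// the member it was rendered for and for that one message.
function link_hash(int $messageId, int $memberId): string
{
    return hash_hmac('sha256', $memberId . ':' . $messageId, LINK_KEY);
}

function delete_link(int $messageId, int $memberId): string
{
    return '?id=' . $messageId . '&hash=' . link_hash($messageId, $memberId);
}

// $memberId must come from the server-side session, never from the URL.
function handle_delete(array &$pms, array $query, int $memberId): string
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    $hash = $query['hash'] ?? '';
    if ($id === false || !is_string($hash)) {
        return 'Bad request.';
    }
    if (!hash_equals(link_hash($id, $memberId), $hash)) {
        return 'Link was altered.';
    }
    // The hash only detects tampering; ownership is still the authorization check.
    if (!is_pm_owner($pms, $id, $memberId)) {
        return 'Not your message.';
    }
    unset($pms[$id]);
    return 'Message Deleted.';
}

parse_str(ltrim(delete_link(2, 10), '?'), $query);          // link rendered for member 10
echo handle_delete($pms, ['id' => '3'] + $query, 10), "\n"; // id edited in the URL
echo handle_delete($pms, $query, 11), "\n";                 // link replayed by member 11
echo handle_delete($pms, $query, 10), "\n";                 // untouched link, owner
```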