
[solved] Delete a private message securely without get/post?

Posted: Fri Dec 02, 2005 3:26 am
by robster
Hi all, this is one i'm stuck on:

I have a PM (private message) from my forum scripts that I access via a function, and I want to delete it (the PM). That's cool, as there's this sweet function. It runs like so:

if ($SDK->delete_pm("2"))
{
    echo 'Message Deleted.';
}
2 is the message I want to delete in this example. I have the message number; it is in a var called $i['mt_id'], but how can I create an HTML link on the page to execute the said $SDK->delete_pm function? (i.e. a 'DELETE PM' link) If I put it out there as a $_GET in an <a href>, then anyone can change the 2 to whatever and delete loads of people's PMs!!!!

If anyone has any ideas I'd really appreciate some advice.

Thanks so much,

Rob

Posted: Fri Dec 02, 2005 4:24 am
by Chris Corbyn
Not the answer you're looking for, but I would do it via the URL personally. All you have to do is check that the message ID belongs to the currently logged-in member before you allow the delete to occur. You could either add some code to the existing method to do that check, or you could write a new method "is_pm_owner($message_id)" that returns a boolean and use that to check ;)

Without GET or POST requests sent to the server you're pretty stuck :)
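The ownership check Chris describes, written out as an added example (this is not code from the thread or from the forum's real SDK; the PmSdk class, its in-memory message table, the member ids and the handle_delete() helper are all assumptions made for the demo). The point it shows: the check goes inside delete_pm(), so no caller can forget it, and the member id comes from the session rather than from the URL.

```php
<?php
// Added example, not the forum SDK: ownership check before deleting a PM.
// The class, table layout and sample messages below are constructed for the demo.

declare(strict_types=1);

class PmSdk
{
    // Constructed sample data: mt_id => owner member id and subject.
    private array $messages = [
        1 => ['owner' => 7,  'subject' => 'hello'],
        2 => ['owner' => 7,  'subject' => 'meeting'],
        3 => ['owner' => 42, 'subject' => 'not yours'],
    ];

    // True only if the message exists and belongs to $member_id.
    public function is_pm_owner(int $message_id, int $member_id): bool
    {
        return isset($this->messages[$message_id])
            && $this->messages[$message_id]['owner'] === $member_id;
    }

    // The ownership check lives inside the delete, so every caller gets it.
    // Unknown id and wrong owner both return false, so the response does not
    // tell a caller whether a guessed id exists.
    public function delete_pm(int $message_id, int $member_id): bool
    {
        if (!$this->is_pm_owner($message_id, $member_id)) {
            return false;
        }
        unset($this->messages[$message_id]);
        return true;
    }

    public function count(): int
    {
        return count($this->messages);
    }
}

// Handle a request like delete_pm.php?id=2 for the logged-in member.
// $current_member must come from the session, never from the request itself.
function handle_delete(PmSdk $sdk, array $get, int $current_member): string
{
    // The id is untrusted input from the URL: validate it as an integer first.
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'Bad message id.';
    }
    return $sdk->delete_pm($id, $current_member)
        ? 'Message Deleted.'
        : 'No such message.';
}

$sdk = new PmSdk();
echo handle_delete($sdk, ['id' => '2'], 7), "\n"; // member 7 owns message 2
echo handle_delete($sdk, ['id' => '3'], 7), "\n"; // message 3 belongs to member 42
echo handle_delete($sdk, ['id' => 'x'], 7), "\n"; // not an integer
echo $sdk->count(), " messages left\n";
```

Two things worth keeping from this even if your real SDK looks nothing like it: the check compares against the session's member id, so editing the id in the URL only ever reaches the caller's own messages, and a delete that changes server state is better triggered by a POST than by a plain GET link, since a GET link can be followed by a browser without the member intending it.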

Posted: Fri Dec 02, 2005 4:26 am
by robster
That sounds like a good option. I like it :) Thanks so much, I'll get onto it now (sigh, now it's confirmed I have to DO it! :))


EDIT: WORKED A TREAT! THANKS AGAIN :)

rob

Posted: Fri Dec 02, 2005 7:43 am
by AGISB
You can secure the URL further by hashing the number with a secret passphrase. It would look like this:

?id=002&hash=afe5ea4.........

Then you can test the hash with your passphrase for additional security.
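AGISB's hashed link, as an added example that is not part of the thread (the secret, the member ids and the helper names are assumptions for the demo). It uses hash_hmac() rather than a bare hash of id plus passphrase, and it puts the member id into the MAC input as well, so a link minted for one member is not accepted when presented by another. Verification uses hash_equals() so the comparison runs in constant time.

```php
<?php
// Added example, not the forum's code: HMAC-signed delete link and its check.
// The secret and member ids are constructed for the demo.

declare(strict_types=1);

// In real code load the secret from config outside the web root; never hard-code it.
const PM_LINK_SECRET = 'change-me-to-a-long-random-value';

// The MAC covers the member id as well as the message id, so a link minted
// for member 7 is not valid when member 42 presents it.
function pm_delete_hash(int $message_id, int $member_id): string
{
    return hash_hmac('sha256', "delete_pm:{$message_id}:{$member_id}", PM_LINK_SECRET);
}

// Build the href for the "DELETE PM" link on the member's own page.
function pm_delete_link(int $message_id, int $member_id): string
{
    return sprintf('delete_pm.php?id=%d&hash=%s', $message_id, pm_delete_hash($message_id, $member_id));
}

// Verify the id and hash that came back in the request.
// Returns the message id on success, null otherwise.
function verify_pm_delete_request(array $get, int $current_member): ?int
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    $hash = $get['hash'] ?? '';
    if ($id === false || !is_string($hash)) {
        return null;
    }
    // hash_equals compares in constant time, so a guesser learns nothing from
    // how many leading characters of a forged hash happened to match.
    if (!hash_equals(pm_delete_hash($id, $current_member), $hash)) {
        return null;
    }
    return $id;
}

$member = 7;
$link = pm_delete_link(2, $member);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);

// Untampered link presented by member 7: accepted.
var_dump(verify_pm_delete_request($query, $member));
// Same hash with the id changed to 3: rejected.
var_dump(verify_pm_delete_request(['id' => '3', 'hash' => $query['hash']], $member));
// Member 42 presents member 7's link: rejected.
var_dump(verify_pm_delete_request($query, 42));
```

The hash stops anyone from editing the id in the URL, but it does not replace the ownership check from earlier in the thread: the server still has to confirm that the verified id belongs to the current member before calling delete_pm(), because a signed link is only as good as the secret and the page that minted it.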