Allowing poster to delete their post or topic?
- metroid87706
- Forum Newbie
- Posts: 17
- Joined: Sat Jul 14, 2007 12:06 pm
Hi. I'm making a forum from this tutorial (http://www.phpeasystep.com/workshopview.php?id=12) and wanted to ask if someone can help.
Is there a way I can make it so that if a user posts a topic or a reply, they have the option next to THEIR posts and topics to delete it?
I hope I am explaining what I need well.
Thanks for your help.
Yes, there is a way (of course there is a way).
But for that you will need to have a login, or something else to make sure the user is the user who posted the post.
No, but really it is almost the same as making something like a PM (you know, in forums there's a PM button). It's almost the same as placing a PM button in every post.
Well, it's quite easy.
Here is the logic:

<?php
// $user_who_made_post comes from the post row, $user_who_is_logged_in from the login session
if ($user_who_made_post == $user_who_is_logged_in) {
    echo '<a href="deletepost.php?post_id=' . $post_id . '">delete this post</a>';
}

Set Search Time - A Google Chrome extension. When you search, only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
A few points:
1. deletepost.php should verify that the user who is logged in actually made the post before processing the deletion.
2. You'll want to check if anyone has replied to the post and act accordingly.
3. deletepost.php should not perform any actions based on GET requests as this is a security risk. Instead it should only accept requests via POST data.
astions wrote:
3. deletepost.php should not perform any actions based on GET requests as this is a security risk. Instead it should only accept requests via POST data.

Not really. As long as you check that the user is logged in, the post exists, and the author of the post == the user logged in, there won't be a problem.
metroid87706 wrote:
Ahhh, newbie here, lol.
What do I put into deletepost.php?
Sorry, lol.

This would be the page that actually deletes the post.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
astions wrote:
3. deletepost.php should not perform any actions based on GET requests as this is a security risk. Instead it should only accept requests via POST data.

Not exactly. As long as you use the verification methods you should already be using (and hopefully a confirmation before deletion!), using GET requests would be fine.
Those of you who are saying it is not a security risk should read about CSRF (cross-site request forgery). Although unlikely, it can and does allow you to perform actions on other sites on behalf of the currently logged-in user through the use of GET requests. Think image tags...
Using GET requests to perform actions is also a violation of the HTTP specification (Section 9.1.1 of RFC 2616).

<img src="deletepost.php?post_id=1234" />

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
That risk would then be transferred to the authentication mechanism used, not necessarily to that of the $_GET request.
Suppose I made a hidden form with a tricky button "Click here to go to home page". It could just as easily be spoofed.
Although, the $_GET request in this instance should be used to show a form to confirm the deletion, which would then send POST data.
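As an added example (not code from this thread or from the phpeasystep tutorial), here is one way to put the whole discussion into a single deletepost.php: the owner-only control from the "here is the logic" post, astions' three checks (logged in, author matches, replies handled, no state change on GET), and the GET-shows-a-confirmation-form / POST-performs-the-delete flow from the last reply, with a per-session token compared via hash_equals() so a forged request like the <img> tag above is refused. The table layout posts(post_id, topic_id, parent_post_id, author_id, body), the SQLite DSN and the $_SESSION['user_id'] key are assumptions. Run it as "php deletepost.php" to exercise delete_own_post() against a constructed in-memory database instead of a web request.

```php
<?php
// deletepost.php (added example). Assumed schema: posts(post_id, topic_id, parent_post_id, author_id, body)
declare(strict_types=1);

// One random token per session; the confirmation form embeds it and the POST handler verifies it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_is_valid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);   // constant-time comparison
}

// Listing side of the thread's logic: show the control only to the author. Hiding the link is not
// authorization; the real check is delete_own_post(). The link only opens the confirmation form.
function render_delete_control(int $author_id, int $viewer_id, int $post_id): string
{
    if ($author_id !== $viewer_id) {
        return '';
    }
    return '<a href="deletepost.php?post_id=' . $post_id . '">delete this post</a>';
}

// Server-side authorization: post must exist, belong to $user_id and have no replies.
// Returns one of: not_found, forbidden, has_replies, deleted.
function delete_own_post(PDO $db, int $user_id, int $post_id): string
{
    $stmt = $db->prepare('SELECT author_id FROM posts WHERE post_id = :id');
    $stmt->execute([':id' => $post_id]);
    $author = $stmt->fetchColumn();
    if ($author === false) {
        return 'not_found';
    }
    if ((int)$author !== $user_id) {   // compare numeric ids strictly, not display names loosely
        return 'forbidden';
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM posts WHERE parent_post_id = :id');
    $stmt->execute([':id' => $post_id]);
    if ((int)$stmt->fetchColumn() > 0) {
        return 'has_replies';   // a real forum might soft-delete the body instead
    }
    // author_id repeated in the WHERE clause so the row cannot change hands between check and delete
    $stmt = $db->prepare('DELETE FROM posts WHERE post_id = :id AND author_id = :uid');
    $stmt->execute([':id' => $post_id, ':uid' => $user_id]);
    return 'deleted';
}

if (PHP_SAPI === 'cli') {
    // Self-check against a constructed in-memory database (no web request involved).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (post_id INTEGER PRIMARY KEY, topic_id INTEGER, parent_post_id INTEGER, author_id INTEGER, body TEXT)');
    $db->exec("INSERT INTO posts VALUES (1, 1, NULL, 7, 'first'), (2, 1, 1, 9, 'reply to 1'), (3, 1, NULL, 7, 'standalone')");
    var_dump(render_delete_control(7, 9, 1) === '');          // viewer 9 is not the author
    var_dump(delete_own_post($db, 9, 1) === 'forbidden');     // user 9 did not write post 1
    var_dump(delete_own_post($db, 7, 1) === 'has_replies');   // author, but post 2 answers it
    var_dump(delete_own_post($db, 7, 3) === 'deleted');
    var_dump(delete_own_post($db, 7, 3) === 'not_found');     // already gone
    exit;
}

session_start();
if (empty($_SESSION['user_id'])) {   // assumed session key set at login
    http_response_code(403);
    exit('Please log in first.');
}
$user_id = (int)$_SESSION['user_id'];

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // GET changes nothing: it only renders the confirmation form, so <img src="deletepost.php?post_id=..."> is harmless.
    $post_id = (int)($_GET['post_id'] ?? 0);
    echo '<form method="post" action="deletepost.php">'
       . '<input type="hidden" name="post_id" value="' . $post_id . '">'
       . '<input type="hidden" name="csrf_token" value="' . htmlspecialchars(csrf_token(), ENT_QUOTES) . '">'
       . '<button type="submit">Yes, delete post #' . $post_id . '</button></form>';
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid or missing form token.');
}
$db = new PDO('sqlite:forum.db');   // assumed DSN
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo delete_own_post($db, $user_id, (int)($_POST['post_id'] ?? 0));
```

The token is what settles the GET-versus-POST argument in the thread: a form on another site can POST to deletepost.php just as an image tag can GET it, but neither can read this session's csrf_token, so only the confirmation form served by this site passes csrf_token_is_valid(). The ownership check lives in the SQL as well as in PHP so that the delete never touches a row whose author_id differs from the logged-in user.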