Allowing poster to delete their post or topic?
-
metroid87706
- Forum Newbie
- Posts: 17
- Joined: Sat Jul 14, 2007 12:06 pm
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
It is perfectly fine to use the GET method to specify which post should be deleted. The deletion itself would be performed through a POST method in which the user is given a choice of "Delete" or "Cancel." Upon clicking "Delete," the deletion would take place, but it wouldn't be prone to XSS.

astions wrote:
Those of you who are saying it is not a security risk should read about CSRF (cross site request forgeries). Although unlikely, it can and does allow you to perform actions on other sites on behalf of the currently logged in user through the use of GET requests. Think image tags...
Using GET requests to perform actions is also a violation of the HTTP specifications (Section 9.1.1 of RFC 2616).
<img src="deletepost.php?post_id=1234" />
See http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
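The GET-to-select, POST-to-delete flow described above, with the CSRF protection astions asks for and the "confirmed, logged in, and owns the post" check the thread keeps coming back to, as an added example that is not code from the thread or from any poster. It assumes a PDO connection in $pdo, the logged-in user's id in $_SESSION['user_id'], a posts table with id and user_id columns (the real schema is not shown), and a viewpost.php page to cancel back to.

```php
<?php
// deletepost.php -- added example, not the forum's or any poster's own code.
// Assumed: $pdo is a PDO connection created elsewhere, $_SESSION['user_id']
// holds the logged-in user's id, and table `posts` has columns `id` and
// `user_id`. The thread's real schema is not shown, so these are guesses.
session_start();

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('You must be logged in.');
}
$userId = (int) $_SESSION['user_id'];

// Issue one CSRF token per session; the confirmation form carries it back.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The destructive step: only via POST, only with a valid token,
    // only when the user clicked "Delete", and only for a post they own.
    $token  = $_POST['csrf_token'] ?? '';
    $postId = (int) ($_POST['post_id'] ?? 0);
    if (!hash_equals($_SESSION['csrf_token'], $token) || !isset($_POST['confirm'])) {
        http_response_code(400);
        exit('Bad or missing confirmation.');
    }
    // Ownership is part of the WHERE clause, so a forged post_id deletes nothing.
    $stmt = $pdo->prepare('DELETE FROM posts WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $postId, ':uid' => $userId]);
    exit($stmt->rowCount() === 1 ? 'Post deleted.' : 'Nothing deleted: not your post.');
}

// GET only selects which post to confirm; it changes nothing (RFC 2616 9.1.1).
$postId = (int) ($_GET['post_id'] ?? 0);
$stmt = $pdo->prepare('SELECT id FROM posts WHERE id = :id AND user_id = :uid');
$stmt->execute([':id' => $postId, ':uid' => $userId]);
if (!$stmt->fetch()) {
    http_response_code(404);
    exit('No such post, or it is not yours.');
}
$tok = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
echo "<form method=\"post\" action=\"deletepost.php\">\n"
   . "  <input type=\"hidden\" name=\"post_id\" value=\"$postId\">\n"
   . "  <input type=\"hidden\" name=\"csrf_token\" value=\"$tok\">\n"
   . "  <button name=\"confirm\" value=\"1\">Delete</button>\n"
   . "  <a href=\"viewpost.php?post_id=$postId\">Cancel</a>\n"   // assumed page
   . "</form>\n";
```

An `<img src="deletepost.php?post_id=1234">` on another site now only fetches the confirmation form; the delete needs a POST carrying a token the attacker's page cannot read.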
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
It's not very complicated... Have you even tried yet?

metroid87706 wrote:
So, um, yea. Does anyone have an easy way to tell it to a newbie in PHP to get this to work?
So far as I can see I need:
Code for deletepost.php
The variable to get who posted the reply
I think that's it.
If you can make a code for me, thanks a lot; if not, it's fine.

if(deletion has been confirmed && user is logged in && the post belongs to the user)
{
delete the post;
}
-
metroid87706
- Forum Newbie
- Posts: 17
- Joined: Sat Jul 14, 2007 12:06 pm
Um, yes, I've tried, but I have almost no knowledge of PHP compared to you guys.
I know the
if {
-----------
}
else {
-----------
}
kinda stuff, and how to delete, change, and add stuff to MySQL, but I don't know how to use it in the way I am doing it.
I don't know how to specify the poster's name to get it from the post; I don't know how to do most of the stuff you're suggesting.
*sigh* Never mind, I guess this isn't mandatory, but I wanted this feature. Oh well.
- superdezign
- DevNet Master
- Posts: 4135
- Joined: Sat Jan 20, 2007 11:06 pm
-
metroid87706
- Forum Newbie
- Posts: 17
- Joined: Sat Jul 14, 2007 12:06 pm
Here is the database:
http://img59.imageshack.us/img59/1150/databasepy3.png