
Allowing poster to delete their post or topic?

Posted: Sat Jul 14, 2007 12:10 pm
by metroid87706
Hi. I'm making a forum from this tutorial (http://www.phpeasystep.com/workshopview.php?id=12) and wanted to ask if someone can help.
Is there a way I can make it so if a user posts a topic, or a reply, they have the option next to THEIR posts and topics to delete it?
I hope I am explaining what I need well.

Thanks for your help.

Posted: Sat Jul 14, 2007 12:42 pm
by ankhmor
Yes there is a way (of course there is a way)

But for that you will need to have a log in, or something else to make sure if the user is the user who posted the post.

No but really, it is almost the same as making something like a PM (you know, in forums there's a PM button). It's almost the same as placing a PM button in every post.

Posted: Sat Jul 14, 2007 1:06 pm
by metroid87706
Oh, I forgot to mention. I added myself a login system.

Posted: Sat Jul 14, 2007 1:33 pm
by impulse()
Sounds as simple as deleting the post from the database.


Is there any reason why that wouldn't give the desired results?

Posted: Sat Jul 14, 2007 1:39 pm
by metroid87706
Well yes, but how can I make a script in PHP so that a delete link will only show if it's the currently logged-in user's post? I don't want people deleting others' posts.

Posted: Sat Jul 14, 2007 1:42 pm
by s.dot
Well, it's quite easy ;)

Here is the logic

Code:

if($user_who_made_post == $user_who_is_logged_in)
{
    echo '<a href="deletepost.php?post_id=' . $post_id . '">delete this post</a>';
}

Posted: Sat Jul 14, 2007 1:52 pm
by metroid87706
Hmm, I'll try it. I'll have to hunt down (since I didn't make the forum tutorial) what variable to use for who made the post. I know that the logged-in user is $myusername; so, yeah.
Thanks.

If anyone looks in the tutorial supplied and finds the "user who posted" variable, please let me know.

Thanks!

Posted: Sat Jul 14, 2007 1:55 pm
by metroid87706
ahhh, newbie here, lol.

What do I put into deletepost.php?

Sorry, lol.

Posted: Sat Jul 14, 2007 2:03 pm
by Benjamin
A few points:

1. deletepost.php should verify that the user who is logged in actually made the post before processing the deletion.
2. You'll want to check if anyone has replied to the post and act accordingly.
3. deletepost.php should not perform any actions based on get requests as this is a security risk. Instead it should only accept requests via post data.

Posted: Sat Jul 14, 2007 2:06 pm
by s.dot
astions wrote:
3. deletepost.php should not perform any actions based on get requests as this is a security risk. Instead it should only accept requests via post data.
Not really. As long as you check that the user is logged in, the post exists, and the author of the post == the logged-in user, there won't be a problem.

Posted: Sat Jul 14, 2007 2:07 pm
by s.dot
metroid87706 wrote: ahhh, newbie here, lol.

What do I put into deletepost.php?

Sorry, lol.
This would be the page that actually deletes the post ;) Or, a confirmation of deleting the post (preferred).

Posted: Sat Jul 14, 2007 2:10 pm
by superdezign
astions wrote: 3. deletepost.php should not perform any actions based on get requests as this is a security risk. Instead it should only accept requests via post data.
Not exactly. As long as you use the verification methods you should already be using (and hopefully a confirmation before deletion!), using GET requests would be fine.

Posted: Sat Jul 14, 2007 2:19 pm
by metroid87706
Thanks for the replies. But I am a mere newbie at this, so I know almost 0 coding, unless I see it and learn from it.
I hope someone wouldn't mind coding something for me to help accomplish this?

Thanks.

Sorry if I'm asking for a lot.

Posted: Sat Jul 14, 2007 2:19 pm
by Benjamin
Those of you who are saying it is not a security risk should read about CSRF (cross site request forgeries). Although unlikely, it can and does allow you to perform actions on other sites on behalf of the currently logged in user through the use of get requests. Think image tags...

Code:

<img src="deletepost.php?post_id=1234" />

Using get requests to perform actions is also a violation of the HTTP specifications. (Section 9.1.1 of RFC 2616).

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

Posted: Sat Jul 14, 2007 2:24 pm
by s.dot
That risk would then be transferred to the authentication mechanism used, not necessarily that of the $_GET request.

Suppose I made a hidden form with a tricky button "Click here to go to home page". Could just as easily be spoofed.

Although, the $_GET request in this instance should be used to show a form to confirm the deletion, which would then send post data.
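The following is an added example, not code from the thread or from the phpeasystep tutorial, showing one way to put the thread's three pieces of advice together: s.dot's ownership check for the link, Benjamin's rule that deletepost.php re-verifies the author server-side and only deletes on a POST, and the confirmation-form-with-token pattern that defeats the `<img src=...>` trick. The table name `posts`, its columns, and the session key `username` are assumptions standing in for the tutorial's real schema; the in-memory SQLite database and its two rows are constructed so the script runs on its own from the command line (it needs the pdo_sqlite extension).

```php
<?php
// Added example (not from the thread or the phpeasystep tutorial): a self-contained
// sketch of deletepost.php that follows the thread's advice. The schema and the
// session key are hypothetical; adapt them to the real forum tables.
declare(strict_types=1);

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        // Constructed in-memory database standing in for the tutorial's MySQL tables.
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
        $pdo->exec("INSERT INTO posts (id, author, body) VALUES (1, 'alice', 'first'), (2, 'bob', 'second')");
    }
    return $pdo;
}

// One random token per session; the confirmation form carries it and the
// POST handler requires it, so a cross-site request cannot supply it.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Only render the delete link for the author's own posts (s.dot's check).
// The link leads to a confirmation page, not to the deletion itself.
function deleteLink(string $postAuthor, ?string $currentUser, int $postId): string {
    if ($currentUser === null || $postAuthor !== $currentUser) {
        return '';
    }
    return '<a href="deletepost.php?post_id=' . $postId . '">delete this post</a>';
}

// GET path: show a confirmation form that carries the CSRF token.
function confirmationForm(int $postId): string {
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="deletepost.php">'
         . '<input type="hidden" name="post_id" value="' . $postId . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Yes, delete this post</button></form>';
}

// POST path: the only code that actually deletes. Every check the hidden link
// relied on is repeated here, because the link is not a security boundary.
function deletePost(array $post, ?string $currentUser): string {
    if ($currentUser === null) {
        return 'forbidden: not logged in';
    }
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals(csrfToken(), $token)) {
        return 'forbidden: bad csrf token';
    }
    $postId = filter_var($post['post_id'] ?? null, FILTER_VALIDATE_INT);
    if ($postId === false) {
        return 'bad request';
    }
    $stmt = db()->prepare('SELECT author FROM posts WHERE id = ?');
    $stmt->execute([$postId]);
    $author = $stmt->fetchColumn();
    if ($author === false) {
        return 'not found';
    }
    if ($author !== $currentUser) {
        return 'forbidden: not your post';
    }
    // Author is repeated in the WHERE clause so a race with a reassignment cannot widen the delete.
    $del = db()->prepare('DELETE FROM posts WHERE id = ? AND author = ?');
    $del->execute([$postId, $currentUser]);
    return 'deleted';
}

// In the real page this would be: session_start(); then dispatch on
// $_SERVER['REQUEST_METHOD'] === 'POST' ? deletePost($_POST, $_SESSION['username'] ?? null)
//                                        : confirmationForm((int) $_GET['post_id']).
// Command-line demo with a constructed session for user "alice":
$_SESSION = ['username' => 'alice'];
echo deleteLink('alice', $_SESSION['username'], 1), PHP_EOL;
echo (deleteLink('bob', $_SESSION['username'], 2) === '' ? "no link shown for bob's post" : 'BUG'), PHP_EOL;
echo deletePost(['post_id' => 1], 'alice'), PHP_EOL;                                       // no token: refused
echo deletePost(['post_id' => 2, 'csrf_token' => csrfToken()], 'alice'), PHP_EOL;          // bob's post: refused
echo deletePost(['post_id' => 1, 'csrf_token' => csrfToken()], 'alice'), PHP_EOL;          // own post: deleted
```

The point of the GET/POST split is the one s.dot makes in the last post: the GET only renders the form, so a forged image request gets an HTML page back and nothing is deleted, while the POST cannot be forged without the per-session token. Benjamin's second point (checking for replies before deleting) is left out here because the assumed schema has no reply table; in the real forum it belongs just before the DELETE.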