Some session trouble
Posted: Mon Mar 03, 2008 12:03 pm
Hi there, I'm grateful for discovering this forum, and I hope you guys can help me solve a few problems here.
I've got a script on my website http://www.criticaldepth.net where users can upload their original music, through the site, it automatically renames the filename and adds it to a mysql database which an embedded flash mp3 player will play the songs. I've also created a delete music option where the members can delete certain songs they want to. My problem is, the page they visit to delete the songs lists all of there songs as a link with "Delete" at the end of the link.
This works fine when you login and visit the page, but say i was to visit another person's profile. These profiles are in the format of http://www.criticaldepth.net/index.php? ... ile&uid=25
Somehow this seems to be setting the userid to 25 or whatever you click on. Which means, when someone is logged in on their own user account and want to delete a song, it displays the songs from userid 25. This is not acceptable, as they're accessing other people's music.
The delete music code can be found here:
I also have a profile page which seems to be setting the global userid variable which can be found here:
And then the music page:
I can explain in much more detail and give more examples if need be, please help me out as this site is taking a long time to complete and I'm very close to finishing. Thanks for the help!
Kevin
I've got a script on my website http://www.criticaldepth.net where users can upload their original music, through the site, it automatically renames the filename and adds it to a mysql database which an embedded flash mp3 player will play the songs. I've also created a delete music option where the members can delete certain songs they want to. My problem is, the page they visit to delete the songs lists all of there songs as a link with "Delete" at the end of the link.
This works fine when you login and visit the page, but say i was to visit another person's profile. These profiles are in the format of http://www.criticaldepth.net/index.php? ... ile&uid=25
Somehow this seems to be setting the userid to 25 or whatever you click on. Which means, when someone is logged in on their own user account and want to delete a song, it displays the songs from userid 25. This is not acceptable, as they're accessing other people's music.
The delete music code can be found here:
Code: Select all
<?php include ('../includes/DBConnect.php');
$userid = $_SESSION['userid'];
echo ("<strong>");
echo $_SESSION['artist_name'];
echo (" Delete tracks: <br /><br /></strong>");
if(!isset($cmd))
{
$result = mysql_query("select * from tracks where userid='$userid' order by title");
while($r=mysql_fetch_array($result))
{
$title=$r["title"];
$trackid=$r["trackid"];
echo "<a href='editmusic.php?cmd=delete&trackid=$trackid'>$title - Delete</a>";
echo "<br>";
}
}
?>
<?
if($_GET["cmd"]=="delete")
{
$creator = mysql_result(mysql_query("Select creator from tracks where trackid = $trackid;"),'creator');
$title = mysql_result(mysql_query("Select title from tracks where trackid = $trackid;"),'title');
$filepath = "audio/uploads";
$buffer = $filepath."/".$creator."-".$title.".mp3";
$buffer = str_replace(" ", "", $buffer );
chmod($buffer,0777);
if(is_writable($buffer)){ unlink($buffer); } else { echo 'cannot delete file'; }
$sql = "DELETE FROM tracks WHERE trackid=$trackid";
$result = mysql_query($sql);
echo "Song Deleted!";
} ?>
I also have a profile page which seems to be setting the global userid variable which can be found here:
Code: Select all
$userid = $_GET['uid'];
include ('../includes/DBConnect.php');
$userprofile = mysql_fetch_array(mysql_query("Select * from users where userid='$userid'"));
if (!$userid) { header( 'Location: http://www.criticaldepth.net/music.php' ) ;}Code: Select all
<?
include ('../includes/DBConnect.php');
$usernames = mysql_query("Select userid,username,artist_name from users where user_level > 1 Order by username");
if ($username = mysql_fetch_array($usernames))
{
do
{
$usernameURL=str_replace(' ','_',str_replace("'",'',str_replace('&','and',$username['username'])));
echo '<a href="http://www.criticaldepth.net/index.php?page=profile&uid='.$username['userid'].'">'.$username['artist_name'].'</a><br />';
} while ($username = mysql_fetch_array($usernames));
}
?>Kevin