Ok, this sounds easy, but due to the nature of the issue (deleting accounts) I want to make sure I get this one right.
I have a script that allows admins to delete user accounts.
What I'm trying to do is write a script that will enable the user to click a link to delete his account. The script will first validate that the user is logged in with check_user_login(); it's a function that I use. Ok, once the script says yes, the user is logged in, I then want it to verify that the account that is issuing the _POST request is the same account that IS logged in. So not just anyone logged in could delete anyone else's account, get it?
Ok, once that's done, I need the user's info deleted from about 20 tables.
The admin script has the values already in the script that I need deleted.
I'm going to paste the admin script here. What it does is issue a pop-up box saying "Are you sure you want to delete this account", but I can't get it to work right for the members. I've tried to modify the data in almost every way I can think of. Please help.
<?php
include("config.php");
include("$include_path/common.php");

// Copy the legacy PHP 4 superglobal names onto the modern ones when they are populated
if (!empty($HTTP_POST_VARS))    $_POST    = $HTTP_POST_VARS;
if (!empty($HTTP_GET_VARS))     $_GET     = $HTTP_GET_VARS;
if (!empty($HTTP_SESSION_VARS)) $_SESSION = $HTTP_SESSION_VARS;

include("$include_path/$table_file");

if (isset($_POST['delete_user']) && isset($_POST['userid']) && isset($_POST['sure'])) {
    // User ids are integers: casting keeps anything else out of the SQL below
    $userid = (int) $_POST['userid'];

    // Every table/column pair that references the user and has to be cleaned up
    $cleanup = array(
        array($tb_users,         'id'),
        array($tb_comments,      'user_id'),
        array($tb_comments,      'author_id'),
        array($tb_users_blocked, 'user_id'),
        array($tb_users_blocked, 'blocked_user'),
        array($tb_ratings,       'rater_id'),
        array($tb_favourites,    'fav_user_id'),
        array($tb_favourites,    'user_id'),
        array($tb_posts,         'userid'),
        array($tb_pms,           'user_id'),
        array($tb_pms,           'author_id'),
    );
    foreach ($cleanup as $pair) {
        list($table_name, $column) = $pair;
        $sql = "delete from $table_name where $column = '$userid'";
        mysql_query($sql) or die(mysql_error());
    }

    // Remove the user's uploaded image as well
    del_image($userid);
    $delete_success = true;
}

$final_output = <<<EOF
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Delete User</title>
EOF;

// After a successful delete, refresh the opener window so the user list updates
if (isset($delete_success) && $delete_success) {
    $final_output .= <<<EOF
<script>window.opener.window.document.location.reload();</script>
EOF;
}
// Close the pop-up after a delete or when "No" was pressed
if ((isset($delete_success) && $delete_success) || isset($_POST['not_sure'])) {
    $final_output .= <<<EOF
<script>window.close();</script>
EOF;
}

include("$include_path/styles.php");
$final_output .= <<<EOF
</head>
<body bgcolor="$page_bg_color" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0">
EOF;

$table = <<<EOF
<table cellpadding="0" cellspacing="0" border="0" width="100%">
<tr>
<td>
<table cellpadding="5" cellspacing="0" border="0" width="100%">
EOF;
if (isset($dm)) $table .= $dm;

// The id to confirm comes from the POST body or, on first load, from the link's query string
$userid = isset($_POST['userid']) ? $_POST['userid'] : 0;
$userid = isset($_GET['userid']) ? $_GET['userid'] : $userid;
$userid = (int) $userid;

$table .= <<<EOF
<tr>
<td class="regular" align="center" colspan="2">Are you sure?</td>
</tr>
<tr>
<form method="post" action="$base_url/admin/delete_user.php"><input type="hidden" name="delete_user" value="1"><input type="hidden" name="userid" value="$userid">
<td class="regular" align="right"><input class="button" type="submit" name="sure" value="Yes"></td>
</form>
<form method="post" action="$base_url/admin/delete_user.php">
<td class="regular"><input class="button" type="submit" name="not_sure" value="No"></td>
</form>
</tr>
</table>
</td>
</tr>
</table>
EOF;

$final_output .= table("Delete User", $table);
$final_output .= <<<EOF
</body>
</html>
EOF;
echo $final_output;
?>
What am I doing wrong? What needs to be changed? That's just an example of the admin script, but what do I need to change for the users to be able to use that to delete their own accounts?
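For reference, this is what the member-facing version of the script could look like. It is an added example written for this page, not the poster's code or part of the original thread. It assumes that check_user_login() returns true when the session is valid, that the logged-in user's id is stored in $_SESSION['userid'], and that config.php, common.php and $table_file define $include_path, $base_url, the $tb_* table names and del_image() exactly as the admin script uses them. The file name delete_account.php, the redirect target index.php and the one-time confirmation token kept in the session are also assumptions; the token is there so that a form or link planted on another site cannot submit the "Yes" click on the member's behalf.

```php
<?php
// Added example: member self-deletion script (not the original poster's code).
// Assumptions: check_user_login() validates the session, $_SESSION['userid']
// holds the logged-in user's id, and config.php / common.php / $table_file
// define $include_path, $base_url, the $tb_* table names and del_image()
// just as in the admin script.
session_start();
include("config.php");
include("$include_path/common.php");
include("$include_path/$table_file");

// 1. Only a logged-in user may reach this page at all.
if (!check_user_login()) {
    die("You must be logged in to delete your account.");
}

// 2. The account to delete is always the one that is logged in. The id comes
//    from the session, never from the form, so a member cannot put somebody
//    else's id in the POST body.
$userid = (int) $_SESSION['userid'];

// 3. A one-time token ties the "Yes" click to this user's own session, so a
//    forged form on another site cannot trigger the deletion.
if (empty($_SESSION['delete_token'])) {
    $_SESSION['delete_token'] = md5(uniqid(mt_rand(), true));
}

$confirmed = isset($_POST['delete_user'], $_POST['sure'], $_POST['token'])
          && $_POST['token'] === $_SESSION['delete_token'];

if ($confirmed) {
    // Same table/column pairs that the admin script cleans up.
    $cleanup = array(
        array($tb_users,         'id'),
        array($tb_comments,      'user_id'),
        array($tb_comments,      'author_id'),
        array($tb_users_blocked, 'user_id'),
        array($tb_users_blocked, 'blocked_user'),
        array($tb_ratings,       'rater_id'),
        array($tb_favourites,    'fav_user_id'),
        array($tb_favourites,    'user_id'),
        array($tb_posts,         'userid'),
        array($tb_pms,           'user_id'),
        array($tb_pms,           'author_id'),
    );
    foreach ($cleanup as $pair) {
        list($table_name, $column) = $pair;
        mysql_query("delete from $table_name where $column = '$userid'") or die(mysql_error());
    }
    del_image($userid);

    // The account no longer exists: drop the session so the browser is not
    // left "logged in" as a deleted user.
    $_SESSION = array();
    session_destroy();
    echo "Your account has been deleted.";
    exit;
}

// "No" was pressed: send the member back without touching anything.
if (isset($_POST['not_sure'])) {
    header("Location: $base_url/index.php");   // assumed landing page
    exit;
}

// First visit (or a request without a valid token): show the confirmation form.
// There is no userid field; the server already knows who is asking.
$token = htmlspecialchars($_SESSION['delete_token']);
echo <<<EOF
<form method="post" action="$base_url/delete_account.php">
  <p>Are you sure you want to delete your account?</p>
  <input type="hidden" name="delete_user" value="1">
  <input type="hidden" name="token" value="$token">
  <input type="submit" name="sure" value="Yes">
  <input type="submit" name="not_sure" value="No">
</form>
EOF;
?>
```

The difference from the admin script is that the member version never reads the user id from the request: the login check establishes who is asking, the session supplies the id, and the token proves the confirmation came from that same session. In a real code base the list of table/column pairs would live once in common.php and be shared by both scripts rather than copied into each.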