how can a logged-in user delete ONLY his own specific records

Adr64

Hello, All:

I keep having this issue.. I want to make it possible so that a logged member is able to delete ONLY his own records... I have the following related tables:

ACCOUNTS table:
id email pw date
1 user1@site.com 123 10-01-08
2 user2@site.com 456 10-01-08

NOTEPAD table:
noteid custid subject note notedate completed
4 1 Links user-1-note 10-05-08 no
5 2 Contacts user-2-note 10-04-08 no

As you can see the common-relationship in the tables are the id and the custid fields which refer to the username (his email) when logged in. So when I want to echo each user's respective "records" I use the following sql, which seems to work fine, by selecting ONLY a logged-in user's respective "note" records:

SELECT
FROM NOTEPAD, ACCOUNTS
WHERE NOTEPAD.custid = ACCOUNTS.id AND email = colname
ORDER BY NOTEPAD.notedate DESC

*colname refers to logged-in user's "session" username.

But again, I cant figure out how to structure an if/else and sql statement so that a logged user is able to DELETE ONLY his own records. I was able to make it so a logged-in user can delete his own records (by calling his record thru the URL), but then, when I forced a record-id into the url coinciding with another user's record, it DELETED IT!!!

Appreciate any help...

coldwerturkey

when the user logs in, make a session of his/hers unique id,

before you delete, make a query of the about-to-be-deleted record to see if the users id matches that of the author of the record to be delete, if they match proceed the deletion..

Adr64

hey, Coldturkey...

thanks for the feedack... yeah, that's what I was thinking.. but still cant seem to get it right..
The user logs in and Dreamweaver sets a "MM_Username" session for the member's Username,, right.. so, I got this so far:

<?php
if ($SESSION['MM_Username'] == $row_records_RS['email']) {
mysql_query ("DELETE FROM NOTEPAD WHERE noteid = '".$GET['delete']."'");
}

But, it still deletes other member's records when I forced a different record-id in teh url...
Isnt that what I am doing here, matching to see if "MM_Username" matches my member's username in the db, which corresponds to their email. Do I need to somehow link the noteid o the custid fields??? (Those are the 2 common fields in the 2 tables)

Thanks for yor help..!

Adr64

Hey, ColdTurkey... OK, I actually did the reverse...

<?php
if ($SESSION['MM_Username'] != $row_records_RS['email']) { echo "record not deleted";
}
else {
mysql_query ("DELETE FROM NOTEPAD WHERE noteid = '".$GET['delete']."'");
}

So, in other words, if session-username doesnt match user's db "email" field dont delete, ELSE proceed with Delete command... and looks like it worked! I realized that in my earlier try I was filtering to see if they matched, which they did, and then it obviosuly would always return "True" and therefore always perform any deletions...logged or unlogged...

But let me ask you, is this the correct way to do it at all, or is it really amateurish? are there any safety, security issues with it?

coldwerturkey

it's not what I would do, but if it works the way you want it to then it can be considered correct.

safety/security, you should be verifying and escaping your variables that are being used in your querys with mysql_real_escape_string() to prevent mysql injections

Adr64

well.. I much appreciate your feedback.. it got me in the right track really quick...
Yeah, I figured now I need to do a bit of sanitation to the url variable (I usually use htmlentities though most often..)

Thanks a lot!!