PHP, MYSQL checking if a user is owner of a page

Question

I am trying to check if a user is the owner of a profile page so that i can display a text box for entering twitter similar posts.

The code

$id=mysql_query("SELECT id FROM users WHERE`username`='".$_GET['username']."'");

$ultimatum_form ='';
if(isset($_SESSION['id'])){
    if($_SESSION['id']==$id){
        $ultimatum_form = 'Write an ultimatum!(220 char max)<br/>
        <form action="profile.php" method="post" enctype="multipart/form-data" name="ultimatum_form">
        <textarea name="ultimatum_field" rows="3" style="width:97%;"></textarea>
        </form>';
    }
}
print "$ultimatum_form";

in my DB i have a table called "users", the table users has the columns "firs", "last", "username", "password", "email" and "id".

If i set $ultimatum_form outside of the session check it outputs the text-field and it works. The problem is that if i then go to another persons profile i can see the text-field and write posts for them.

William N · Accepted Answer · 2013-02-11T00:13:42.673

1

You need to get data from the query:

$id=mysql_query("SELECT id FROM users WHERE`username`='".$_GET['username']."'");
$r = mysql_fetch_assoc($id);
$id = $r['id'];

then $id contains the row "id" value.
look into pdo/mysqli, mysql won't wrok in next php version.

here, better:

  $id=mysql_query("SELECT id FROM users WHERE`username`='".$_GET['username']."'");
    $r = mysql_fetch_assoc($id);
    $id = $r['id'];


    if(isset($_SESSION['id']))
    {
        if($_SESSION['id']==$id)
        {
            echo '
             Write an ultimatum!(220 char max)<br/>
            <form action="profile.php" method="post" enctype="multipart/form-data" name="ultimatum_form">
            <textarea name="ultimatum_field" rows="3" style="width:97%;"></textarea>
            </form>';
        }
        else
        {
            // Not users profile page
        }
    }

edited Feb 11 '13 at 00:13

answered Feb 10 '13 at 23:54

William N

432
4
12

Thanks! i am kind of new to both php and mysql. – user1732713 Feb 10 '13 at 23:57
Also, what is mysqli and why wont mysql work in the next php version? – user1732713 Feb 10 '13 at 23:58
Then maybe you could click the checkmark and this will be marked as the correct answer? :) – William N Feb 10 '13 at 23:59
mysql is outdated, mysqli is safer, better to use and allow object oriented coding. – William N Feb 11 '13 at 00:00
I will as soon as i can, still telling me i have to wait 3 minutes. – user1732713 Feb 11 '13 at 00:01
see the red box here to learn more: http://php.net/manual/en/function.mysql-connect.php – William N Feb 11 '13 at 00:01
Thanks a lot! I will look into this asap! It does not look like it is much different :) I am currently using php myadmin with xampp. Is it possible to upgrade MySQL to MySQLi? – user1732713 Feb 11 '13 at 00:06
you dont have to modify your database, mysqli is only an update of mysql, it works with your database. Read this: http://php.net/manual/en/book.mysqli.php – William N Feb 11 '13 at 00:11

score 0 · Answer 2 · answered Feb 10 '13 at 23:55

0

You can't exactly do what you're doing. You need to fetch the records.

$results = mysql_fetch_array(mysql_query("SELECT id FROM users WHERE`username`='".$_GET['username']."'"));

Then you can do:

if($_SESSION['id']==$results['id']){

answered Feb 10 '13 at 23:55

SeanWM

16,789
7
51
83

PHP, MYSQL checking if a user is owner of a page

2 Answers2