How to let users delete their own comments?

Question

I am having a problem with my deleting comment form. I want to create somehow users to delete their own comments, but so far I only manage to create deleting for all comments. It doesn't matter if it's their own or not.

Here is my form:

<form action="<?php echo $editFormAction; ?>" method="POST" name="CommentForm">
<table>
<tr><td colspan="2"></td></tr><tr><td><input type="hidden" name="name" value="<?php     
    echo $_SESSION['MM_Username']; ?>" /></td></tr>  

 <tr><td colspan="2">Заглавие:</td></tr><tr><td><input type="text" name="title"  
 style="width:300px; height:20px;" /></td></tr>
 <tr><td colspan="2">Коментар</td></tr>
 <tr><td colspan="2"><textarea name="comment" style="width:450px; height:150px;"> 
   </textarea></td></tr>
  <tr><td colspan="2"><input type="submit" name="submit" value="Коментирай"                     
    style="padding:5px; color:#069"/></td></tr>

</table>
   <input type="hidden" name="MM_insert" value="CommentForm" />


   </form><br /><br  />
<?php

  $getquery=mysql_query("SELECT * FROM comments ORDER BY id DESC");

  while($rows=mysql_fetch_assoc($getquery))
   {
 $id=$rows['id'];
 $title=$rows['title'];
 $comment=$rows['comments'];
 $MM_Username=$rows['name'];
 $dellink="<a href=\"delete.php?id=" . $id . "\">ИЗТРИЙ</a>";

 echo '<b><p   style="background-color:#6CC; border-radius:10px; te"
     ;border:1px solid;"> &nbsp Потребител:</b> ' . $MM_Username . ' <br /><b>&nbsp   
     Тема:</b> ' . $title . '</b><br /><b>&nbsp Коментар:</b><br />&nbsp ' . $comment .
      '<br />' . $dellink .'</p><br />' ;

    }

  ?>

and this is my delete.php :

 <?php
  include 'Connections/localhost.php';
  mysql_query("DELETE FROM comments WHERE id = $_GET[id]")or die(msql_error()) ;
  header('location: komentari.php');
 ?>

Answer 1

I would assume that a user is logged in and you have some information about that user stored in a session. If it is not there already, you should add the users ID so that you can do in your delete.php:

<?php
session_start();

// Here you should kick out any visitors that are not logged in


// proceed with the delete
include 'Connections/localhost.php';

$id = (int) $_GET[id];
$uid = (int) $_SESSION['user_id'];    // or something similar

mysql_query("DELETE FROM comments WHERE id = $id AND owner_id = $uid")or die(msql_error()) ;
                                                     ^^^^^^^^ or something similar
// etc.

And you should really switch to PDO or mysqli and prepared statements as you have an sql injection problem now and the mysql_* functions are deprecated.

Answer 2

The simplest solution would be to add AND owner = ? to the end of the DELETE query. Populate the value from wherever you store the ID of the current user (probably the session). You will need to store the id of the user who made the comment in an owner column on the table.

You'll probably want to add some code to test if the delete was successful, and possibly to make some more queries to find out why if it isn't so you can give good error reporting.

You can avoid generating the delete link inappropriately by comparing the owner value you get out of the database with the one for the current user.

Answer 3

You're going to have to fix two problems here. First, your 'delete.php' should only process where the owner of the comment is equivalent to the logged in user. For this you're going to need to add

" AND [owner] = $_SESSION['CurrentUser']"

Note that this depents on your datastructure.

The second point you're going to need to put in some logic is around the definition of

$dellink="<a href=\"delete.php?id=" . $id . "\">ИЗТРИЙ</a>";

At this point, you're going to want to add:

IF ([owner] == $_SESSION['CurrentUser'])
   $dellink="<a href=\"delete.php?id=" . $id . "\">ИЗТРИЙ</a>";
ELSE
   $dellink=""

Or the PHP equivalent. Sorry, I haven't programmed in PHP in a while. But both the other current answers don't seem to fix both issues.