
I have this code that allows a user to only delete his own topics. It's working, but in the case that the user is not the one who posted the topic, he is still getting the message "Topic has been deleted", whereas he should get "You didn't make this topic". The else statement isn't running.

if(isset($_SESSION['username']))
{
    $uid = $_SESSION['uid']; 
    $id=$_GET['id'];

    $check = mysql_query("SELECT * FROM topics WHERE id = '$id' AND topicCreator = '$uid'");
    if($check){
        $query1=mysql_query("delete FROM topics WHERE id='$id' AND topicCreator='$uid'");
        echo "<p>Topic has been successfully deleted. <a href='index.php'>Click here to return to home page.</a>";
    }
    else{
        echo "<p><b>ERROR: You didnt make this topic.";
    }
}

I don't know why the else statement won't run.

$check is to see if the user who is logged in is the one who created the topic.

(PS: I'll switch to mysqli once this works.)

    If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 19 '15 at 16:18
  • [Your script is at risk for SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jun 19 '15 at 16:19
    `$check` is an object. It will always be truthy even if the query returns nothing. – Jonathan M Jun 19 '15 at 16:21
  • The variable `$check` will be a result resource, hence it will evaluate to `true`. – Crackertastic Jun 19 '15 at 16:21
  • Then what should I do to make it false? – Johnny Jun 19 '15 at 16:23
  • Need to use a `mysql_fetch_*` type of function to have it provide you the results from the resource. – Twisty Jun 19 '15 at 16:24
  • Ok thanks it worked. I did if(mysql_fetch_assoc($check)) – Johnny Jun 19 '15 at 16:28
  • Great I added an answer that might be more helpful for you too. – Twisty Jun 19 '15 at 16:28

1 Answer


As the comments suggest, you can't check against the resource itself. Try:

if(isset($_SESSION['username'])) {
    $uid = $_SESSION['uid']; 
    $id=$_GET['id'];
    $check = mysql_query("SELECT * FROM topics WHERE id = '$id' AND topicCreator = '$uid'");
    // mysql_query() returns a result resource (always truthy) on success,
    // or FALSE on a query error; count the rows instead of testing the handle
    $count = ($check !== false) ? mysql_num_rows($check) : 0;
    if($count) {
        // $count is greater than 0, hence TRUE - a matching row exists
        $query1=mysql_query("delete FROM topics WHERE id='$id' AND topicCreator='$uid'");
        echo "<p>Topic has been successfully deleted. <a href='index.php'>Click here to return to home page.</a>";
    } else{
        // $count is 0 - no rows returned, so this user did not create the topic
        echo "<p><b>ERROR: You didnt make this topic.";
    }
}
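The comments above recommend moving away from the `mysql_*` functions (removed entirely in PHP 7) to prepared statements. The following is an added example, not code from the question or from Twisty's answer, showing the same "delete only your own topic" check written with PDO. The table and column names (`topics`, `id`, `topicCreator`) and the session keys come from the question; the DSN and credentials are placeholders you would replace. It also collapses the SELECT-then-DELETE pair into a single DELETE whose row count decides the outcome, so the decision rests on a number rather than on a truthy handle, and there is no window between the ownership check and the delete.

```php
<?php
// Added example (not from the question or the answer): ownership-checked
// topic deletion with PDO prepared statements. DSN/credentials are placeholders.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', // placeholder DSN
        'YOUR_USER',                                            // placeholder
        'YOUR_PASSWORD',                                        // placeholder
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // query failures throw instead of returning false
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/**
 * Delete topic $topicId only if it belongs to $uid.
 * Returns 'deleted' or 'not_owner'. Both conditions live in one DELETE, so
 * the ownership check and the delete cannot disagree, and the values are
 * bound as parameters rather than interpolated into the SQL string.
 */
function deleteOwnTopic(PDO $pdo, int $topicId, int $uid): string
{
    $stmt = $pdo->prepare('DELETE FROM topics WHERE id = :id AND topicCreator = :uid');
    $stmt->bindValue(':id',  $topicId, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $uid,     PDO::PARAM_INT);
    $stmt->execute();

    // rowCount() is the number of rows actually removed: 1 when the caller
    // owns the topic, 0 when it does not exist or belongs to someone else.
    return $stmt->rowCount() === 1 ? 'deleted' : 'not_owner';
}

// Request handling equivalent to the question's script.
session_start();

if (!isset($_SESSION['username'], $_SESSION['uid'])) {
    http_response_code(403);
    echo '<p>Please log in.</p>';
    exit;
}

// Validate the id before it goes anywhere near SQL: FILTER_VALIDATE_INT yields
// false for "abc", "1 OR 1=1" or an empty string, and null when id is absent.
$topicId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($topicId === false || $topicId === null) {
    http_response_code(400);
    echo '<p><b>ERROR: invalid topic id.</b></p>';
    exit;
}

$result = deleteOwnTopic(connect(), $topicId, (int) $_SESSION['uid']);

if ($result === 'deleted') {
    echo "<p>Topic has been successfully deleted. <a href='index.php'>Click here to return to home page.</a></p>";
} else {
    http_response_code(403);
    echo "<p><b>ERROR: You didn't make this topic.</b></p>";
}
```

`mysql_num_rows()` is the right immediate fix for the question's code, but note the difference in what is being tested: the answer counts rows from a preliminary SELECT, while this version counts rows the DELETE itself removed, which is the only number that says for certain whether anything was deleted. The integer validation and bound parameters address the SQL injection risk pointed out in the comments; a non-numeric `id` is rejected with a 400 before any query runs.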