
I have created a private message system for my social media network for my users, which is similar to Facebook.

Pretty much, I want it to work like Facebook... Click on the user and view the conversation, and be able to delete just that conversation with just that user.

I tried several ways, and my first php script deletes ALL private conversations, between ALL users they've had a conversation with instead of individual conversations...

Here's my php that deletes ALL conversations:

    <?php
    error_reporting(0);
    include "assets/includes/config.php";
    $conn=mysql_connect($sql_host,$sql_user,$sql_pass);
    mysql_select_db($sql_name,$conn);
    $query1=mysql_query("DELETE FROM messages where  timeline_id='".$_REQUEST['timelineID']."'");
    $query1=mysql_query("DELETE FROM messages where  recipient_id='".$_REQUEST['timelineID']."'");
    header("location:index.php?tab1=messages");
    ?>

But, like I said, I need a way for a user to delete individual conversations, so I tried doing it this way, but it doesn't work:

Here's my php:

    <?php
    error_reporting(0);
    include "assets/includes/config.php";
    $conn=mysql_connect($sql_host,$sql_user,$sql_pass);
    mysql_select_db($sql_name,$conn);
    $query1=mysql_query("DELETE FROM messages where timeline_id='".$_REQUEST['timelineID']." AND recipient_id=" .  $_REQUEST['recipientID']);
    header("location:index.php?tab1=messages");
    ?>

Any ideas, or am I doing something wrong? Thanks!

asked by KraZeD, edited by Brian Tompsett - 汤莱恩
  • Can you be more explicit about "doesn't work"? – Jeff Sep 29 '15 at 22:18
  • With your code as it stands, a knowledgeable user could craft a request that deletes all messages. In fact, they may be able to trash your whole DB. See [this question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for some good advice. You should prioritise fixing your injection vulnerability over adding new features. – vascowhite Sep 29 '15 at 22:25
  • @Jeff, when I say it "doesn't work", I mean it doesn't delete any of the messages. Thanks – KraZeD Sep 29 '15 at 22:29
  • Firstly, you're not helping yourself by turning off error reporting. Check for errors against your query while you're setting it back on and to display. – Funk Forty Niner Sep 29 '15 at 22:37

1 Answer

You got a MySQL syntax error because you are half-wrapping the arguments inside with only one single quotation mark.

Replace this line

    $query1=mysql_query("DELETE FROM messages where timeline_id='".$_REQUEST['timelineID']." AND recipient_id=" .  $_REQUEST['recipientID']);

with this

    $query1=mysql_query("DELETE FROM messages where timeline_id='".$_REQUEST['timelineID']."' AND recipient_id='" .  $_REQUEST['recipientID']."'");
answered by Ivan De Paz Centeno
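A rewritten delete script, added here as an example and not code from the question or the answer: it uses PDO prepared statements so the ids never become part of the SQL text (the concern raised in the comments), takes the acting user's id from the session instead of from the request, and deletes the conversation in both directions. It assumes the `messages` table and the `$sql_*` variables from the question, that the login id lives in `$_SESSION['user_id']`, and that the delete form POSTs `recipientID` (the original used `$_REQUEST`).

```php
<?php
// Added example, not the question's or the answer's code.
// Assumes: the messages table (timeline_id, recipient_id) and the $sql_* variables
// from the question; the logged-in user's id in $_SESSION['user_id'] (assumption);
// and a form that POSTs recipientID (assumption; the original used $_REQUEST).
session_start();
include "assets/includes/config.php";

// Removes every message exchanged between $me and $other, in both directions.
// Returns the number of rows deleted.
function deleteConversation(PDO $db, int $me, int $other): int
{
    // The ids are bound as parameters, so whatever the client sent cannot alter the
    // WHERE clause; the concatenated query in the question let a crafted id do that.
    // Distinct placeholder names are used because native MySQL prepares reject reuse.
    $sql = "DELETE FROM messages
             WHERE (timeline_id = :me1 AND recipient_id = :other1)
                OR (timeline_id = :other2 AND recipient_id = :me2)";
    $stmt = $db->prepare($sql);
    $stmt->execute([':me1' => $me, ':other1' => $other, ':other2' => $other, ':me2' => $me]);
    return $stmt->rowCount();
}

if (!isset($_SESSION['user_id'])) {
    http_response_code(403);          // not logged in: nothing to delete
    exit;
}
// The acting user comes from the session, never from timelineID in the request,
// so a user can only delete conversations they are a party to.
$me    = (int) $_SESSION['user_id'];
$other = filter_input(INPUT_POST, 'recipientID', FILTER_VALIDATE_INT);
if ($other === null || $other === false) {
    http_response_code(400);          // missing or non-numeric recipient id
    exit;
}

$db = new PDO(
    "mysql:host=$sql_host;dbname=$sql_name;charset=utf8mb4",
    $sql_user,
    $sql_pass,
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface SQL errors instead of hiding them
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]
);
deleteConversation($db, $me, $other);
header("Location: index.php?tab1=messages");
```

This removes the rows for both participants; if each user should only hide the conversation on their own side, a per-user deleted flag is needed instead of a DELETE.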