0

I recently built an account system where it displays posts posted by that account,

it works when a post is created it the adds the post id to the account-posts in another table and what I aim to do is when the user requests delete that post

So what I have done is if account-posts does not contain a comma (which is splits between multiple posts, when its empty and a post is created it simply adds the id but if not empty it will add a comma and space then the id so it looks like 345, 678) it deletes it but if it does it scans for the requested delete post id then replaces ", 678" for example however when i remove the second post all of my tests remove the whole var to empty

//$_GET['id'] is the post id and $_SESSION['id'] is the account id

$query = "SELECT * FROM `accounts` WHERE id = '".mysqli_real_escape_string($link, $_SESSION['id'])."'";

$result = mysqli_query($link, $query);

$row = mysqli_fetch_array($result);

//above is getting the `account-posts`

if (strpos($row['posts'], ',') !== false) {

    //the `account-posts` has only one post eg(345 not 345, 678)

    if (strpos($row['posts'], $_GET['id'].', ') !== false) {

        //if the requested delete is in the middle of `account-posts`
        $newposts = preg_replace($_GET['id'].", ", "", $row['posts']);
    }
    if (strpos($row['posts'], ', '.$_GET['id']) !== false) {

        //if the requested delete is at the end of `account-posts`
        $newposts = preg_replace(", ".$_GET['id'], "", $row['posts']);
    }

    //below it updates the `account-posts` to the new removed id

    $query = "UPDATE `accounts` SET `posts` = '".mysqli_real_escape_string($link, $newposts)."' WHERE `id` = ".mysqli_real_escape_string($link, $_SESSION['id'])." LIMIT 1";

    mysqli_query($link, $query);  

    //below it deletes the post

    $query = "DELETE FROM `listing` WHERE `ID` = '".mysqli_real_escape_string($link, $_GET['id'])."' LIMIT 1";

    if ($link->query($query) === TRUE ) {

        header("Location: account.php");
    }
} else {

    $newposts = null;

    $query = "UPDATE `accounts` SET `posts` = '".mysqli_real_escape_string($link, $newposts)."' WHERE `id` = ".mysqli_real_escape_string($link, $_SESSION['id'])." LIMIT 1";

    mysqli_query($link, $query);


    $query = "DELETE FROM `listing` WHERE `ID` = '".mysqli_real_escape_string($link, $_GET['id'])."' LIMIT 1";

    if ($link->query($query) === TRUE ) {

        header("Location: index.php");
    }
}

Any help is graciously appreciated!!!

Alex
  • 73
  • 5
  • 4
    Don't use comma-separated lists in table columns. Normalize your data. – Barmar Feb 10 '20 at 21:35
  • 3
    See https://stackoverflow.com/questions/3653462/is-storing-a-delimited-list-in-a-database-column-really-that-bad – Barmar Feb 10 '20 at 21:35
  • 1
    And when you are at it, you should read thes https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php and use **prepared statements** – nbk Feb 10 '20 at 22:17
  • All of the above is good advice. You probably won't get a direct answer to your question because the real answer is "don't do it like that to start with". 1) Don't store multiple values in a single field. 2) use prepared statements and parameters to keep your data secure. – ADyson Feb 10 '20 at 23:54

0 Answers0