Home/ Questions/Q 8490107
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-10T22:01:07+00:00

Currently i have a working PHP edit script, which allows users to edit ads

  • 0

Currently i have a working PHP edit script, which allows users to edit ads they have posted, but I have realized that users can modify the ?id= number to bring up another set of data then edit someone else data and save it in the database.

Is there any way I can make it so that when the user clicks on their advert they have posted to edit, it is only their own ads that they access to, that they wont be able to edit other peoples ads by adjusting the id?= and a way of protecting the form from manipulation?

Here is my current code:

<?php
/* 
EDIT.PHP
Allows user to edit specific entry in database
*/

// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is      easily reusable
function renderForm($id, $fname, $lname, $contact, $price, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Record</title>
 <link rel="stylesheet" type="text/css" href="stylesheet.css">

 <style type="text/css">

#page-wrap                  {
position:absolute;
top: 206px;
left: 288px;
width: 50%;
text-align:left;
background-color:#FFF;
padding: 10px;
border-radius: 10px;
box-shadow: 1px 2px 2px #888888;
     }
     
    </style>
    <script type = "text/javascript">

    function myfunction(url)
    {
    window.location.href = url;
    }
   </script>


</head>
<body>

  <div class="container">

  <div id="imagelogo" onclick = "window.location.href = 'index.html'" > 

  <p> Buy and sell stuff around University</p>
   </div>

   <ul id="navigation" name="navigation">
  <li id="nav-home"><a href="index.html">Home</a></li>
  <li id="nav-search"><a href="search.php">Search</a></li>
  <li id="nav-selling"><a href="#">Selling</a></li>
  <li id="nav-buying"><a href="#">Buying</a></li>
   <li id="nav-FAQ"><a href="#">FAQ</a></li>
  <li id="nav-contact"><a href="#">Contact</a></li>

  <p>&nbsp;</p>
  <p>&nbsp;</p>
  <p>&nbsp;</p>
  <p>Sponsors</p>
  </ul>
  <div id="account">

  <?php
  if( isset( $_SESSION['username'] ) ){

  echo "<a href='securedpage1.php'>My Account</a><img src='images/uni-icon.png' width='30'        height='18' style='vertical-align: middle;'/>";

  }else{

 echo "<a href='login.php' >Login</a><img src='images/uni-icon.png' width='30' height='18'    style='vertical-align: middle;'/>";
}
?>

</div>

<div id="registerlogout">
<?php
if( isset( $_SESSION['username'] ) ){
echo "<a href='logout.php'>Logout</a>";

}else{

echo "<a href='register.php'> Register</a>";
}
?>
</div>

<div id="social">
<img src="images/fb-logo.png" width="22" height="20" />     

 <img src="images/twitter-logo.png" width="24" height="25" />
  </div>

 <div id="page-wrap">
 <?php 
 // if there are any errors, display them
 if ($error != '')
 {
 echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
 }
 ?> 

 <form action="" method="post">
 <input type="hidden" name="id" value="<?php echo $id; ?>"/>
 <div>
 <strong>Ad Title: *</strong> <input type="text" name="fname" style="width: 60%; box-    sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;"value="<?php      echo $fname; ?>"/><br/>
  <strong>Description: *</strong> <textarea name="lname" cols="45" rows="5"><?php echo     $lname; ?></textarea><br/>
 <strong>Contact*</strong> <input type="text" name="contact"  style="width: 60%; box-    sizing: border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;" value="<?php     echo $contact; ?>"/><br/>
<strong>Price*</strong> <input type="text" name="price"  style="width: 60%; box-sizing:    border-box; -moz-box-sizing: border-box; -webkit-box-sizing: border-box;" value="<?php echo    $price; ?>"/><br/>
 <p>* Required</p>
 <input type="submit" name="submit" value="Submit">
 </div>
 </form>
 </div>
 </div>
 </body>
 </html> 
 <?php
  }

// Inialize session
    session_start();


 // connect to the database
 include('conn.php');

 // check if the form has been submitted. If it has, process the form and save it to the    database
 if (isset($_POST['submit']))
  { 
 // confirm that the 'id' value is a valid integer before getting the form data
 if (is_numeric($_POST['id']))
 {
 // get form data, making sure it is valid
 $id = $_POST['id'];
 $fname = mysql_real_escape_string(htmlspecialchars($_POST['fname']));
 $lname = mysql_real_escape_string(htmlspecialchars($_POST['lname']));
 $contact = mysql_real_escape_string(htmlspecialchars($_POST['contact']));
 $price = mysql_real_escape_string(htmlspecialchars($_POST['price']));

 // check that firstname/lastname fields are both filled in
 if ($fname == '' || $lname == '' || $contact == '' || $price == '' )
 {
 // generate error message
 $error = 'ERROR: Please fill in all required fields!';

 //error, display form
 renderForm($id, $fname, $lname, $contact, $price, $error);
 }
else
 {
 // save the data to the database
 mysql_query("UPDATE people SET price='$price', contact='$contact', fname='$fname',      lname='$lname' WHERE id='$id'")
 or die(mysql_error()); 

 // once saved, redirect back to the view page
 header("Location: view.php"); 
 }
 }
 else
 {
 // if the 'id' isn't valid, display an error
 echo 'Error!';
 }
 }
 else
 // if the form hasn't been submitted, get the data from the db and display the form
 {

 // get the 'id' value from the URL (if it exists), making sure that it is valid (checing   that it is numeric/larger than 0)
 if (isset($_GET['id']) && is_numeric($_GET['id']) && $_GET['id'] > 0)
 {
 // query db
 $id = $_GET['id'];
 $result = mysql_query("SELECT * FROM people WHERE id=$id")
 or die(mysql_error()); 
$row = mysql_fetch_array($result);

 // check that the 'id' matches up with a row in the databse
 if($row)
 {

 // get data from db
 $fname = $row['fname'];
 $lname = $row['lname'];
 $contact = $row['contact'];
 $price = $row['price'];

 // show form
 renderForm($id, $fname, $lname, $contact, $price, '');
 }
 else
 // if no match, display result
 {
 echo "No results!";
 }
 }
 else
 // if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
 {
 echo 'Error!';
 }
 }
 ?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to record, in the database, the poster of each advert. This is just another column.

    When an attempt is made to edit an advert (either for displaying the form or saving the result) you need to check that the owner of the advert matches the currently logged in user.

    e.g. UPDATE adverts SET text=? WHERE id=? AND user=?

    • 0