删除论坛帖子

Question

I have a table with the following fields: wall_posts, group_id, id, and user_id.

Wall_posts is user entries, group_id is imported from another table and is just a unique group id, id is just a simple counter, and user_id gets the user id from the session.

My code gets rid of all the wall_posts if you press the delete button by comparing the user id to the user in session. I'm trying to find a way to delete individual posts and not all the posts by the user.

Here is the code:

if (isset($_POST['delete'])) {
    $current_user = $_SESSION['user_id'];
    $result = mysql_query("SELECT * FROM group_posts");
    while ($user_id = mysql_fetch_array($result)) {
        $id = $user_id['user_id'];
    }
    if ($current_user == $id) {
        mysql_query("DELETE FROM group_posts WHERE $current_user = $id") or die(mysql_error());
    }
}

How can I bound the delete button to individual posts instead of deleting all the posts made by the user currently in session?

Answer 1

Your SQL query above doesn't make sense - the WHERE statement should be in the form WHERE column_name = value .

Assuming id is the primary key for group_posts, as you're displaying posts, create a link for each post created by the author, eg <a href="delete.php?delete=3">Delete This Post</a> for post with id 3. Then you'd do a query like this:

DELETE FROM group_posts WHERE id = postIdValueHere

Using the code pattern you have above:

if (isset($_POST['delete']) && $_POST['delete'] > 0) {
$current_user = $_SESSION['user_id'];
$post_id = (int) $_POST['delete'];

if ($current_user == $id) {
    mysql_query("DELETE FROM group_posts WHERE id = $post_id AND user_id = $id") or die(mysql_error());
}

That query ensures that only posts with a given ID, created by the current author, can be deleted.

Does that answer your question?

Once you get more comfortable with SQL, you might also want to look into using prepared statements with mysqli or PDO . That will help your code clean and secure.

Answer 2

I'm assuming your delete buttons are simple links. Your links must contain all the information to delete a post. One way would be to pass a post id as a GET variable (eg link="myurl.com/posts/delete?id=#").

Your script would then at first make sure the current user is allowed to delete the post. For example:

$user_id = $_SESSION['user_id'];
$post_id = (int) $_GET['id'];
if(canDelete($user_id, $post_id))
{
    // assuming post_id is unique for every post
    $sql = sprintf("DELETE FROM group_posts WHERE id = %d", $post_id);
    mysql_query($sql);
}

Of course, you'd have to implement canDelete($user_id) yourself.

By the way, "DELETE FROM group_posts WHERE $current_user = $id" always deletes every record in your table. At first you're comparing if $current_user equals $id and if they do happen to be equal, your query would look something like WHERE 1 = 1 . I think you mean "DELETE FROM group_posts WHERE user_id = '$id'"

EDIT : It seems you want to use ajax for deleting your posts. I recommend using jQuery or any other proper javascript framework as it saves you time. Here is a link from the jQuery documentation describing how to make an ajax call to the server and a similar question to help you understand better.