I have two tables user and news_table. I want to ban user with type 1 from editing and deleting news posted by user with type 9. Right now as it stands with my code user type 1 is capable of editing and deleting news posted by user type 9. I need a new query to fix it.
user:
id int primary key auto_increment,
username varchar(255),
password varchar(255),
type int
news_table:
id int primary key auto_incremnet,
title varchar(255),
news text,
author varchar(50),
time date,
authorid int,
image varchar(255) NULL
if(isset($_POST['editsubmit'])){
$oldtitle=htmlentities($_POST['oldtitle']);
$newtitle=htmlentities($_POST['newtitle']);
$newtext=htmlentities($_POST['newtext']);
$oldtitle=mysqli_real_escape_string($conn,$oldtitle);
$newtitle=mysqli_real_escape_string($conn,$newtitle);
$newtext=mysqli_real_escape_string($conn,$newtext);
if($oldtitle){
if($newtitle){
if($newtext){
$query=mysqli_query($conn,"SELECT*FROM news_table JOIN user ON news_table.authorid=user.id WHERE title='$oldtitle' AND user.type!=9 OR news_table.image IS null");
$numrows=mysqli_num_rows($query);
if($numrows==1){
mysqli_query($conn,"UPDATE news_table set title='$newtitle',news='$newtext' WHERE title='$oldtitle'");
$query=mysqli_query($conn,"SELECT*FROM news_table WHERE title='$newtitle'");
$numrows=mysqli_num_rows($query);
if($numrows==1){
$errormsg2="News edited";
}else
$errormsg2="An error occurred.News not edited";
}else
$errormsg2="That news do not exist";
}else
$errormsg2="Please enter new text";
}else
$errormsg2="Please enter new title";
}else
$errormsg2="Please enter old news title";
}
I commented your code, it appears that you will allow any user who's user.type does not equal 9 to perform the edit, perhaps you should change that to = 9 so only the user.type 9 will be able to make the modifications.
if(isset($_POST['editsubmit'])){
// Post Variables
$oldtitle=htmlentities($_POST['oldtitle']);
$newtitle=htmlentities($_POST['newtitle']);
$newtext=htmlentities($_POST['newtext']);
$oldtitle=mysqli_real_escape_string($conn,$oldtitle);
$newtitle=mysqli_real_escape_string($conn,$newtitle);
$newtext=mysqli_real_escape_string($conn,$newtext);
// If there is an oldtitle
if($oldtitle){
// If there is a newtitle
if($newtitle){
// If there is newtext
if($newtext){
// Perform this query, JOIN and WHERE has user.type EQUALS 9
$query=mysqli_query($conn,"SELECT*FROM news_table JOIN user ON news_table.authorid=user.id WHERE title='$oldtitle' AND user.type = 9 OR news_table.image IS null");
// Get the Data
$numrows=mysqli_num_rows($query);
// If we actually received a row with the matching criteria
if($numrows==1){
// Perform the update
mysqli_query($conn,"UPDATE news_table set title='$newtitle',news='$newtext' WHERE title='$oldtitle'");
// New query to refresh the data from the edit
$query=mysqli_query($conn,"SELECT*FROM news_table WHERE title='$newtitle'");
$numrows=mysqli_num_rows($query);
// Verify the edit was completed
if($numrows==1){
$errormsg2="News edited";
}else
$errormsg2="An error occurred.News not edited";
}else
$errormsg2="That news do not exist";
}else
$errormsg2="Please enter new text";
}else
$errormsg2="Please enter new title";
}else
$errormsg2="Please enter old news title";
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.