DELETE AND EDIT POST!

I’m making a Forum (Message Board) for my project in school and I want the users to delete their own post or edit their post. I’m wondering how, please help!

<?php
include 'connect.php';
include 'header.php';

// The id is numeric, so cast it: mysql_real_escape_string() only escapes quote
// characters, and an unquoted number built from it can still be altered by the client.
$topic_id = isset($_GET['id']) ? (int) $_GET['id'] : 0;

$sql = "SELECT
            topic_id,
            topic_subject,
            topic_cat
        FROM
            topics
        WHERE
            topics.topic_id = " . $topic_id;

$result = mysql_query($sql);
$row = $result ? mysql_fetch_assoc($result) : false;

if ($_SESSION['signed_in'] == false) {
    echo 'You must be signed in to see the topic.';
} elseif (!$result) {
    echo 'The topic could not be displayed, please try again later.';
} elseif (mysql_num_rows($result) == 0) {
    echo 'This topic doesn&rsquo;t exist.';
} else {
    echo '<table class="topic">
            <tr>
                <th colspan="2">' . htmlentities($row['topic_subject']) . '</th>
            </tr>';

    $posts_sql = "SELECT
                    posts.post_topic,
                    posts.post_content,
                    posts.post_date,
                    posts.post_by,
                    posts.post_id,
                    users.ID,
                    users.USN,
                    users.First_Name,
                    users.Middle_Name,
                    users.Last_Name,
                    users.Course,
                    users.User_Level
                  FROM
                    posts
                  LEFT JOIN
                    users
                  ON
                    posts.post_by = users.ID
                  WHERE
                    posts.post_topic = " . $topic_id;

    $posts_result = mysql_query($posts_sql);

    if (!$posts_result) {
        echo '<tr><td colspan="2">The posts could not be displayed, please try again later.</td></tr>';
    } else {
        while ($posts_row = mysql_fetch_assoc($posts_result)) {
            // Delete and edit act on one post, not on the topic, so the post id goes into the links.
            $post_id = (int) $posts_row['post_id'];

            // Everything that came from the database is escaped before it is echoed.
            echo '<tr>
                    <td>
                        <div>
                            <b>' . htmlentities($posts_row['USN']) . '</b><br/>'
                            . htmlentities($posts_row['First_Name'] . ' ' . $posts_row['Middle_Name'] . ' ' . $posts_row['Last_Name']) . '<br/>
                            <b>' . htmlentities($posts_row['Course']) . '</b><br/>
                            <b>' . htmlentities($posts_row['User_Level']) . '</b>
                        </div>
                        <br/>
                        <br/>

                        <form method="post" action="delete.php?id=' . $post_id . '">
                            <button type="submit" name="delete">DELETE POST</button>
                        </form>
                        <a href="edit.php?id=' . $post_id . '">EDIT POST</a>
                        <br/>

                        Posted on: ' . date('F d, Y / h:iA', strtotime($posts_row['post_date'])) . '
                    </td>

                    <td>
                        <a name="postid=' . $post_id . '"></a>
                        ' . htmlentities(stripslashes($posts_row['post_content'])) . '
                    </td>
                </tr>';
        }
    }

    echo '<tr>
            <td colspan="2">
                <h2>Reply:</h2>
                <form method="post" action="reply.php?id=' . $topic_id . '">
                    <textarea name="reply-content" cols="50" rows="10"></textarea><br/><br/>
                    <button type="submit"><img src="Reply.jpg" alt="Reply"></button>
                </form>
            </td>
        </tr>';

    echo '</table>';
}

include 'footer.php';

This is where I want the button. Problem is, I don’t know how to code the delete and edit php. Please help!
NOTE: Edit Post is optional, but if you can, help me with it.


The mysql_* api in PHP has been deprecated and will soon be removed, I suggest you learn the “new” way of doing things when learning this stuff. With “new” in quotes since the replacement was released over 10 years ago. Use Mysqli or PDO.
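Why that advice matters for the code above, as an added example that is not part of any post in this thread: the topic and post queries build `WHERE ... = " . mysql_real_escape_string($_GET['id'])` with no quotes around the value, and the escaper only neutralises quote characters, so a bare `2 OR 1=1` passes through unchanged and becomes part of the SQL. The script below reproduces that against an in-memory SQLite database through PDO (it assumes the pdo_sqlite extension, bundled with most PHP builds) and uses addslashes() as a stand-in for mysql_real_escape_string(), which PHP 7 removed; the table and column names are the original's, the rows are constructed sample data.

```php
<?php
// Added example: the original's "escape, then concatenate without quotes"
// pattern beside a bound parameter and beside an int cast.
// Assumes pdo_sqlite; addslashes() stands in for mysql_real_escape_string().

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, topic_subject TEXT)');
// Constructed sample data.
$db->exec("INSERT INTO topics VALUES (1, 'Welcome'), (2, 'Staff only'), (3, 'Exams')");

// The original pattern: escape the value, then concatenate it unquoted.
// The escaper only touches quotes, backslashes and NUL, so "2 OR 1=1" goes in as-is.
function fetchTopicsConcatenated(PDO $db, $id) {
    $sql = 'SELECT topic_subject FROM topics WHERE topic_id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: a bound parameter is sent as a value and never parsed as SQL.
function fetchTopicsPrepared(PDO $db, $id) {
    $stmt = $db->prepare('SELECT topic_subject FROM topics WHERE topic_id = ?');
    $stmt->execute(array($id));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Minimal fix if mysql_* really has to stay: cast to int before concatenating,
// so only the leading digits survive.
function fetchTopicsIntCast(PDO $db, $id) {
    $sql = 'SELECT topic_subject FROM topics WHERE topic_id = ' . (int) $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// What a client could put in ?id= ... : no quote characters anywhere.
$payload = '2 OR 1=1';

echo "concatenated: ", implode(', ', fetchTopicsConcatenated($db, $payload)), "\n";
echo "prepared:     ", implode(', ', fetchTopicsPrepared($db, $payload)), "\n";
echo "int cast:     ", implode(', ', fetchTopicsIntCast($db, $payload)), "\n";
```

Run it with `php sqli_demo.php`: the concatenated version returns every topic (the WHERE clause has become `topic_id = 2 OR 1=1`), the prepared statement returns nothing because the whole string is compared as a value and matches no id, and the cast version returns only topic 2. The cast is the least you should do while still on mysql_*; prepared statements through PDO or mysqli are the real fix, and they also remove the need to escape at all.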

You’re on the right track here

[php]<form method="post" action="delete.php?id=' . $row['topic_id'] .'">
<button name="delete" id=' . $row['topic_id'] .'">
DELETE POST
</button>
</form>
EDIT POST[/php]

You could change it to this

[php]<!-- method="post" on both: a GET form replaces the ?id= query string with its own fields -->
<form method="post" action="delete.php?id=' . $posts_row['post_id'] . '">
    <input type="submit" value="Delete post">
</form>

<form method="post" action="edit.php?id=' . $posts_row['post_id'] . '">
    <input type="submit" value="Edit post">
</form>[/php]

Then create delete.php and edit.php
check if $_GET['id'] is set
if not: show an error
check if $_GET['id'] is a valid id
if not: show an error
check if the current user is allowed to edit/delete $_GET['id']
if not: show an error
show edit form / delete post if all is ok
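The four checks above as a complete delete.php, added here as an example and not code from anyone in this thread. It is written against PDO rather than mysql_*, and it assumes things the original does not show: connect.php puts a PDO connection in `$db` and calls session_start(); the login code stores the user's users.ID in `$_SESSION['user_id']` and a random token in `$_SESSION['csrf']`; and the delete form in the topic view sends that token as a hidden field named `csrf`. Table and column names are the original's (posts.post_id, posts.post_topic, posts.post_by).

```php
<?php
// delete.php (added example). Assumptions, not from the original post:
//   - connect.php provides $db (PDO) and has called session_start()
//   - $_SESSION['user_id'] holds users.ID, $_SESSION['csrf'] holds a random token
//   - the delete form posts a hidden field "csrf" with that token

require 'connect.php';

// Send an HTTP error status with a short, escaped message and stop.
function fail($status, $message) {
    http_response_code($status);
    echo htmlspecialchars($message, ENT_QUOTES);
    exit();
}

// Deleting changes state, so only accept POST: a GET URL such as
// delete.php?id=5 could be triggered from any other site with an <img> tag.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'Use the delete button on the topic page');
}

// The token proves the request came from a form this site rendered (CSRF).
if (!isset($_POST['csrf'], $_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
    fail(403, 'Invalid request token');
}

// Must be signed in, and we need to know as whom.
if (empty($_SESSION['signed_in']) || empty($_SESSION['user_id'])) {
    fail(403, 'You must be signed in to delete a post');
}

// 1. id must be set (the form action is delete.php?id=..., so it arrives in $_GET).
if (!isset($_GET['id'])) {
    fail(400, 'post id missing');
}

// 2. id must be a valid id: digits only, and present in the table.
if (!ctype_digit((string) $_GET['id'])) {
    fail(400, 'post id must be a number');
}
$post_id = (int) $_GET['id'];

$stmt = $db->prepare('SELECT post_id, post_topic, post_by FROM posts WHERE post_id = ?');
$stmt->execute(array($post_id));
$post = $stmt->fetch(PDO::FETCH_ASSOC);
if (!$post) {
    fail(404, 'post not found');
}

// 3. the current user must be allowed to delete this post. The decision is
//    made from the stored post_by and the session, never from anything the
//    client sent: hiding the button in the view is not an access control.
$user_id = (int) $_SESSION['user_id'];
if ((int) $post['post_by'] !== $user_id) {
    fail(403, 'You can only delete your own posts');
}

// 4. all ok: delete. The owner is repeated in the WHERE clause so this
//    statement can never remove more than the row that was just checked.
$stmt = $db->prepare('DELETE FROM posts WHERE post_id = ? AND post_by = ?');
$stmt->execute(array($post_id, $user_id));

// Back to the topic the post belonged to.
header('Location: topic.php?id=' . (int) $post['post_topic']);
exit();
```

edit.php is the same file up to step 3, with the method and token checks applied only to the POST that saves: a GET shows the form with the current text escaped (`<textarea name="content"><?= htmlspecialchars($post['post_content'], ENT_QUOTES) ?></textarea>`), and the POST runs `UPDATE posts SET post_content = ? WHERE post_id = ? AND post_by = ?` with the same bound owner. The token can be created at login with `$_SESSION['csrf'] = bin2hex(random_bytes(16));` (PHP 7) and printed into each form as `<input type="hidden" name="csrf" value="<?= $_SESSION['csrf'] ?>">`.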

Warning
The following post contains a lot of info

You don’t have to make all these changes, actually you don’t even have to read them all.

I would suggest you do though, as it’s a few changes that can make your code a lot better structured. It is also a start in thinking about code in a more structured way, with some separation of concerns.

Warning 2
In order for you to actually try this out and use it, I have not changed it to use Mysqli or PDO. If it isn’t for some obscure reason required by the school to use mysql_*, I would strongly advise changing to either of them to learn a proper db api.

Comments:
It’s considered good practice to separate logic and view. This means separating the “programming stuff” like functions, db-queries etc, and the actual template showing the data.

Here I’ve moved the view (html) into its own file, and use short php tags to echo data.

<?= is the same as <?php echo
You should escape everything in the view. Don't trust any data.
Added Full_Name to the db query, it's just easier to get it as part of the result set than to add it in later.
One could probably argue forever about using single or double quotes. But whichever you choose, use one of them (same goes for all standards).
You don't need (want) to end php files with ?> why: http://stackoverflow.com/q/4410704/1078488

Moved the includes for the views into a separate function, as this would probably be repeated in every page

400/403/404 etc in render() are HTTP status codes; it’s normal to have an error message page for each of these. https://en.wikipedia.org/wiki/List_of_HTTP_status_codes

You seem to be duplicating names in your DB schema

Consider
posts.post_topic, posts.post_content, posts.post_date, posts.post_by, posts.post_id

VS
post.id, post.topic_id, post.user_id, post.content, post.date

When reading the table name + the column name you can clearly see having “post” in both is unnecessary.

It’s considered bad practice to:

Echo html in PHP, for one if you do like below then the text editor will highlight the html for you :)

Use tables for layout. Tables are for displaying tables of data, nothing else.

Use <br/> for layout. Use lists, paragraphs etc with css instead to get the layout you want.

common.php
[php]<?php

// connect.php is expected to open the database connection and start the session.
require 'connect.php';

// Render a view: header + views/<template>.php + footer, then stop.
// Variables defined by the caller are visible inside the included template.
// $template must always be a fixed string chosen in code, never user input,
// or the include path could be steered to an arbitrary file.
function render($template) {
    include 'views/header.php';
    include 'views/' . $template . '.php';
    include 'views/footer.php';
    exit();
}

// Escape data for output in the view. The default escapes for HTML text and attributes.
function sanitize($data, $type = 'string') {
    if ($type == 'string') {
        return htmlspecialchars($data, ENT_QUOTES);
    }

    if ($type == 'number') {
        return (int) $data;
    }

    if ($type == 'bool') {
        return !!$data;
    }
}[/php]

topic.php
[php]<?php

require 'common.php';

// Must be authenticated to view topic
if (empty($_SESSION['signed_in'])) {
    render('403');
}

// Must supply a topic id to view
if (!isset($_GET['id'])) {
    $message = 'topic id missing';
    render('400');
}

// The id is numeric; casting to int is the only safe way to put it into the
// query unquoted (mysql_real_escape_string() does nothing for a bare number).
$topic_id = (int) $_GET['id'];

// Fetch topic from DB
$sql = 'SELECT
            topic_id,
            topic_subject,
            topic_cat
        FROM
            topics
        WHERE
            topics.topic_id = ' . $topic_id;

$result = mysql_query($sql);
$topic = $result ? mysql_fetch_assoc($result) : false;

// Show 404 if topic was not found (query failed or returned no row)
if (!$topic) {
    $message = 'topic could not be found';
    render('404');
}

// Fetch posts from DB
$posts = array();

$sql = 'SELECT
            posts.post_topic,
            posts.post_content,
            posts.post_date,
            posts.post_by,
            posts.post_id,
            users.ID,
            users.USN,
            users.First_Name,
            users.Middle_Name,
            users.Last_Name,
            CONCAT_WS(" ", users.First_Name, users.Middle_Name, users.Last_Name) AS Full_Name,
            users.Course,
            users.User_Level
        FROM
            posts
        LEFT JOIN
            users
        ON
            posts.post_by = users.ID
        WHERE
            posts.post_topic = ' . $topic_id;

$result = mysql_query($sql);

// add individual posts to the array we will display in the view
if ($result) {
    while ($post = mysql_fetch_assoc($result)) {
        $posts[] = $post;
    }
}

// tell our function to render views/topic.php, the variables in this file will be accessible in the view
// (we're interested in $topic and $posts)
render('topic');[/php]

views/topic.php
[php]<?php

// Make sure we have the necessary data for the view.
if (!isset($topic) || !isset($posts)) {
    $message = 'Missing parameter(s) to view topic';
    render('500');
}

?>
<table class="topic">
    <tr>
        <th colspan="2"><?= sanitize($topic['topic_subject']) ?></th>
    </tr>
<?php foreach ($posts as $post) { ?>
    <tr>
        <td>
            <div>
                <b><?= sanitize($post['USN']) ?></b><br/>
                <?= sanitize($post['Full_Name']) ?><br/>
                <b><?= sanitize($post['Course']) ?></b><br/>
                <b><?= sanitize($post['User_Level']) ?></b>
            </div>
            <br/>
            <br/>

            <!-- delete/edit act on the post, so pass post_id; method="post" keeps the ?id= in the action -->
            <form method="post" action="delete.php?id=<?= sanitize($post['post_id'], 'number') ?>">
                <input type="submit" value="Delete post">
            </form>

            <form method="post" action="edit.php?id=<?= sanitize($post['post_id'], 'number') ?>">
                <input type="submit" value="Edit post">
            </form>

            <br/>

            Posted on: <?= date('F d, Y / h:iA', strtotime($post['post_date'])) ?>
        </td>

        <td>
            <a name="postid=<?= sanitize($post['post_id'], 'number') ?>"></a>
            <?= sanitize($post['post_content']) ?>
        </td>
    </tr>
<?php } ?>
    <tr>
        <td colspan="2">
            <h2>Reply:</h2>

            <form method="post" action="reply.php?id=<?= sanitize($topic['topic_id'], 'number') ?>">
                <textarea name="reply-content" cols="50" rows="10"></textarea><br/><br/>
                <button type="submit"><img src="Reply.jpg" alt="Reply"></button>
            </form>
        </td>
    </tr>
</table>
[/php]