PROTECT BUGGING LIKES

So hello, that's me again xd
This time I have made everything, but it has some bugs, like

http://localhost/GrabPoints/like.php?id=1&myid=1

it adds 1 like from me to the post where id=1

The problem is that users can easily change myid=2 or some other number, so they can add another like from another user's account. How can I make it so that,
if the session id = myid, then it lets the user go on?
code:

[php]<?php
include("connect.php");
session_start();

// not logged in: redirect to the login page and stop here
// (without exit the code below would still run after the redirect header is sent)
if (!isset($_SESSION['id'])) {
    header('Location: login.php');
    exit;
}

if (isset($_GET['id'], $_GET['myid'])) {
    $pid  = $_GET['id'];
    $myid = $_GET['myid']; // taken straight from the URL: this is the bug discussed below

    // both values are interpolated directly into the SQL string
    $query = mysqli_query($conn, "SELECT * FROM likes WHERE pid='$pid' AND myid='$myid'");
    $numrows = mysqli_num_rows($query);

    if ($numrows !== 0) {
        // this user already liked this post: just go back to the topic
        while ($row = mysqli_fetch_assoc($query)) {
            $dbpid  = $row['pid'];
            $dbmyid = $row['myid'];
        }
        if ($pid == $dbpid && $myid == $dbmyid) {
            header("Location: topic.php?id=" . $_GET['id']);
            exit;
        }
    } else {
        // no like yet: insert one for the user named in the URL
        $id   = $_GET['id'];
        $myid = $_GET['myid'];
        $sql = "INSERT INTO likes (pid,myid) VALUES ('$id','$myid')";
        mysqli_query($conn, $sql);
        header("Location: topic.php?id=$id");
        exit;
    }
}
?>[/php]

I don't know how to modify this part…
[php]if (!isset($_SESSION['id'])) {[/php]
I tried
[php]if ($_SESSION['id'] !== $_GET['myid']) {[/php]

Don’t pass the session id value into the string. It is still available.

You need to focus on prepared statements as well.

"SELECT * FROM likes WHERE pid='$pid' AND myid='$myid'"

Is a bad idea to begin with. I would tell you what to run, but it would kill your database and I don't know if you know how to do a dump/backup.

I know how to do a db backup, but why would it kill it? Can't I make it without killing it xd

Why even have a separate id for admin or what have you? Just have security levels where sysop or admin levels can change anything. That way if someone changes the id, you can then just redirect them back to the home page or have a message that says tsk, tsk, tsk! :smiley:

No no, this is not about changing that. Everyone can change the id; if he is smart enough he can bug the likes.
I have made it so that if he is not logged in he can't do anything, but if he is logged in and he goes to
http://localhost/GrabPoints/like.php?id=1&myid=1
he adds 1 like.
If I change it to http://localhost/GrabPoints/like.php?id=1&myid=2 I can add a like from someone else's account. I need to
disable that: I need to make it so every user can add a like only from his own account, and even if he changes myid= to another id it doesn't change anything, because the script knows it is not his session id and he can't change that stuff.

Just use their session id and don’t pass it into the url.
[php]
$sql = "INSERT INTO likes (pid,myid) VALUES (?,?)";
… execute([$id, $_SESSION['id']]);[/php]

I don't know how to do that right, because I am always passing it into a new URL.
My code:
[php]echo "<a class='like' href='like.php?id=$row[id]&myid=" . $_SESSION['id'] . "'>$likes</a>";[/php]
I don't know how to make something work when I press a link or button; I am using POST or passing it to a new URL.

You don’t need to pass the session id into anything, it is globally accessible everywhere that is using the session.

Can you make code for me? Or an example; I will learn from that, that's how I am learning…

I showed you an example… When you insert into the table, you grab the session id of the current logged in user.

But then I have to make form action="post", and then when isset POST the stuff happens?

No… $_SESSION has nothing to do with forms at all.
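Putting the replies above together, here is what like.php looks like once the liking user comes from the session and the queries use placeholders. This is an added example, not code from the thread: it assumes, as the original post does, that connect.php opens a mysqli connection in $conn, that login.php stores the logged-in user's id in $_SESSION['id'], and that the likes table has the columns pid and myid.

```php
<?php
// Added example (not the thread's own code). Assumptions, as in the original
// post: connect.php creates a mysqli connection in $conn, login.php sets
// $_SESSION['id'], and the table is likes(pid, myid).
include 'connect.php';
session_start();

// Not logged in: redirect and STOP. Without exit the rest of the script
// would still run after the Location header has been sent.
if (!isset($_SESSION['id'])) {
    header('Location: login.php');
    exit;
}

// The only thing taken from the request is WHICH post is being liked,
// and even that is validated as a positive integer.
$pid = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($pid === null || $pid === false) {
    http_response_code(400);
    exit('missing or invalid post id');
}

// WHO is liking is decided by the server from the session. A myid=...
// parameter in the URL is never read, so there is nothing to forge.
$myid = (int) $_SESSION['id'];

// Has this user already liked this post? The ? placeholders keep the
// values out of the SQL text, so quotes in the input cannot change the query.
$stmt = $conn->prepare('SELECT 1 FROM likes WHERE pid = ? AND myid = ?');
$stmt->bind_param('ii', $pid, $myid);
$stmt->execute();
$stmt->store_result();
$alreadyLiked = $stmt->num_rows > 0;
$stmt->close();

if (!$alreadyLiked) {
    $stmt = $conn->prepare('INSERT INTO likes (pid, myid) VALUES (?, ?)');
    $stmt->bind_param('ii', $pid, $myid);
    $stmt->execute();
    $stmt->close();
}

// Back to the topic either way; the post id is an int, so it is safe in the URL.
header('Location: topic.php?id=' . $pid);
exit;
```

The link in topic.php then needs no myid at all: `<a class='like' href='like.php?id=<?= (int) $row['id'] ?>'>`. Two things worth knowing beyond the thread: the SELECT-then-INSERT pair is not atomic, so two quick clicks can both pass the check; a `UNIQUE KEY (pid, myid)` on the table makes the second INSERT fail instead of double counting. And because this is a GET link that changes data, any other site can make a logged-in user's browser request it; triggering the like from a small POST form that carries a per-session token is the more robust shape once the basics here are in place.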

[member=78357]artis23[/member] , you really need to take some time and learn the basics. You are going to drag these threads out forever expecting to be spoon fed everything. There are numerous tutorials available. You can start here https://www.codecademy.com/
