onestopplay
07-06-2009, 02:04 PM
I have a database with all my members' messages in it.
id | to | from | subject | message
When someone replies to a message, the URL is reply.php?id=(whatever id the initial message was)
The problem is, someone could randomly type in the url reply.php?id=55 if they have a user and pass.
They don't necessarily have to be the replier of the message.
I have:
$result = mysql_query("SELECT * FROM `messages` WHERE `to` = '$username'");
$row = mysql_fetch_array($result);
So is it possible to have an if else statement. (This obviously doesn't work, I am just trying to show you what I mean.)
if ($_GET['id'] != an id that belongs to this user in the field to)
{echo "You are on the wrong page;"}
else
{
//php reply form
}
I think I have to change $row = mysql_fetch_array to some other string but I'm not sure.
Sorry this is a bit confusing, but I hope you understand.
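
Added example (not part of the original post): one way to make the check described above is to put both the id from the URL and the logged-in recipient into the same query, so a row comes back only when the message belongs to that user. The helper name findReplyableMessage, the sample rows and the in-memory SQLite database are assumptions made so the code runs on its own; on MySQL keep the backticks around `to` and `from` as in the post.

```php
<?php
// Constructed sample data in an in-memory SQLite database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, "to" TEXT, "from" TEXT, subject TEXT, message TEXT)');
$pdo->exec("INSERT INTO messages VALUES
    (54, 'alice', 'bob',  'Hi',      'Hello Alice'),
    (55, 'carol', 'dave', 'Private', 'For Carol only')");

/**
 * Hypothetical helper: returns the message row only when $rawId is a valid id
 * AND the row's recipient is $username; returns null in every other case.
 */
function findReplyableMessage(PDO $pdo, $rawId, string $username): ?array
{
    // Reject anything that is not a positive integer before touching the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Ownership is enforced by the query itself: id from the URL plus the recipient.
    // Bound parameters keep both values out of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT id, "from", subject, message FROM messages WHERE id = :id AND "to" = :to'
    );
    $stmt->execute([':id' => $id, ':to' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The username must come from the server-side session, never from the request.
$username = 'alice'; // constructed stand-in for $_SESSION['username']

// Constructed stand-ins for $_GET['id']: own message, someone else's, junk, missing.
foreach (['54', '55', 'abc', null] as $requestedId) {
    $msg = findReplyableMessage($pdo, $requestedId, $username);
    if ($msg === null) {
        // Same answer for "no such id" and "not yours", so ids cannot be probed.
        echo var_export($requestedId, true) . ": You are on the wrong page\n";
    } else {
        echo var_export($requestedId, true) . ": show reply form for '{$msg['subject']}'\n";
    }
}
```

The same lookup has to run again in the script that saves the reply, since hiding the form alone does not stop a direct POST with another id.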