
PM system Reply



onestopplay
07-06-2009, 02:04 PM
I have a database with all my members messages in it.
id | to | from | subject | message
When someone replies to a message, the URL is reply.php?id=(whatever id the initial message was)
The problem is, someone could randomly type in the URL reply.php?id=55 if they have a user and pass.
They don't necessarily have to be the replier of the message.
I have:
// escape the username before it goes into the query, and terminate the statements
$result = mysql_query("SELECT * FROM `messages` WHERE `to` = '" . mysql_real_escape_string($username) . "'");
$row = mysql_fetch_array($result);
So is it possible to have an if/else statement? (This obviously doesn't work, I am just trying to show you what I mean.)
if ($_GET['id'] != an id that belongs to this user in the field `to`)
{ echo "You are on the wrong page"; }
else
{
// php reply form
}

I think I have to change $row = mysql_fetch_array to some other string but I'm not sure.

Sorry this is a bit confusing, but I hope you understand.

Elkidogz
07-06-2009, 07:17 PM
yes, you can have the conditional prior to the reply section being built




$result = mysql_query($sql);   // the message lookup
if (validation of user matches id of the intended receiver in that message) {
    while ($row = mysql_fetch_array($result)) {
        // build good reply statement.
    }
}
else
{
    // hey buddy you don't belong to this PM - GET OUT! - ADMIN OF SITE NOTIFIED!!!
    // send email to admin of attempted user information leak.
}

onestopplay
07-06-2009, 07:37 PM
Thanks for the reply. I see what you're saying, but obviously I can't use "validation of user matches id of the intended receiver in that message".
So what would I use is what I'm stuck on.
If I say:

if($to != $id)
it allows say id 1 but not id 2.
Thanks
P.S. I like the send Admin an email alert idea!!

Elkidogz
07-06-2009, 09:14 PM
so, your sql statement should be comparing the user submitted via the link (via cookie login info stored?) to the original destination user id of the Message...

the if statement uses that conditional for its evaluation


$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row['newuser'] == $row['originaluser']) {
    // build out the reply page. You could include the original sql in here to build out the reply page,
    // or modify the sql to ensure it's got the right user in here.
}
else
{
    $error = "you aren't allowed to see this post. admin notified.";
    // email admin account
    email_error($row['newuser'], (timestamp), (ip), ... <whatever information you can get from the browser>);
    // display the login page with message above.
    rebuild_login_page($error);
}

Does the database keep user information for the PMs? Meaning you have two tables you're comparing:

1 user
2 pm's

the user table obviously has user accounts, but does the PMs table? If it does, do a join based off the PM message id's original user and the account of the poster; if they match, build; if not... admin email.

onestopplay
07-07-2009, 12:07 AM
Yes I have the same two tables and no I am using sessions not cookies.
But what do you mean by 'build' and 'join'? I'm not sure what you mean.
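As an added example (not code from either poster), here is what the "build" and "join" advice looks like in one reply.php: the logged-in user from the session, the id from the URL, a single prepared query that only returns the message when it was addressed to that user (joined against the users table), and the reply form built only when a row comes back. It assumes a PDO connection in $pdo, a `users` table with `id` and `username`, the `messages` table from the first post where `to`/`from` hold usernames, and $_SESSION['username'] set at login.

```php
<?php
// Added example, not the original poster's code. Assumes: $pdo (PDO connection),
// a `users` table (id, username), the thread's `messages` table
// (id, to, from, subject, message) with usernames in `to`/`from`,
// and $_SESSION['username'] set by the login page.
session_start();

if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit;
}

// Reject anything that is not an integer id before it reaches SQL.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad message id');
}

// Ownership is enforced inside the query: the row only comes back when the
// message was sent to the logged-in user, so the ?id= value alone is not enough.
// `to` and `from` are reserved words in MySQL, so they must stay backquoted.
$stmt = $pdo->prepare(
    'SELECT m.id, m.`from`, m.subject, m.message, u.id AS recipient_id
       FROM `messages` m
       JOIN `users` u ON u.username = m.`to`
      WHERE m.id = :id AND m.`to` = :me'
);
$stmt->execute([':id' => $id, ':me' => $_SESSION['username']]);
$msg = $stmt->fetch(PDO::FETCH_ASSOC);

if ($msg === false) {
    // No such message OR it belongs to someone else: same response for both,
    // so a user cannot probe which ids exist. Log it for the admin.
    error_log(sprintf('PM access denied: user=%s id=%d ip=%s',
        $_SESSION['username'], $id, $_SERVER['REMOTE_ADDR']));
    http_response_code(403);
    exit('You are on the wrong page.');
}

// Authorized: build the reply form, addressed back to the original sender.
echo '<form method="post" action="send.php">';
echo '<input type="hidden" name="reply_to" value="' . (int)$msg['id'] . '">';
echo 'To: ' . htmlspecialchars($msg['from'], ENT_QUOTES, 'UTF-8') . '<br>';
echo 'Subject: <input name="subject" value="Re: '
   . htmlspecialchars($msg['subject'], ENT_QUOTES, 'UTF-8') . '"><br>';
echo '<textarea name="message"></textarea><button>Send</button></form>';
```

send.php must repeat the same ownership check on reply_to when the form is posted; checking it only when the form is displayed leaves the same hole.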