PHP
Ratami Sato, 2015-10-21 14:18:49

How can I check for the page owner with this code?

Of course, I understand that all this is g**** code, but this is my first project in PHP. In general, the question is this: how can I make the write field on the page visible only to its owner?
Can this be done with my code? I have searched all sorts of forums, but nothing there is quite right...

<?php
session_start();
include_once "core/engine/session.php";
include_once "core/connect/database.php";

if(!isset($_GET["id"])){
      $id = $_SESSION["user_id"];
    }
    else{
      $id = $_GET["id"];
    }
      $result = mysql_query("SELECT * FROM users WHERE id='$id'") or die(mysql_error()) ;
      $users = mysql_fetch_array($result);
      do{
         printf('
         
               <head>
               <title>%s</title>
               <meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
               <link rel="stylesheet" href="templates/Default/user/avatar.css" />
               <link rel="stylesheet" href="templates/css/style.css" />
               </head>
         
         <body style="background: url(%s) no-repeat; background-size: cover;">
            <div class="avatar_area">
            
              <img src="%s" />
              
              <div class="name">
              <a href="/user?id=%s">%s</a>
              </div>
              
              <div class="menu">
              
                <ul class="l1">
                  <li><a href="/settings">Настройки</a></li>
                  <li><a href="/news">Новости</a></li>
                  <li><a>Сообщения</a></li>
                  <li><a href="/mobile?act_logout=1">Выход</a></li>
                </ul>
              
              <div class="wall_post">
                <form method="post" action="send_post.php">
                  <table>
                    <tr>
                      <td><input type="text" name="wall_post" placeholder="Что нового?" required /></td>
                    </tr>
                    <tr>
                      <td><center><input type="submit" name="submit" value="Отправить" /></center></td>
                    </tr>
                  </table>
                </form>
              </div>
              
              </div>
            </div>
          </body>
          
         ',$users["username"], $users['background'], $users["avatar"], $users["id"], $users["username"]);
      }
      while($users = mysql_fetch_array($result));

?>

Sorry for the GK :3


2 answer(s)
Alexander Litvinenko, 2015-10-21
@edli007

It's not that this is shit code or has XSS; the problem is that you are using functions that are no longer in PHP.
Don't output the entire HTML at once; in the place where you have the write field, add another if with the owner check. In general, people use the output buffer here rather than printf, but you can google that yourself.

Nikolay, 2015-10-21
@iNickolay

So just check if the given user is the owner :)

if($id == $author_id) { echo 'Это увидит только владелец'; }
where $author_id is the received (or given) owner id :)
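
The owner check both answers describe, as an added example that is not part of the original thread or either answer. It assumes the login code stores the authenticated user's id in $_SESSION["user_id"], as the question's code implies; the function names and the sample row are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes login stored the
// authenticated user's id in $_SESSION["user_id"] (as the question implies).
declare(strict_types=1);

/** Which profile is shown: ?id=N if it is a positive integer, else the viewer's own. */
function resolve_profile_id(array $get, array $session): ?int
{
    if (isset($get['id'])) {
        $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        return $id === false ? null : $id;   // reject "7 OR 1=1", arrays, etc.
    }
    return isset($session['user_id']) ? (int)$session['user_id'] : null;
}

/** True only when a logged-in viewer is looking at their own page. */
function is_page_owner(array $session, ?int $profileId): bool
{
    return $profileId !== null
        && isset($session['user_id'])
        && (int)$session['user_id'] === $profileId;
}

/** Build the page body; the wall form is emitted only for the owner. */
function render_profile(array $user, bool $isOwner): string
{
    // Escape everything that came from the database before it reaches HTML.
    $name = htmlspecialchars((string)$user['username'], ENT_QUOTES, 'UTF-8');
    $html = '<div class="name"><a href="/user?id=' . (int)$user['id'] . '">' . $name . '</a></div>';
    if ($isOwner) {
        $html .= '<form method="post" action="send_post.php">'
               . '<input type="text" name="wall_post" required />'
               . '<input type="submit" name="submit" /></form>';
    }
    return $html;
}

// Constructed sample row standing in for a record from the users table.
$user = ['id' => 7, 'username' => 'ratami <b>'];

$owner = ['user_id' => '7'];   // viewer logged in as user 7
echo render_profile($user, is_page_owner($owner, resolve_profile_id(['id' => '7'], $owner))), "\n";

$guest = ['user_id' => '9'];   // a different logged-in user viewing the same page
echo render_profile($user, is_page_owner($guest, resolve_profile_id(['id' => '7'], $guest))), "\n";
```

Hiding the form only changes what the page shows, so send_post.php has to run the same is_page_owner check on the server before it stores a post.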
