PHP
SimBioT19, 2015-09-29 16:45:36

What is the correct way to delete a comment?

On my site, each user can easily delete his own comment. Comments are deleted via ajax: the user id and comment id are simply sent to the delete.php file, and there is already a call to the database.
The problem is that the user can replace the comment id and delete any other one. How do you protect against this? The idea that comes to mind is to send the user's unique hash along with the user id; if the user id in the database and the hash do not match, the comment is not deleted. Is this approach correct, and how do you make it so that the user also cannot change the id to the number of another of his comments? How do you know exactly which comment the user clicked the "delete" button on? And in general, how is this part organized on Toster, for example? What data should the user send so that nothing can be changed?


2 answer(s)
Alexander Taratin, 2015-09-29
@Taraflex

When authorizing, write the user id to the session.
When commenting, attach the user id to the comment.
When deleting, take the user id from the session and compare it with the user id from the comment.
If they match, delete the comment.

Alex Safonov, 2015-09-29
@elevenelven

Do not take the UserID from data the user provides.
Take it from the session or from the User object (depending on which framework, CMS, or self-written engine you have).

// Both values are cast to int: the id loaded from the database may be a string,
// and a strict === comparison of "42" with 42 would wrongly refuse the delete.
if ((int) $comment->getUserId() === (int) $_SESSION['user']['id']) {
    // the comment belongs to the current user: perform the delete
    //doDelete
} else {
    Logger::log('Fraud attempt');
}

Although, judging by the wording of the question, I get the feeling that you do not have comments tied to a user ID?
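Putting both answers together, here is what a complete delete.php can look like. This is an added example, not code from the question or either answer; it assumes a PDO connection, a `comments` table with `id` and `user_id` columns, the `$_SESSION['user']['id']` layout from the second answer, and placeholder database credentials. The client sends only the comment id; who is deleting is decided by the session alone, and ownership is enforced inside the DELETE itself.

```php
<?php
// delete.php: added example, not the original poster's code.
// Assumed: PDO, table `comments` (id, user_id), session key $_SESSION['user']['id'].
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

// The user id never comes from the request: only the session says who is acting.
if (empty($_SESSION['user']['id'])) {
    http_response_code(401);
    exit(json_encode(['ok' => false, 'error' => 'not logged in']));
}
$userId = (int) $_SESSION['user']['id'];

// The only thing the client sends is which comment it wants removed.
// FILTER_VALIDATE_INT rejects anything that is not a plain integer.
$commentId = filter_input(INPUT_POST, 'comment_id', FILTER_VALIDATE_INT);
if ($commentId === false || $commentId === null) {
    http_response_code(400);
    exit(json_encode(['ok' => false, 'error' => 'bad comment id']));
}

// Placeholder DSN and credentials; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Ownership is part of the query: the row is removed only if it belongs to
// the session user, so a tampered comment_id simply matches nothing.
$stmt = $pdo->prepare('DELETE FROM comments WHERE id = :id AND user_id = :uid');
$stmt->execute([':id' => $commentId, ':uid' => $userId]);

if ($stmt->rowCount() === 0) {
    // Either the comment does not exist or it belongs to someone else.
    // Log it so repeated attempts are visible; tell the client nothing more.
    error_log(sprintf('comment delete refused: user=%d comment=%d', $userId, $commentId));
    http_response_code(403);
    exit(json_encode(['ok' => false]));
}

echo json_encode(['ok' => true]);
```

Because the ownership condition lives in the DELETE statement, there is no window between a separate SELECT check and the delete, and the response does not reveal whether a foreign comment id exists.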
