I am working with PHP and MySQL, and I have a very simple form for entering requests. Everything works fine, but while doing some validation I noticed a detail that I haven't been able to solve. If I copy the address of my page delete_internship.php into the URL and give it parameters such as ?id=1, it immediately deletes the record, even if the user's profile does not have access to delete records. To delete I just update the status of the request from 1 to 0. Only users with ROL 1 and 2 can delete records; users with ROL 3 and 4 don't have access. I need to prevent it from being deleted via URL. My PHP code is as follows:
/*-------------- FUNCTION TO UPDATE THE REQUEST STATUS ---------------------------*/
function delete_by_id($id)
{
global $db;
// The original checked an undefined $table; the table this function touches is 'pasantia'
if(tableExists('pasantia'))
{
// Soft delete: the row stays, only its status changes from 1 to 0
// (trailing space so that WHERE is not glued to the string literal)
$sql = "UPDATE pasantia SET estatus = '0' ";
$sql .= "WHERE id=". $db->escape($id);
$db->query($sql);
return ($db->affected_rows() === 1);
}
return false;
}
/*-------------- BUTTON IN MY LIST TO DELETE THE RECORD ---------------------------*/
<div class="btn-group">
<a href="editar_pasantia.php?id=<?php echo (int)$data['id'];?>" class="btn btn-info btn-xs" title="Editar" data-toggle="tooltip">
<span class="glyphicon glyphicon-edit"></span>
</a>
<a href="eliminar_pasantia.php?id=<?php echo (int)$data['id'];?>" class="btn btn-danger btn-xs" title="Eliminar" data-toggle="tooltip">
<span class="glyphicon glyphicon-trash"></span>
</a>
</div>
/*-------------- PAGE ELIMINAR_PASANTIA.PHP ---------------------------*/
<?php
// Role check: this only sends a redirect header. header() does not stop the script,
// so everything below still runs for roles 3 and 4
if($_SESSION['rol'] == 3 or $_SESSION['rol'] == 4)
{
header("location: admin.php");
}
?>
<?php
// Look up the request using the id taken straight from the URL
$pasantia = find_by_id('pasantia',(int)$_GET['id']);
if(!$pasantia)
{
// $session->msg("d","ID vacío");
redirect('admin.php');
}
?>
<?php
// Perform the soft delete and report the result
$delete_id = delete_by_id((int)$pasantia['id']);
if($delete_id)
{
$session->msg("s","Solicitud Pasantia eliminada");
redirect('pasantia.php');
}
else
{
$session->msg("d","Eliminación falló");
redirect('pasantia.php');
}
?>
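A hardened version of eliminar_pasantia.php, added here as an example and not part of the question or its answer. It reuses the question's own helpers (find_by_id, delete_by_id, redirect, $session->msg) and assumes redirect() ends the script; the POST-only requirement and the session token named csrf are assumptions of this example.

```php
<?php
// Added example, not from the original question. Assumes the question's helpers:
// find_by_id(), delete_by_id(), $session->msg(), redirect() (assumed to call exit).
session_start();

// 1. Authorisation: deny by default and STOP the script. header() alone only sends
//    a redirect; without exit the rest of the file still runs, which is why roles 3/4
//    could delete a record just by typing ?id=1 in the URL.
$can_delete = isset($_SESSION['rol']) && in_array((int)$_SESSION['rol'], [1, 2], true);
if (!$can_delete) {
    header('Location: admin.php');
    exit;
}

// 2. A state-changing action should not be reachable through a plain GET link.
//    Require POST plus a per-session CSRF token (the token name 'csrf' is assumed).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Use the delete button, not a direct link');
}
if (empty($_POST['csrf']) || empty($_SESSION['csrf'])
    || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
    http_response_code(403);
    exit('Invalid request token');
}

// 3. Validate the id as a positive integer before touching the database.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false || $id < 1) {
    $session->msg('d', 'ID inválido');
    redirect('admin.php');
}

$pasantia = find_by_id('pasantia', $id);
if (!$pasantia) {
    $session->msg('d', 'ID vacío');
    redirect('admin.php');
}

// 4. Only now perform the soft delete (estatus 1 -> 0) and report the outcome.
if (delete_by_id((int)$pasantia['id'])) {
    $session->msg('s', 'Solicitud Pasantia eliminada');
} else {
    $session->msg('d', 'Eliminación falló');
}
redirect('pasantia.php');
```

The trash button in the list then becomes a small POST form carrying the id and the token stored in $_SESSION['csrf'] (generated once per session, e.g. with bin2hex(random_bytes(32))), instead of an href link.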
you can do it like this:
now to remove: