Hi,

In my website, Blog is a small portion. I have managed to make and insert the blog. In manage blog area I am giving a user this a authority to manage their written blogs. At this point I am getting a problem. When I am logged as 'A' (A represents as a login name) and write a blog and then signout, and login as 'B'. The blog recently written by 'A' is shown in 'Bs' Manage Profile portion. This means that there is no security what so ever. B can see and Delete A's blog.

I have an idea to play with two different tables and bring login as a foreign key in the blog table and then put it against the session variable in order to see if the blog was written by the same user.

I am new at PHP & MYSQL , I would appreciate any suggestions, any reading material and any help on this.

Regards,

Bilal A. Khan

when you click on logout, you must call some file say logout.php in which you must destroy session like

<?php
        session_start();

	session_unset('userid');
	session_unset('username');
			
	session_destroy();

	header("Location: login.php");
?>

when you click on logout, you must call some file say logout.php in which you must destroy session like

<?php
        session_start();

	session_unset('userid');
	session_unset('username');
			
	session_destroy();

	header("Location: login.php");
?>

Correct.. I agree. My Code is given Below:

$logoutAction = $_SERVER['PHP_SELF']."?doLogout=true";
if ((isset($_SERVER['QUERY_STRING'])) && ($_SERVER['QUERY_STRING'] != "")){
  $logoutAction .="&". htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_GET['doLogout'])) &&($_GET['doLogout']=="true")){
  //to fully log out a visitor we need to clear the session varialbles
  $_SESSION['MM_Username'] = NULL;
  $_SESSION['MM_UserGroup'] = NULL;
  $_SESSION['PrevUrl'] = NULL;
  unset($_SESSION['MM_Username']);
  unset($_SESSION['MM_UserGroup']);
  unset($_SESSION['PrevUrl']);
	
  $logoutGoTo = "index.php";
  if ($logoutGoTo) {
    header("Location: $logoutGoTo");
    exit;
  }
}

Now it is doing the same thing. But the question is that if I login as a different user how does my website prevent blogs that 'A' user has written from 'B' user?/ or the user has written. Right now it is showing me all the blogs.

Regards,

Bilal A. Khan

SELECT * FROM blogs WHERE username='".$_SESSION['MM_Username']."'

Use this code to only select the blogs written by the logged in user