User control using MySQL query in PHP
Posted on 2010-11-19
I have 200 products, each user only has control of certain products that they can edit. I have 3 tables in my database.
I have a table for "users" that has the user_id (auto incrementing number), username, password and email.
Next table is "users_products" that has their up_user_id number and then up_product_id number.
Then I have products which has product_id, name, price.
I store their user id in a session.
Through the URL is how I pass my variables to each page. So for instance http://domain.com/edit_product.php?id=7
I want to make it so on edit_product.php that they can only edit product_ids that are listed with their user_id in "users_products". Or else they can simply manipulate the URL and change the id to some product that they aren't allowed to edit.
This is the query I use on the "view_products.php" page so they only see their products:
SELECT product_id, name, price FROM users_products, products WHERE product_id=up_product_id AND up_user_id='20' GROUP BY product_id
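Added example, not part of the original post: one way to enforce the ownership check described above on edit_product.php, using the table and column names from the post. The helper names, sample rows and the in-memory SQLite database (used so the script runs offline) are assumptions; with MySQL only the PDO DSN changes.

```php
<?php
// Constructed schema and data mirroring the tables described in the post.
// SQLite in-memory is an assumption for offline running; the queries are plain SQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (product_id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$pdo->exec('CREATE TABLE users_products (up_user_id INTEGER, up_product_id INTEGER)');
$pdo->exec("INSERT INTO products VALUES (7, 'Widget', 9.99), (8, 'Gadget', 19.99)");
$pdo->exec('INSERT INTO users_products VALUES (20, 7)'); // user 20 is linked to product 7 only

// Hypothetical helper: returns the product row only if $userId is linked to it.
function fetch_editable_product(PDO $pdo, int $userId, $rawId): ?array
{
    // Reject anything that is not a positive integer before touching the database.
    $productId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($productId === false) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT p.product_id, p.name, p.price
           FROM products p
           JOIN users_products up ON up.up_product_id = p.product_id
          WHERE p.product_id = :pid AND up.up_user_id = :uid'
    );
    $stmt->execute([':pid' => $productId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical helper: the UPDATE repeats the ownership condition, so a request
// that bypasses the edit form still cannot change a product the user is not linked to.
function update_product_price(PDO $pdo, int $userId, int $productId, float $price): bool
{
    $stmt = $pdo->prepare(
        'UPDATE products SET price = :price
          WHERE product_id = :pid
            AND EXISTS (SELECT 1 FROM users_products
                         WHERE up_user_id = :uid AND up_product_id = :pid2)'
    );
    $stmt->execute([':price' => $price, ':pid' => $productId, ':uid' => $userId, ':pid2' => $productId]);
    return $stmt->rowCount() === 1;
}

$sessionUserId = 20; // stands in for the user id stored in the session
var_dump(fetch_editable_product($pdo, $sessionUserId, '7') !== null); // product linked to the user
var_dump(fetch_editable_product($pdo, $sessionUserId, '8') !== null); // id changed in the URL
var_dump(update_product_price($pdo, $sessionUserId, 8, 0.01));        // update on an unlinked product
```

With the MySQL PDO driver, rowCount() by default reports 0 when the new value equals the old one, so a false return from the update helper means "no row changed" rather than strictly "not authorized".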