Basically I have a site where people can post topics or discussions, I have added a edit_post feature which is working fine, but in testing I realized by changing the URL people could edit other peoples posts, I have tried to implement a check so that only the person who made the post can edit it, but not having luck, I'm not getting any errors, but it's now not letting other users edit, but it's not letting the topic creator edit either.
if ( isset($_GET['edit'])) {
$id = $_GET['edit'];
$res = mysql_query("SELECT users.user_id, users.username, users.profile, topics.topic_id, topics.category, topics.sub_category, topics.subsub_category, topics.topic_data,
topics.posted_by, topics.posted, topics.view, topics.invisipost
FROM `topics`
JOIN `users` on topics.posted_by = users.user_id WHERE topic_id='$id'");
$rows = mysql_fetch_array($res);
}
if ( isset($_POST['topic_data'])) {
$topic_data = $_POST['topic_data'];
$id = $_POST['id'];
$sql = "UPDATE topics SET topic_data='$topic_data' WHERE topic_id='$id' AND '".$_SESSION['user_id']."'='$posted_by'";
$res = mysql_query($sql) or die("Could not update".mysql_error());
header("Location: view_topic.php?topic_id=$id");
}
