ok if some one adds a friends it sends it to friend_requests table where it awaits for the request to be accepted...

from this users can accept the friends request by this page

Code:

<?php $id = $_SESSION['user_id'];
$get_username_value = get_username($id);
switch ($_GET[friends]) { //allows multiple pages
default:
$query = "SELECT * FROM friend_requests WHERE `by_user` = '$get_username_value' LIMIT 1";
if ($result = mysql_query($query)){
if (mysql_num_rows($result)) {
$array = mysql_fetch_assoc($result);
$puser = $array['username'];
$puser2 = $array['by_user'];
}}
?>
<?php echo ( "Friend Requests
$puser wants to be friends with you.
<a href='newfriends.php?friends=accept&user=$puser'>Accept</a><br/>
<a href='newfriends.php?friends=delete&user=$puser'>Delete</a>" ); //displays requests and shows accept delete links

break;

case 'accept': //accept page
if ($_GET[user]) { //get username
$get_username_value = get_username($id);
$add = mysql_query( "INSERT INTO `friends` (`friendname` , `username`) VALUES ('$_GET[user]' , '$get_username_value') "); // add to your friends list
$delete = mysql_query( "DELETE FROM `friend_requests` WHERE `by_user` = '$get_username_value' "); // deletes friend request
echo ( "$_GET[user] has been added as a friend and the request has been deleted" ); // echos the completion
}
break; //ends accept page

case 'delete': // delete page
if ($_GET[user]) { //gets username
$delete = mysql_query( "DELETE FROM `friend_requests` WHERE `by_user` = '$get_username_value'"); // deletes friend request
echo ( "$get_username_value's request has been deleted" ); // echos completion
}
break; //ends delete page
} // ends switch
?>



this bit of code is fine i suppose
Code:

<a href='newfriends.php?friends=accept&user=$puser'>Accept</a><br/>
<a href='newfriends.php?friends=delete&user=$puser'>Delete</a>" ); //displays requests and shows accept delete links

as the user needs to be shown in the link for it to be deleted..


but its this part of the code that i need changing some how
Code:

case 'delete': // delete page
if ($_GET[user]) { //gets username
$delete = mysql_query( "DELETE FROM `friend_requests` WHERE `by_user` = '$get_username_value'"); // deletes friend request
echo ( "$get_username_value's request has been deleted" ); // echos completion
}
break; //ends delete page
} // ends switch


because as the url is friends=accept&user=user it means all i have to do is change this url to anouther username to add any user i want! because the input to the db works both way if 1 is with 2 it inserts 2 with 1...

any ideas?

I'm assuming you mean this is the code that needs changing (based on your description of the problem)


case 'accept': //accept page
if ($_GET[user]) { //get username
$get_username_value = get_username($id);
$add = mysql_query( "INSERT INTO `friends` (`friendname` , `username`) VALUES ('$_GET[user]' , '$get_username_value') "); // add to your friends list
$delete = mysql_query( "DELETE FROM `friend_requests` WHERE `by_user` = '$get_username_value' "); // deletes friend request
echo ( "$_GET[user] has been added as a friend and the request has been deleted" ); // echos the completion
}


The solution is simple - you need to verify that a request exists before adding the friend. Also your delete statement deletes ALL requests from that person (not just the one to the current user) you should probable change that.

I would delete the request where user_by = $_GET[user] and user_to = $current_user and then use mysql_affected_rows() ==1 to check that there was a record to delete then do the insert