jatar_k

msg:4383804 | 1:17 pm on Nov 5, 2011 (gmt 0) |
you would need to pull it from the GET and put it into the form:

<form action="<?=htmlentities($_SERVER['PHP_SELF']);?>" method="PO">
<input type="hidden" name="id" value="<?php echo $_GET['id']; ?>">
<input type="submit" name="Yes" value="yes" />
<input type="submit" name="No" value="no" />
</form>

then you should be able to get at it in the next step
Gilead

msg:4384406 | 3:26 pm on Nov 7, 2011 (gmt 0) |
I must have been too tired to see it. Thanks! Although, after making the change, it's still getting hung up in an infinite loop. Click on yes and nothing happens; click on no and nothing happens. Checked the variables via GET and all seemed well:

address?id=0juD467jBbcbss3&Yes=yes

I'll post the rest of it.

if (isset($_GET['yes'])) {
    $result("DELETE FROM $table_name WHERE id= '".$_GET[id]."'" ) or die(mysql_error());
    echo 'Member Deleted';
    header( 'Location: backtoviewpage.php');
    // want it to wait a few seconds here, just enough to read the message.
} else if (isset($_GET['no'])) {
    header('Location: viewpage.php');
}

Thanks for the help!
Gilead

msg:4384412 | 3:53 pm on Nov 7, 2011 (gmt 0) |
Update: I took out everything else and just used the delete command:

$result=("DELETE FROM $table_name WHERE contactid= '".$_GET[id]."'" ) or die(mysql_error());

Even changed the id to a variable. The entry will not delete! What am I doing wrong?
Gilead

msg:4384425 | 4:33 pm on Nov 7, 2011 (gmt 0) |
I even tried hardcoding the contactid directly and it STILL would not delete. Any thoughts? Anything?
rocknbil

msg:4384438 | 5:00 pm on Nov 7, 2011 (gmt 0) |
Try this. First, there is no method "PO":

method="PO">

So it's just defaulting to the GET method for the form, which is alright I guess. Be mindful if you fix it

method="post">

you'll now need to look for $_POST variables instead of $_GET. The difference is: GET changes the address bar URL, POST does not; GET has a limited size of input, POST has a much larger size. In the context of this small task, either is OK.

Second, unquoted array keys may be interpreted as constants, so in effect it may be doing

delete from table where id=''

So start with

$_GET['id']; // note the quotes

Third, if your id field is numeric (int, etc., as it should be), the above query with the quotes will still run. It just won't do anything. Remove the quotes from numeric fields.

$query = "delete from table where id=" . $_GET['id'];

If $_GET['id'] is empty or not a number, your script will now error - which is what you really want, to alert you of the problem with input.

If you're still having trouble with it, do a lookup first (and these changes relate to the last comment below:)

$id = (isset($_GET['id']) and is_numeric($_GET['id']) and ($_GET['id'] > 0)) ? $_GET['id'] : 0;
if ($id > 0) {
    $query = "select id from table where id=$id";
    $result = mysql_query($query) or die("Cannot check for existing ID " . mysql_error());
    if ($row = mysql_fetch_array($result)) {
        $query = "delete from table where id=$id";
        mysql_query($query) or die("Cannot delete record with id $id ID " . mysql_error());
        // Your redirect code here
    } else {
        echo "<p>There is no valid record with that id.</p>";
        exit;
    }
} else {
    echo "<p>Hmm. No valid id posted to script.</p>";
    exit;
}

If you're still having troubles, maybe your connected mysql user doesn't have delete privileges on the database. Last, you should really look at cleansing your input and avoid using PHP_SELF (Google PHP_SELF vulnerabilities.) The approaches here are highly insecure.
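An added example (not code from this thread): the same confirm-then-delete flow written with a POST form and a prepared statement, which removes the quoting question and the injection risk rocknbil's last paragraph points at. It assumes config.php defines a PDO connection in $pdo, a table users keyed by the alphanumeric column contactid, a handler file named delete.php, a 32-character maximum for the id, and PHP 7 or later (the mysql_* functions used in the thread no longer exist there).

```php
<?php
// Added example, not code from the thread. Assumes config.php defines a PDO
// connection in $pdo, and a table "users" keyed by alphanumeric "contactid".
include 'config.php';

// 1) Confirmation step: take the id from the query string but re-submit it
//    by POST, and escape it before echoing so a crafted id cannot inject HTML.
if (!isset($_POST['Yes']) && !isset($_POST['No'])) {
    $id = trim($_GET['id'] ?? '');
    if ($id === '') {
        exit('No id supplied.');
    }
    $safeId = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    // A fixed action path instead of PHP_SELF, which reflects the request URI.
    echo '<form action="delete.php" method="post">'
       . '<input type="hidden" name="id" value="' . $safeId . '">'
       . '<input type="submit" name="Yes" value="yes"> '
       . '<input type="submit" name="No" value="no">'
       . '</form>';
    exit;
}

// 2) Handler step: the form is POST now, so read $_POST, not $_GET.
if (isset($_POST['No'])) {
    header('Location: viewpage.php');
    exit;
}
$id = trim($_POST['id'] ?? '');
// The key is mixed-case alphanumeric (length limit assumed), so reject anything else.
if (!preg_match('/^[A-Za-z0-9]{1,32}$/', $id)) {
    exit('Invalid id.');
}

// Prepared statement: the driver handles quoting, so the string-vs-number
// quoting problem and SQL injection both disappear.
$stmt = $pdo->prepare('DELETE FROM users WHERE contactid = :id');
$stmt->execute([':id' => $id]);

// rowCount() reports whether a row was actually removed, replacing the
// separate SELECT-then-DELETE check.
if ($stmt->rowCount() === 1) {
    echo '<p>Member deleted.</p>';
} else {
    echo '<p>There is no valid record with that id.</p>';
}
```

The form and the handler share one file only to keep the example short; trimming the id on both the insert and the delete side matches rocknbil's later whitespace advice.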
Gilead

msg:4384476 | 6:33 pm on Nov 7, 2011 (gmt 0) |
Yes, I found the PO; unfortunately, that wasn't the problem. You may be onto something about not having the privileges. I've emailed support to find out. Works fine under phpmyadmin. In this case the id is not numeric, but the member's id number; the data is alphanumeric and has both upper and lowercase as well. I chose that for the primary key since each is unique, unlike their account number which can be the same within the same company. Just looked at the mysql user, all privileges are set. I'll give the check a try. Once working, I'll sanitize the input. Thanks! Will keep you up to date.
Gilead

msg:4384477 | 6:43 pm on Nov 7, 2011 (gmt 0) |
With so many examples out there, it's hard, when you are first learning, to know where and what type of quotes go where.
jatar_k

msg:4384489 | 6:49 pm on Nov 7, 2011 (gmt 0) |
Sorry, I did mean to mention the 'PO' originally. You say it works fine from phpmyadmin; if you are using the same user in your script then it shouldn't be a permissions issue. Did you try the line rocknbil posted here?

or die("Cannot delete record with id $id ID " . mysql_error());

That should spit out a more detailed error, and if you don't have permission it will tell you that in the error.
Gilead

msg:4384514 | 7:45 pm on Nov 7, 2011 (gmt 0) |
Kicked out an error--

$query = "SELECT contactid from $table_name where id=$id";
$result = mysql_query($query) or die("Cannot check for existing ID " . mysql_error());

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

Has something to do with mysql_query, I think. Does that relate to an older version and has been deprecated?
jatar_k

msg:4384527 | 8:13 pm on Nov 7, 2011 (gmt 0) |
It means there is a syntax error. You could also spit out $query and look at it and see if it is properly constructed; maybe one of the vars is not resolving properly. Also, is the id column an integer (I think you said it was alpha)? If not, then it needs single quotes around the value:

$query = "SELECT contactid from $table_name where id='$id'";
Gilead

msg:4384916 | 3:36 pm on Nov 8, 2011 (gmt 0) |
Update: thought it was going to work for sure, but it skipped to the final else saying the id doesn't exist. I just entered a new member and confirmed it on the view page. It must be some silly little thing, but I can't seem to find it. Here is the whole code:

include('config.php');
$table_name="users";
$id=$_POST['id']; // is showing up in the address bar
$query = "SELECT * FROM $table_name WHERE contactid='$id'";
$result = mysql_query($query) or die("Cannot check for existing ID " . mysql_error());
if ($row = mysql_fetch_array($result)) {
    $query = "DELETE from $table_name WHERE contactid='$id'";
    mysql_query($query) or die("Cannot delete record with id $id ID " . mysql_error());
    echo 'member deleted';
} else {
    echo "<p>There is no valid record with that id.</p>";
    exit;
}

It almost seems as if the post variable gets lost. How do I get it back?
rocknbil

msg:4384935 | 4:33 pm on Nov 8, 2011 (gmt 0) |
$id=$_POST['id']; // is showing up in the address bar

Then . . . your form is still submitting as GET. Post variables won't show up in the address bar. Add these two at the end:

echo "<p>POST</p>"; var_dump($_POST);
echo "<p>GET</p>"; var_dump($_GET);

That should tell you what's actually being submitted.

the data is alphanumeric and has both upper and lowercase as well

OK, well make sure it's got an index on the column. :-) You might make sure the user id is stripped of beginning/ending whitespaces before insertion.
Gilead

msg:4384943 | 4:44 pm on Nov 8, 2011 (gmt 0) |
PHEW! Thanks! It's working now.