PHP Server Side Scripting Forum
Delete Duldrums
Gilead
msg:4383646
8:09 pm on Nov 4, 2011 (gmt 0)

I have a table set up so you can view all the people in the database with a link to either edit or delete.

The link is generated on the viewmember page: <a href="editmember.php?id=' . mysql_result($result, $i, 'contactid') . '">Edit</a></td>';

I want to confirm an admin's action so they do not delete by mistake. When I tried an ...onclick="confirm"... inside that link, I kept getting an error. I suspect there are too many ' or " and it's getting confused.

So I went to confirm via a form on the actual delete page
delete page:
<form action="<?=htmlentities($_SERVER['PHP_SELF']);?>" method="PO">
<input type="submit" name="Yes" value="yes" />
<input type="submit" name="No" value="no" />
</form>
<?php
/*
DELETE.PHP
Deletes a specific entry from the members table
*/

// connect to the database
include('connect.php');
$table_name="users";

if (isset($_GET['yes']))
{
$result("DELETE FROM $table_name WHERE id= '".$_GET[id]."'" ) or die(mysql_error());
echo'Member Deleted';
header( 'Location: viewmembers.php');

}
else if (isset($_GET['no']))

{
header('Location: viewmembers.php');
}
?>
The address initially shows that the id is being carried over in a page.php?id=#*$!x, but when they click on yes or no to confirm, the id is lost. I changed from post to get and it proved that it was lost.

Am I even using the right approach? Is there a better way to ask for confirmation in this setting?
Thanks!

 

jatar_k
msg:4383804
1:17 pm on Nov 5, 2011 (gmt 0)

you would need to pull it from the GET and put it into the form

<form action="<?=htmlentities($_SERVER['PHP_SELF']);?>" method="PO">
<input type="hidden" name="id" value="<?php echo $_GET['id']; ?>">
<input type="submit" name="Yes" value="yes" />
<input type="submit" name="No" value="no" />
</form>

then you should be able to get at it in the next step

Gilead
msg:4384406
3:26 pm on Nov 7, 2011 (gmt 0)

I must have been too tired to see it. Thanks!
Although, after making the change, it's still getting hung up in an infinite loop. Click on yes and nothing happens; click on no and nothing happens.
Checked the variables via GET and all seemed well.
address?id=0juD467jBbcbss3&Yes=yes.

I'll post the rest of it.

if (isset($_GET['yes']))
{
$result("DELETE FROM $table_name WHERE id= '".$_GET[id]."'" ) or die(mysql_error());
echo'Member Deleted';
header( 'Location: backtoviewpage.php'); // want it to wait a few seconds here, just enough to read the message.

}
else if (isset($_GET['no']))

{
header('Location: viewpage.php');
}
Thanks for the help!

Gilead
msg:4384412
3:53 pm on Nov 7, 2011 (gmt 0)

Update:
I took out everything else and just used the delete command
$result=("DELETE FROM $table_name WHERE contactid= '".$_GET[id]."'" ) or die(mysql_error());
Even changed the id to a variable. The entry will not delete!
What am I doing wrong?

Gilead
msg:4384425
4:33 pm on Nov 7, 2011 (gmt 0)

I even tried hardcoding the contactid directly and it STILL would not delete. Any thoughts? Anything?

rocknbil
msg:4384438
5:00 pm on Nov 7, 2011 (gmt 0)

Try this. First, there is no method "PO"

method="PO">

So it's just defaulting to the GET method for the form which is alright I guess. Be mindful if you fix it

method="post">

you'll now need to look for $_POST variables instead of $_GET.



The difference is: GET changes the address bar URL, POST does not; GET has a limited size of input, POST has a much larger size. In the context of this small task, either is OK.

Second, unquoted array keys may be interpreted as constants so in effect it may be doing

delete from table where id=''

So start with

$_GET['id']; // note the quotes

Third, if your id field is numeric (int, etc., as it should be), the above query with the quotes will still run. It just won't do anything. Remove the quotes from numeric fields.

$query = "delete from table where id=" . $_GET['id'];

If $_GET['id'] is empty or not a number, your script will now error - which is what you really want, to alert you of the problem with input.

If you're still having trouble with it, do a lookup first (and these changes relate to the last comment below: )

$id = (isset($_GET['id']) and is_numeric($_GET['id']) and ($_GET['id'] > 0)) ? $_GET['id'] : 0;

if ($id > 0) {
$query = "select id from table where id=$id";
$result = mysql_query($query) or die("Cannot check for existing ID " . mysql_error());
if ($row = mysql_fetch_array($result)) {
$query = "delete from table where id=$id";
mysql_query($query) or die("Cannot delete record with id $id ID " . mysql_error());
// Your redirect code here
}
else { echo "<p>There is no valid record with that id.</p>"; exit; }
}
else { echo "<p>Hmm. No valid id posted to script.</p>"; exit; }


If you're still having troubles, maybe your connected mysql user doesn't have delete privileges on the database.

Last, you should really look at cleansing your input and avoid using PHP_SELF (Google PHP_SELF vulnerabilities.) The approaches here are highly insecure.
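The same confirm-then-delete flow written the way the last paragraph asks for, as an added example that is not from any post in this thread: a real POST form with no PHP_SELF, the id whitelisted and bound in a prepared statement, the hidden field escaped, and a one-time token so a crafted link cannot trigger the delete. It assumes connect.php provides a PDO connection in $pdo, a users table whose alphanumeric primary key is contactid (as Gilead describes), and viewmembers.php as the page to return to.

```php
<?php
// delete.php (added example): confirmation form plus delete handler in one script.
// Assumption: connect.php defines $pdo (PDO, ERRMODE_EXCEPTION); table/column names from the thread.
session_start();
include 'connect.php';

// contactid is alphanumeric with mixed case, so accept exactly that shape and nothing else.
function valid_contact_id(string $id): bool {
    return (bool) preg_match('/^[A-Za-z0-9]{1,32}$/', $id);
}

function delete_member(PDO $pdo, string $id): int {
    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $pdo->prepare('DELETE FROM users WHERE contactid = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();          // 0 rows means no such member, which is not an error
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The token proves this POST came from the form shown in this session.
    if (!hash_equals($_SESSION['csrf'] ?? '', $_POST['csrf'] ?? '')) {
        http_response_code(403);
        exit('Bad request');
    }
    unset($_SESSION['csrf']);          // single use
    $id = $_POST['id'] ?? '';
    if (isset($_POST['yes']) && valid_contact_id($id)) {
        $n = delete_member($pdo, $id);
        $_SESSION['flash'] = $n ? 'Member deleted' : 'No record with that id';
    }
    header('Location: viewmembers.php'); // yes or no both return to the list
    exit;                                // stop here; code after header() would still run otherwise
}

// GET: render the confirmation form; id arrives from the link on viewmembers.php.
$id = $_GET['id'] ?? '';
if (!valid_contact_id($id)) {
    http_response_code(400);
    exit('Invalid id');
}
$_SESSION['csrf'] = bin2hex(random_bytes(16));
$safe = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');   // escape before echoing into HTML
?>
<p>Delete member <?= $safe ?>?</p>
<form action="delete.php" method="post">
  <input type="hidden" name="csrf" value="<?= $_SESSION['csrf'] ?>">
  <input type="hidden" name="id" value="<?= $safe ?>">
  <input type="submit" name="yes" value="yes">
  <input type="submit" name="no" value="no">
</form>
```

The flash message in $_SESSION is what replaces the "wait a few seconds to read the message" idea: viewmembers.php prints and clears it on the next request, so the redirect can happen immediately.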

Gilead
msg:4384476
6:33 pm on Nov 7, 2011 (gmt 0)

yes, I found the PO, unfortunately, that wasn't the problem. You may be onto something about not having the privileges. I've emailed support to find out. Works fine under phpmyadmin

In this case the id is not numeric, but the member's id number; the data is alphanumeric and has both upper and lowercase as well. I chose that for the primary key since each is unique, unlike their account number which can be the same within the same company.

Just looked at the mysql user, all privileges are set.
I'll give the check a try. Once working, I'll sanitize the input. Thanks!
Will keep you up to date.

Gilead
msg:4384477
6:43 pm on Nov 7, 2011 (gmt 0)

With so many examples out there, it's hard, when you are first learning, to know where and what type of quotes go where.

jatar_k
msg:4384489
6:49 pm on Nov 7, 2011 (gmt 0)

sorry I did mean to mention the 'PO' originally

you say it works fine from phpmyadmin, if you are using the same user in your script then it shouldn't be a permissions issue.

did you try the line rocknbil posted here
or die("Cannot delete record with id $id ID " . mysql_error());


that should spit out a more detailed error and if you don't have permission it will tell you that in the error

Gilead
msg:4384514
7:45 pm on Nov 7, 2011 (gmt 0)

Kicked out an error--

$query = "SELECT contactid from $table_name where id=$id";
$result = mysql_query($query) or die("Cannot check for existing ID " . mysql_error());
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Has something to do with mysql_query, I think. Does that relate to an older version and has been deprecated?

jatar_k
msg:4384527
8:13 pm on Nov 7, 2011 (gmt 0)

it means there is a syntax error, you could also spit out $query and look at it and see if it is properly constructed. Maybe one of the vars is not resolving properly

also is the id column an integer (I think you said it was alpha)? if not then it needs single quotes around the value
$query = "SELECT contactid from $table_name where id='$id'";

Gilead
msg:4384916
3:36 pm on Nov 8, 2011 (gmt 0)

Update: thought it was going to work for sure, but it skipped to the final else saying the id doesn't exist. I just entered a new member and confirmed it on the view page. It must be some silly little thing, but I can't seem to find it. Here is the whole code:

include('config.php');
$table_name="users";
$id=$_POST['id']; // is showing up in the address bar


$query = "SELECT * FROM $table_name WHERE contactid='$id'";
$result = mysql_query($query) or die("Cannot check for existing ID " . mysql_error());

if ($row = mysql_fetch_array($result)) {
$query = "DELETE from $table_name WHERE contactid='$id'";
mysql_query($query) or die("Cannot delete record with id $id ID " . mysql_error());
echo 'member deleted';
}
else { echo "<p>There is no valid record with that id.</p>"; exit; }

It almost seems as if the post variable gets lost. How do I get it back?

rocknbil
msg:4384935
4:33 pm on Nov 8, 2011 (gmt 0)

$id=$_POST['id']; // is showing up in the address bar

Then . . . your form is still submitting as GET. Post variables won't show up in the address bar.

add these two at the end.

echo "<p>POST</p>";
var_dump($_POST);
echo "<p>GET</p>";
var_dump($_GET);

that should tell you what's actually being submitted.

the data is alphanumeric and has both upper and lowercase as well


OK, well make sure it's got an index on the column. :-) You might make sure the user id is stripped of beginning/ending whitespaces before insertion.

Gilead
msg:4384943
4:44 pm on Nov 8, 2011 (gmt 0)

PHEW! Thanks! It's working now.
