checkbox delete items - PHP Server Side Scripting forum at WebmasterWorld - WebmasterWorld

Forum Moderators: coopster

Message Too Old, No Replies

checkbox delete items

kristof_v

2:47 pm on Nov 22, 2006 (gmt 0)

10+ Year Member

hi i have a list of reports.
users are able tick off a checkbox behind every report.

if they have selected multiple checkboxes and click on the 'delete selected' button the script deleted the ticked off reports.

this is already worjing brillinatly BUT i do with partly with JavaScript.
here's the code:

echo '<td><input type="checkbox" name="delete" onClick="deleteReport('. $row['id'] .')" /></td>';

so when they click on a checkbox the javascript function deleteReport(id) is called.

function deleteReport(id) {
window.location = "index.php?page=reports/mark_delete_report&id=" + id;
}

this script passes the id of the report to the mark_delete_report.php page and that page is updatign the reports table, marking the report with this id to be deleted.

the problem is that everyone can see this javascript function and can see how it works. so it's easy to paste the url end pass an id of a report to delete it.
so i would like to accomplish the same goal with only php.
is it possible? and how?

grtz

whoisgregg

3:51 pm on Nov 22, 2006 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

If the "delete a report" script checks the visitor's identity to confirm that they have the appropriate privileges to delete that particular report, then it doesn't matter if the URL is visible/public.

That script should check the session/cookies/whatever to ensure that the user is logged in and allowed to modify that report. Plus, to cover myself, I never allow an actual DELETE, I always build in "deleted" columns into every table definition and just toggle that value (you can also add a deleted timestamp and IP of the deleter columns). Then if there ever is an exploit of a public facing script, the worst that can happen is you have to undelete all the rows deleted by that user.

justgowithit

4:27 pm on Nov 22, 2006 (gmt 0)

10+ Year Member

I never allow an actual DELETE, I always build in "deleted" columns into every table definition and just toggle that value

Hmm... That's interesting. I would think about giving that approach a try but I would imagine that I'd end up with a pretty bloated DB after a while. Of course it wouldn't be hard to work in some kind of admin function where I could purge the rows flagged as deleted after a certain period of time?

Do you have anything like this in place?

whoisgregg

4:34 pm on Nov 22, 2006 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Yeah, I run cron jobs that clean up the "deleted" rows... sometimes they are deleted after a few days, sometimes after a month or more depending on what the db is for.

I'd rather have some extra rows than to lose them all because of a coding error. :)

justgowithit

4:40 pm on Nov 22, 2006 (gmt 0)

10+ Year Member

I'd rather have some extra rows than to lose them all because of a coding error.

No doubt! I think I'll give this approach a go. I suppose you also limit DB user permission to restrict DELETE to all but admin user too?

whoisgregg

6:27 pm on Nov 22, 2006 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Most of the time, I don't always remember to restrict that. :)

mcibor

9:08 pm on Nov 22, 2006 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Also moving the deleted data to corelated, but another table is one of the solutions - as the table is 3 files it doesn't influence the main table.

Also undeleting is quite easy, because id is stored as well.

Michal

kristof_v

8:17 am on Nov 23, 2006 (gmt 0)

10+ Year Member

that 's a very interesting approach indeed!

thx for the tips guys