Delete from sql functions

Question

matanc244 0 Newbie Poster

12 Years Ago

Hi this is my delete.php

<?php
 $con = mysql_connect("localhost","matanc_cmd","123123");
 if (!$con)
   {
   die('Could not connect: ' . mysql_error());
   }

mysql_select_db("matanc_cms", $con);

// check if the form was submitted

// get the ID (cast it to integer if it is supposed to be integer)
$id = (int) $_GET['id'];

mysql_query("DELETE FROM content WHERE id='$id'");



mysql_close($con);



 ?>

I want to make this to function so thet when i want to delete,
a page from sql i won't have to go to another page.
i try to made something but isn't working

the function:

function deletePage()
{

$id = (int) $_GET['id'];

mysql_query("DELETE FROM content WHERE id='$id'");



mysql_close($con);

}

The link to delete:

<A HREF=" ".deletePage()."= <? echo $rows['id']; ?>">Delete</A>

php

4 Contributors
3 Replies
93 Views
1 Hour Discussion Span
Latest Post 12 Years Ago Latest Post by Biiim

diafol

12 Years Ago

<A HREF=" ".deletePage()."= <? echo $rows['id']; ?>">Delete</A>

This may be your problem. All you need to do is:

<?php 
    $conf = md5("Sc00byD00" . $rows['id'] . "4n0th3r54lt"); //salted hash
?>
<a href="path/delete.php?id=<?php echo $rows['id'];?>&conf=<?php echo $conf;?>">Delete</a>

Where path is the path to the delete.php page from the calling page.

function deletePage($id)
{
    $r = mysql_query("DELETE FROM content WHERE id=$id");
    if(mysql_affected_rows() == 1){
        return "Record deleted successfully.";
    }else{
        return "This record could not be deleted or it does not exist. Contact the site admin.";
    }
}



if(isset($_GET['id']) && is_int($_GET['id']) && isset($_GET['conf']) && $_GET['conf'] == md5("Sc00byD00" . $_GET['id'] . "4n0th3r54lt")){
    $id = $_GET['id'];
    $output = deletePage($id);
}else{
    $output = "This is not a valid record. Your IP address has been logged.";
    //you can add IP logging if you like
}

echo $output;

This contains a confirmation hash, which should avoid malicious users from being able to delete records from your DB just by typing an id/value into the url. ALso you should use sessions to ensure that only somebody with admin level rights may delete from the DB. Possibly you could set up a general user for the DB, so that when you log in, only admin users get MySQL DELETE, INSERT and UPDATE rights in certain tables. Anyway, I'm going off-track with this. Deleting safely is the key - strength in depth wrt defence is essential.

Biiim commented: good security advice +5

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

stbuchok · Answer 1 · 2012-07-04T17:28:47+00:00

mysql_query("DELETE FROM content WHERE id='$id'");

Not familiar with PHP, however my guess is the following:

mysql_query("DELETE FROM content WHERE id='" + $id + "'");

Biiim 182 Junior Poster · Answer 2 · 2012-07-04T17:35:23+00:00

<?php
$con = mysql_connect("localhost","matanc_cmd","123123");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("matanc_cms", $con);
// check if the form was submitted
// get the ID (cast it to integer if it is supposed to be integer)
$id = (int) $_GET['id'];
mysql_query("DELETE FROM content WHERE id='$id'");
mysql_close($con);
?>

Looks good

<?php
function deletePage($con,$id){//pass the id and db connection
    $id = (int) $id;
    if(mysql_query("DELETE FROM content WHERE id='$id'",$con)){
        $response = true;
    }else{
        $response = false;
    }
    //dont close db connection here
    return $response;//pass back if success or failure to calling script
}
?>

The problem is probably this:

The link to delete:
<A HREF=" ".deletePage()."= <? echo $rows['id']; ?>">Delete</A>

php is server side, a php function can't be called on click - that is client side.

A client side script would be javascript where you have to make an ajax call to a php page - which processes the delete and returns a response to say if it was successful or not.

Heres a copy of the code i use to do ajax(I've not got my head around using jquery yet)

<script type='text/javascript'>
function getXMLHTTPRequest() {
    var req =  false;
       try {
          /* for Firefox */
      req = new XMLHttpRequest(); 
   } catch (err) {
      try {
         /* for some versions of IE */
         req = new ActiveXObject("Msxml2.XMLHTTP");
      } catch (err) {
         try {
            /* for some other versions of IE */
            req = new ActiveXObject("Microsoft.XMLHTTP");
             } catch (err) {
                req = false;
             }
         }
       }

       return req;
}
function deletePage(obj,id){
    //obj is the 'a' tag, i usually change its background to red then green on success, eg
    obj.style.backgroundColor = '#ffcccc';
    //delete this alert just to check the id is passing into the function ok
    alert('Delete triggered for id:'+id);
    obj.updReq = getXMLHTTPRequest();
    var vars = 'id='+id;
    var url = 'delete.php';
    obj.updReq.open('POST', url, true);
    obj.updReq.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    obj.updReq.onreadystatechange = function() {//Call a function when the state changes.
        if(obj.updReq.readyState == 4 && obj.updReq.status == 200) {
                alert(obj.updReq.responseText);
                //shows response from php page
                //can turn this into if(obj.updReq.responseText == 'Y'){//do something }else ... etc for more interactivity
                if(obj.updReq.responseText == 'Y'){
                    obj.style.backgroundColor = '#ccffcc';
                }else{
                    alert(obj.updReq.responseText);
                }
        }
    }
    obj.updReq.send(vars);
}
</script>

put that script as html code on the page then update the hyperlink to this:

<a href='javascript:' onclick=\"deletePage(this,'{$rows['id']}');\">Delete</a>