Delete (row in mysql) command not working

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


insight
Forum Commoner
Posts: 52
Joined: Tue Jul 07, 2009 9:12 am

Delete (row in mysql) command not working

Post by insight »

So I had been looking around on the internet for a good delete script (which I found) which will delete rows from a database table with a JavaScript confirmation first. Well, I technically got it to work, but it doesn't work, and I was wondering if anybody could help me out.

header.php

Code:

<?php
 
$insight_name = "Insight";
$insight_slogan = "Racing";
$theme = "insight";
 
// Everything echoed here is output: once this file has been included, any
// later header() call fails with "headers already sent".
echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n"
.   "<html xmlns=\"http://www.w3.org/1999/xhtml\">\n"
.   "<head>\n"
.   "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n"
.   "<link href=\"index.css\" rel=\"stylesheet\" type=\"text/css\" />\n"
.   "<title>" . $insight_name . " :: " . $insight_slogan . "</title>\n"
.   "<script language=\"javascript\" type=\"text/javascript\" src=\"../js/collapsibletable.js\"></script>\n"
.   "<script language=\"javascript\" type=\"text/javascript\" src=\"../js/delnews.js\"></script>\n"
.   "<link id=\"text-css\" href=\"themes/" . $theme . "/style.css\" rel=\"stylesheet\" rev=\"stylesheet\" type=\"text/css\" media=\"screen\" />\n"
.   "</head>\n\n"
.   "<body onload=\"init()\">\n\n"
.   "<a name=\"top\"></a>\n\n";
?>
index.php

Code:

<?php
 
include("includes/constants.php");
 
$sql=mysql_connect(DB_SERVER, DB_USER, DB_PASS) or die ("I cannot connect to the database because: " . mysql_error());
mysql_select_db(DB_NAME, $sql) or die ("I cannot select the database '" . DB_NAME . "' because: " . mysql_error());
 
$news = mysql_query("SELECT * FROM insight_news ORDER BY nid DESC") or die ('Error : ' . mysql_error()); 
 
while($fetchnews = mysql_fetch_array($news)) {
    
$id = $fetchnews['nid'];
$title = $fetchnews['title'];
$author = $fetchnews['author'];
$authorid = $fetchnews['author_id'];
$text = $fetchnews['text'];
$month = $fetchnews['month'];
$day = $fetchnews['day'];
$year = $fetchnews['year'];
$bbcodeoff = $fetchnews['bbcodeoff'];
$smileyoff = $fetchnews['smileyoff'];
 
    echo "<div style=\"padding-bottom:15px\">\n"
    .   "<table cellspacing=\"0\" width=\"100%\">\n";
    
    include("themes/insight/colors.php");
    
    echo "<thead><tr bgcolor=\"" . $bgcolor1 . "\"><td class=\"tnews\"><span style=\"float:right\">";
 
 
// This block runs inside the loop, after header.php and the rows above have
// already been echoed, so the header() call below cannot send a redirect.
if(isset($_GET['delnews']))
{
   // $_GET['delnews'] is put into the query without any validation.
   $query = mysql_query("DELETE FROM insight_news WHERE nid = '{$_GET['delnews']}'")or die('Error : ' . mysql_error());  
 
   header('Location: ' . $_SERVER['HTTP_REFERER']);
   exit;
}
 
    // "$fetchnews->$id" interpolates the array as the word "Array", then the
    // literal "->", then $id, which is where "Array->14" in the URL comes from.
    echo "<a href=\"javascript:delnews('$fetchnews->$id','$fetchnews->$title')\"><img border=\"0\"  src=\"themes/insight/images/delete.png\" alt=\"Delete\" /> </a>";
    
    // $date and $time are never assigned anywhere in this file.
    echo "<a href=\"#top\" onclick=\"toggleItem('" . $title . "_" . $id . "')\"><img border=\"0\" src=\"themes/insight/images/collapseobj.png\" alt=\"toggle\" /></a></span><img src=\"themes/insight/images/ticon.png\" alt=\"table icon\" /> " . $title . "</td></tr></thead>\n"
    .   "<tbody id=\"" . $title . "_" . $id . "\">\n"
    .   "<tr bgcolor=\"" . $bgcolor2 . "\"><td class=\"thead\">" . $date . " - " . $time . " - by " . $author . "</td></tr>\n"
    .   "<tr bgcolor=\"" . $bgcolor3 . "\" style=\"color:#FFF\"><td><table width=\"100%\"><tr bgcolor=\"" . $bgcolor4 . "\" style=\"color:#000\"><td>\n"
    .   "<div id=\"ttext\" style=\"padding-top:5px; padding-bottom:5px; padding-left:5px; padding-right:5px; width:100%\">" . $text . "</div>\n"
    .   "</td></tr></table><span style=\"color:#CCC\">...[Read More]</span></td></tr>\n";
    
    echo "<tr bgcolor=" . $bgcolor1 . "><td class=\"tfooter\">Hello</td></tr></tbody></table>\n"
    .   "</div>\n";
}
 
?>
delnews.js

Code:

function delnews(nid, title)
{
   if (confirm("Are you sure you want to delete '" + title + "'"))
   {
      window.location.href = 'index.php?delnews=' + nid;
   }
}
Mind you, the coding is a work in progress and there's a lot that needs to be done to fix it up. But anyway, I was trying to get the delete script to delete a table in the page (the table will be deleted when its ID is removed from the database). The JavaScript confirmation works and it successfully gets the ID and table name to be deleted. When I press OK it loads the page as index.php?delnews=Array->14 (14 being the table's ID number) and I get an error.

Code:

 
Warning: Cannot modify header information - headers already sent by (output started at /home/insight/public_html/includes/header.php:18) in /home/insight/public_html/modules/news/index.php on line 36
 
So I figure OK, I'll delete that line. I reload the index.php page (noticing that the table hadn't even been deleted). Go into Dreamweaver and delete the content on line 36, which was:

Code:

header('Location: ' . $_SERVER['HTTP_REFERER']);
And try again. I click on the delete button, I get the confirmation, I click OK and it reloads the page as index.php?delnews=Array->14 as per normal. Only problem is that absolutely nothing (except the header) is showing in the webpage. I reload the index.php page and once again notice the table hadn't been removed.

So can somebody please tell me what I've done wrong? How do I get it to reload the page once I've clicked the delete button and how do I get it to show all the content on the page? And why isn't it deleting the table from the database?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Delete (row in mysql) command not working

Post by superdezign »

If the query variable "delnews" is equal to "Array->14", then your database will be looking for an id with the value "Array->14." This, likely, doesn't exist. You want the URL to have "delnews=14," not "delnews=Array->14." Now, ignoring the fact that allowing deletion to be solely dependent on a GET variable instead of a combination of GET and POST variables is *insecure*, you need to ensure that your URL is at least correct. Look at the code that creates your URL.

Also, this is grossly insecure:

Code:

$query = mysql_query("DELETE FROM insight_news WHERE nid = '{$_GET['delnews']}'")or die('Error : ' . mysql_error());
I could put anything at all into "delnews" in the URL, leaving you vulnerable to SQL injection and XSS. Google it if you need more info (or ask.. we're helpful :3). Verify all user input. It's a programmer's rule to live by.
insight
Forum Commoner
Posts: 52
Joined: Tue Jul 07, 2009 9:12 am

Re: Delete (row in mysql) command not working

Post by insight »

superdezign wrote:If the query variable "delnews" is equal to "Array->14", then your database will be looking for an id with the value "Array->14." This, likely, doesn't exist. You want the URL to have "delnews=14," not "delnews=Array->14." Now, ignoring the fact that allowing deletion to be solely dependent on a GET variable instead of a combination of GET and POST variables is *insecure*, you need to ensure that your URL is at least correct. Look at the code that creates your URL.

Also, this is grossly insecure:

Code:

$query = mysql_query("DELETE FROM insight_news WHERE nid = '{$_GET['delnews']}'")or die('Error : ' . mysql_error());
I could put anything at all into "delnews" in the URL, leaving you vulnerable to SQL injection and XSS. Google it if you need more info (or ask.. we're helpful :3). Verify all user input. It's a programmer's rule to live by.
Thanks. I'm completely new to PHP and nobody other than myself (for the time being) will be using this site; it's purely for practice atm, so I couldn't care if someone stumbles across it and ruins it. I have a backup and will simply delete the database and create a new one.

And I also noticed the Array->14. Why is it doing that? Why doesn't it just show the number 14? I also noticed it in the confirmation ("Are you sure you want to delete 'Array->Test'"). Is there a way to get rid of it?

I will also be making a script so only admins will have privileges to use the delete button (it will be hidden from everyone else). But that can only help so much in terms of security. I have been reading up on SQL injections and know they can be bad. But in my case, how would I prevent that? Or how can I make it more secure?

And why doesn't it load the pages content after I press the delete button and it reloads the page?
insight
Forum Commoner
Posts: 52
Joined: Tue Jul 07, 2009 9:12 am

Re: Delete (row in mysql) command not working

Post by insight »

OK, I got the delete command to work :D . But can anyone tell me why the page isn't loading up the contents after I click on the delete button?

And can anyone tell me how I can make it more secure?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Delete (row in mysql) command not working

Post by superdezign »

insight wrote:OK, I got the delete command to work :D . But can anyone tell me why the page isn't loading up the contents after I click on the delete button?
What contents do you want your page to have? From the look of it, you load the page, it deletes the row from the database, and then redirects you to the last page you were on (assuming your client sends HTTP_REFERER to the server).
insight wrote:

Code:

if(isset($_GET['delnews']))
{
   $query = mysql_query("DELETE FROM insight_news WHERE nid = '{$_GET['delnews']}'")or die('Error : ' . mysql_error());  
 
   header('Location: ' . $_SERVER['HTTP_REFERER']);
   exit;
}
The way that you have set this up, it is not possible to do JavaScript validation. PHP is server-side and JavaScript is client-side, so everything that PHP does is done before JavaScript can do anything. It is not possible for JavaScript to delay PHP. In order to do so, you would need to make use of AJAX or create a form as confirmation, using GET and POST variables together to confirm deletion.
insight wrote:And can anyone tell me how I can make it more secure?
Input validation. Both GET and POST variables are potentially user-inputted, and therefore must be validated. The simplest way to validate is to typecast, which is commonly done by PHP programmers when dealing with unique ids in databases. Simply typecast your GET variable to an integer.

Code:

$_GET['delnews'] = (int)$_GET['delnews'];
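Putting the two replies above together, here is a hardened version of the delete handling as an added example (not code from either poster): the delete runs before any output so header() still works, a POST form with a session token replaces the bare GET link, and the id is typecast and then bound as a prepared-statement parameter. It assumes the same DB_SERVER/DB_USER/DB_PASS/DB_NAME constants from includes/constants.php and that PHP sessions are enabled; deleteForm() is a helper name chosen here.

```php
<?php
// Added example, not the thread's code. Assumes includes/constants.php
// defines DB_SERVER, DB_USER, DB_PASS and DB_NAME as in the original,
// and that PHP sessions are available.
include("includes/constants.php");
session_start();

if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(16));
}

// Handle the delete BEFORE header.php echoes any HTML; the "headers already
// sent" warning came from calling header() after output had started.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delnews'])) {
    // A bare GET link can be triggered by any page that links to it; the
    // session token ties the request to a form this site rendered.
    if (!hash_equals($_SESSION['csrf'], $_POST['csrf'] ?? '')) {
        http_response_code(403);
        exit('Bad request');
    }
    // Cast to int as suggested above, then bind it as a parameter so the
    // value is treated as data, never as SQL.
    $nid = (int) $_POST['delnews'];
    $db = new mysqli(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
    $stmt = $db->prepare('DELETE FROM insight_news WHERE nid = ?');
    $stmt->bind_param('i', $nid);
    $stmt->execute();
    $stmt->close();
    // Redirect to a page we choose rather than trusting HTTP_REFERER.
    header('Location: index.php');
    exit;
}

// Called inside the listing loop in place of the javascript: link.
// $row['nid'] is the scalar id; "$fetchnews->$id" gave "Array->14" because
// PHP interpolated the array as the word "Array" followed by a literal "->".
function deleteForm(array $row, string $csrf): string
{
    $nid = (int) $row['nid'];
    // json_encode yields a safe JS string literal and htmlspecialchars makes it
    // safe inside the attribute, so a title with quotes cannot break out.
    $msg = htmlspecialchars(json_encode("Delete '" . $row['title'] . "'?"), ENT_QUOTES, 'UTF-8');
    $tok = htmlspecialchars($csrf, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php" onsubmit="return confirm(' . $msg . ')">'
         . '<input type="hidden" name="csrf" value="' . $tok . '" />'
         . '<input type="hidden" name="delnews" value="' . $nid . '" />'
         . '<input type="image" src="themes/insight/images/delete.png" alt="Delete" />'
         . '</form>';
}
```

Include header.php only after this block, and echo deleteForm($fetchnews, $_SESSION['csrf']) where the javascript: link used to be.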