
Deletion Script is not working

Posted: Wed Feb 09, 2011 10:25 pm
by mdmartiny1977
Hello Everyone.

I am trying to figure out why this delete script does not want to work. I click on the delete user and all it does is take me back to the page to pick a person to delete from the database.

When I run the SQL in the database it deletes the user with no problem.

This is the show_user_del.php page. This is the verification page to make sure you are deleting the right person.

Code: Select all

<?php

if (!$_POST[id]) {
	header ("LOCATION: pick_user.php");
	exit;
}

require('../includes/auth_user.php');

//build and issue query
$sql = "SELECT * FROM $table WHERE id = '$_POST[id]'";
$result = mysql_query($sql, $connection) or die(mysql_error());

while ($row = mysql_fetch_array($result)) {
	$id = $row['id'];
	$f_name = $row['f_name'];
	$l_name = $row['l_name'];
	$username = $row['username'];
	$password = $row['password'];
}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Add Classified Ad</title>
</head>
<body>
<h2><em>Delete user from Database</em></h2>
<h3>User being deleted <?php echo "$f_name $l_name"; ?></h3>
<form method="POST" action="do_delete_user.php">
<input type="hidden" name="id" value="<?php echo "$_POST[id]"; ?>" />
<input type="hidden" name="f_name" value="<?php echo "$f_name"; ?>" />
<input type="hidden" name="l_name" value="<?php echo "$l_name"; ?>" />
<p> <strong>Name:</strong> <?php echo "$f_name $l_name"; ?>
   </p>
   <p> <strong>Username:</strong> <?php echo "$username"; ?>
   </p>
   <p> <strong>Password:</strong> <?php echo "$password"; ?>
   </p>
   <p>
      <input type="submit" name="submit" id="name" value="Delete User" />
   </p>
</form>
<p><a href="../admin_menu.php">Return to Administration Menu</a></p>
</body>
</html>


Here is the do_delete_user.php page, obviously the page that actually does the deleting. As I mentioned before, all it does is reroute back to the pick_user.php page without removing the person from the database.

Code: Select all

<?php

if (!$_POST[id]) {
	header ("LOCATION: pick_user.php");
	exit;
}
require('../includes/auth_user.php');

$sql = "DELETE FROM $table WHERE id='$_POST[id]'";
$result = mysql_query($sql, $connection) or die(mysql_error());
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>
<h1>User has been removed</h1>
<?php echo "$sql"; ?><?php echo "$result"; ?>
<h2><em>User <?php echo "$_POST[f_name] $_POST[l_name]"; ?> has been deleted
      from the <?php echo "$table"; ?> table</em></h2>
<p><a href="pick_user.php">Delete another person</a></p>
<p><a href="../admin_menu.php">Administration Menu</a></p>
</body>
</html>

I echo the query to see what it was looking for, and this is what I get:
DELETE FROM auth_users WHERE id=''

Please someone help me

Re: Deletion Script is not working

Posted: Thu Feb 10, 2011 12:00 am
by social_experiment
Looks like $_POST['id'] isn't being set.

Code: Select all

<input type="hidden" name="id" value="<?php echo "$_POST[id]"; ?>" />
How is the show_user_del page accessed?

Re: Deletion Script is not working

Posted: Thu Feb 10, 2011 6:06 am
by mdmartiny1977
Through a page called pick_user.php

Here is the code

Code: Select all

<?php

require('../includes/auth_user.php');

$connection = mysql_connect($host, $username, $dbpassword) or die (mysql_error());
$db = mysql_select_db ($dbname, $connection) or die (mysql_error());

$sql = "SELECT * FROM $table";

if(!$connection) die("You do not have a valid SQL connection.");
	$result = mysql_query($sql, $connection);
	if(!$result) {
	  echo "<p>There was an error processing the following SQL statement.</p><p>".$sql."</p>";
	  }

//check the number of results
$num = mysql_num_rows($result);

//if results are found loop through them and make a form selection block
if ($num < 1){
	$display_block = "<p><em>Sorry! No results.</em></p>";
} else {
	while ($row = mysql_fetch_array($result)) {
	$id = $row['id'];
	$f_name = $row['f_name'];
	$l_name = $row['l_name'];
	$option_block .="<option value=\"$id\">$f_name $l_name</option>";
}

//create the entire form block
$display_block = "<FORM METHOD=\"POST\" ACTION=\"show_user_del.php\">
<p><strong>User Names:</strong>
<select name=\"id\">
$option_block
</select>
<input type=\"submit\" name=\"submit\" Value=\"Get User\"></p>
</form>";
}

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Classified Added</title>
</head>
<body>
<div>
   <h2>Delete A User</h2>
   <p>Select from the list below to delete the user.</p>
   <?php echo "$display_block"; ?> <br />
   <p><a href="../admin_menu.php">Administration Menu</a></p>
</div>
</body>
</html>

Re: Deletion Script is not working

Posted: Thu Feb 10, 2011 6:19 am
by Mordred
ACTION=\"show_user_del.php\" means the id is passed to THAT script, not do_delete_user.php

Also, go read about sql injection and mysql_real_escape_string.

Re: Deletion Script is not working

Posted: Thu Feb 10, 2011 6:29 am
by mdmartiny1977
Mordred wrote: ACTION=\"show_user_del.php\" means the id is passed to THAT script, not do_delete_user.php

Also, go read about sql injection and mysql_real_escape_string.

The way the delete script works is

pick user --> show user --> delete user

Re: Deletion Script is not working

Posted: Thu Feb 10, 2011 7:59 am
by social_experiment

Code: Select all

<?php 
$sql = "SELECT * FROM $table WHERE id = '$_POST[id]'";
//
while ($row = mysql_fetch_array($result)) {
        $id = $row['id'];
 }
?>
<!-- append value of $id to the page -->
<form method="POST" action="do_delete_user.php?id=<?php $id; ?>">
You have to append the value of $id to your action attribute (see above) value (I'm guessing that the value of $id will be the same as $_POST['id']). On your do_delete_user page modify your code like this

Code: Select all

$sql = "DELETE FROM $table WHERE id='" . mysql_real_escape_string($_GET['id']) . "' ";
Now the value of $_GET['id'] is retrieved from the query string and your record should be deleted. Make sure you check the value of $_GET['id'] and use mysql_real_escape_string() on all input values.
Hth.
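
Added example (not part of the thread or any poster's code): one way to do the delete that follows the advice above to check the id and guard against SQL injection, using a PDO prepared statement in place of mysql_real_escape_string(). The in-memory SQLite database, the sample rows and the delete_user() helper are assumptions made so the snippet runs on its own; the mysql_* functions used in the thread were removed in PHP 7.0.

```php
<?php
// Added example: not code from the thread. PDO with an in-memory SQLite
// database stands in for the poster's MySQL connection (assumption).

/**
 * Delete one row from auth_users by id (hypothetical helper).
 * Returns true only if exactly one row was removed.
 */
function delete_user(PDO $pdo, $rawId): bool
{
    // Accept only a positive integer; '', null, arrays and quoted strings fail here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    // The table name is a fixed literal, never request data; the id is bound.
    $stmt = $pdo->prepare('DELETE FROM auth_users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE auth_users (id INTEGER PRIMARY KEY, f_name TEXT, l_name TEXT)');
$pdo->exec("INSERT INTO auth_users (f_name, l_name) VALUES ('Ann','Lee'), ('Bob','Ray'), ('Cy','Fox')");

// Constructed request values, as do_delete_user.php might receive them:
// empty id, a quoted string, a valid id, the same id again, an unknown id.
$inputs = ['', "1' OR '1'='1", '2', '2', '99'];
foreach ($inputs as $raw) {
    $ok = delete_user($pdo, $raw);
    $left = (int) $pdo->query('SELECT COUNT(*) FROM auth_users')->fetchColumn();
    printf("%-16s deleted=%s remaining=%d\n", var_export($raw, true), $ok ? 'yes' : 'no', $left);
}
```

An empty id, the symptom shown in the first post, is rejected before any SQL runs, and the return value distinguishes "one row deleted" from "nothing matched".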

Re: Deletion Script is not working

Posted: Thu Feb 10, 2011 8:23 am
by mdmartiny1977
social_experiment wrote:

Code: Select all

<?php 
$sql = "SELECT * FROM $table WHERE id = '$_POST[id]'";
//
while ($row = mysql_fetch_array($result)) {
        $id = $row['id'];
 }
?>
<!-- append value of $id to the page -->
<form method="POST" action="do_delete_user.php?id=<?php $id; ?>">
You have to append the value of $id to your action attribute (see above) value (I'm guessing that the value of $id will be the same as $_POST['id']). On your do_delete_user page modify your code like this

Code: Select all

$sql = "DELETE FROM $table WHERE id='" . mysql_real_escape_string($_GET['id']) . "' ";
Now the value of $_GET['id'] is retrieved from the query string and your record should be deleted. Make sure you check the value of $_GET['id'] and use mysql_real_escape_string() on all input values.
Hth.

I copied and pasted what you wrote and I get the same result.

Re: Deletion Script is not working

Posted: Thu Feb 10, 2011 9:09 am
by social_experiment

Code: Select all

<form method="POST" action="do_delete_user.php?id=<?php echo $id; ?>">
Try adding an 'echo' in the statement above

Re: Deletion Script is not working

Posted: Thu Feb 10, 2011 9:20 am
by mdmartiny1977
Yay!!!! That worked :D

Thank you for your help with this problem :D