Erasing information from a database using forms

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

NiGHTFiRE
Forum Contributor
Posts: 156
Joined: Sun May 14, 2006 10:36 am
Location: Sweden

Post by NiGHTFiRE »

Hey all,
I've got a problem, and I've tried several different ways; I'm now up to three different scripts trying to do it (yes, it's dumb, but I've tried with fewer and still got the same result).
This is my code:
tabortauktion.php

Code: Select all

<?php
$mysql_server = "xx";
$mysql_user = "xx";
$mysql_password = "xx";
$mysql_database = "xx";

$conn = mysql_connect($mysql_server, $mysql_user, $mysql_password);
mysql_select_db($mysql_database, $conn);

$sql = "SELECT *
        FROM auction
        ORDER BY id DESC";
if (!$result = mysql_query($sql))
{
        die("Could not get the item list: " . mysql_error());
}

echo '<form name="test1" method="post" action="tabortauktion1.php">';
echo '<select name="auction">';
while ($row = mysql_fetch_array($result))
{
        echo '<option value="' . $row['id'] . '">' . $row['auktionnamn'] . '</option>';
}
echo '</select>';
echo "<input type='submit' name='submit' value='Få fram auktion'>";
echo '</form>';
?>

<?php
include "connect.php";
error_reporting(E_ALL);

if (isset($_POST['auction']))
{
        // You would really want to validate this here,
        // But I am keeping this intentionally simple
        $item_id = $_POST['auction'];

        $sql = "SELECT *
                FROM auction
                WHERE id = $item_id ORDER BY id DESC";
        if (!$result = mysql_query($sql))
        {
                die("Kunde inte komma in i databasen: " . mysql_error());
        }

        $item_array = mysql_fetch_array($result);
        $sql2 = "SELECT * FROM bud WHERE item = $item_id";
        if (!$result2 = mysql_query($sql2))
        {
                die("Kunde inte komma in i databasen: " . mysql_error());
        }
}
?>
That works well so far; then it forwards to tabortauktion1.php.
And that code is:

Code: Select all

<?php
include("connect.php");
?>

<form name="test2" method="post" action="tabortauktion2.php">
<br>
<?php
echo "Om du vill ta bort den auktionen tryck på Ja. Annars tryck på <i>Tillbaka till startsidan</i>";
echo "<br>";
echo "Ja&nbsp;&nbsp;&nbsp;<input type='checkbox' name='tabort_ja' value={$item_id}";
?>
<br>
</form>
<br>
<input type='submit' name='submit' value='Ta bort auktion'>
That code should make it so that when you press submit you get to tabortauktion2.php, but it doesn't.
And that code is:

Code: Select all

<?php
$mysql_server = "xx";
$mysql_user = "xx";
$mysql_password = "xx";
$mysql_database = "xx";

$conn = mysql_connect($mysql_server, $mysql_user, $mysql_password);
mysql_select_db($mysql_database, $conn);

$tabort = $_POST['tabort_ja'];
if($_POST['tabort_ja']) {
    $delete =  "DELETE FROM auction WHERE id={$tabort}";
    $resultat = mysql_query($delete) or die(mysql_error());
    echo "Auktion har tagits bort";
    echo "<br>";
    echo "<br>";
    echo '<a href="emil/admin.php">Tillbaka till startsidan</a>';
}
?>
So nothing ever gets removed from the database. How should I solve that?
Thanks,
David
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Why not something like this?

Code: Select all


<a href="page.php?action=delete&id=3">Delete</a>

Code: Select all

if (isset($_GET['action'])) {
    switch ($_GET['action']) {
        case 'delete':
            // validate $_GET['id'] here.. I would make sure it's not empty and use ctype_digit and strlen for further checking
            $delete =  "DELETE FROM `auction` WHERE `id`='" . mysql_real_escape_string($_GET['id']) . "' LIMIT 1";
            // execute query and display message or use header to redirect to another page
            break;
    }
}
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Benjamin wrote:
Why not something like this?
Because HTTP spec says not to do so.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Weirdan wrote:
Why not something like this?
Because HTTP spec says not to do so.
Can you show me the specific text that says that please?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

RFC 2616 wrote:
In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Thank you for the link. I'll keep that in mind, and I will read the entire spec. Common sense would tell you that you want to design a system so that a search engine can't come through and delete all your data, though (which has happened to others before). I use GET for delete operations in situations where the user has to be logged in and they are well aware that when they click that link something is going to get deleted.

I'm not a stickler for following the specs though.

Here it is in post form though...

Code: Select all

<form action="yourPage.php" method="POST" name="thisFormName">
<input type="hidden" name="id" value="3" />
<input type="hidden" name="action" value="delete" />
<input type="submit" value="Delete" />
</form>

Code: Select all

if (isset($_POST['action'])) {
    switch ($_POST['action']) {
        case 'delete':
            // validate $_POST['id'] here.. I would make sure it's not empty and use ctype_digit and strlen for further checking
            $delete =  "DELETE FROM `auction` WHERE `id`='" . mysql_real_escape_string($_POST['id']) . "' LIMIT 1";
            // execute query and display message or use header to redirect to another page
            break;
    }
}
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Benjamin wrote:
I use GET for delete operations in situations where the user has to be logged in and they are well aware that when they click that link something is going to get deleted.
You might want to check Shiflett's post about CSRF then :twisted:
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Interesting stuff.. There is a vulnerability there. 8O Definitely something to keep in mind. I didn't realize it was a security issue.
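Putting Benjamin's POST handler together with Weirdan's CSRF point, as an added example that is not code from the thread: the request is refused unless it is a POST carrying the session's token and a purely numeric id, and the id is bound through a prepared statement instead of being escaped into the SQL string. It assumes PHP 7.1+ with mysqli and sessions; the `auction` table and `id` column come from NiGHTFiRE's post, and the connection values are placeholders.

```php
<?php
// Added example, not code from the thread: Benjamin's POST delete handler
// hardened against the two points raised, SQL injection and CSRF.
// Assumes PHP 7.1+, mysqli, and NiGHTFiRE's `auction` table with an
// integer `id` column; the connection values are placeholders.
session_start();

// Per-session CSRF token; the page that renders the delete form puts it
// in a hidden field named csrf_token next to the id and action fields.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns the auction id to delete, or null if the request must be refused:
// wrong method, wrong action, bad or missing token, or a non-numeric id.
function validated_delete_id(array $post, string $method, string $token): ?int
{
    if ($method !== 'POST' || ($post['action'] ?? '') !== 'delete') {
        return null;   // a GET link must never delete (RFC 2616, section 9.1.1)
    }
    if (!hash_equals($token, (string) ($post['csrf_token'] ?? ''))) {
        return null;   // token absent or forged: likely a cross-site request
    }
    $id = (string) ($post['id'] ?? '');
    if ($id === '' || !ctype_digit($id) || strlen($id) > 10) {
        return null;   // the ctype_digit/strlen check Benjamin suggested
    }
    return (int) $id;
}

// The id is bound as an integer parameter, never interpolated into the SQL.
function delete_auction(mysqli $db, int $id): int
{
    $stmt = $db->prepare('DELETE FROM `auction` WHERE `id` = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->affected_rows;   // 1 on success, 0 if no such auction
}

$id = validated_delete_id($_POST, $_SERVER['REQUEST_METHOD'], csrf_token());
if ($id === null) {
    http_response_code(403);
    exit('Ogiltig begäran');
}
$db = new mysqli('xx', 'xx', 'xx', 'xx');
echo delete_auction($db, $id) === 1 ? 'Auktion har tagits bort' : 'Ingen auktion hittades';
```

Benjamin's form needs one extra hidden field, `csrf_token`, filled from `csrf_token()` on the page that renders it; a forged POST from another site cannot read that value, so it fails the `hash_equals` check.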
NiGHTFiRE
Forum Contributor
Posts: 156
Joined: Sun May 14, 2006 10:36 am
Location: Sweden

Post by NiGHTFiRE »

Thanks, it works now after some editing in your code.