
Erasing information from a database using forms

Posted: Fri Jul 21, 2006 4:13 pm
by NiGHTFiRE
Hey all,
I've got a problem. I've tried several different ways and I'm now up to 3 different scripts trying to do it (yes, it's dumb, but I've tried with fewer and still got the same result).
This is my code:
tabortauktion.php

<?php

$mysql_server = "xx";
$mysql_user = "xx";
$mysql_password = "xx";
$mysql_database = "xx";

$conn = mysql_connect($mysql_server, $mysql_user, $mysql_password);
mysql_select_db($mysql_database, $conn);

// List every auction, newest first, so one can be picked for deletion
$sql = "SELECT *
        FROM auction
        ORDER BY id DESC";
if (!$result = mysql_query($sql))
{
    die("Could not get the item list: " . mysql_error());
}

echo '<form name="test1" method="post" action="tabortauktion1.php">';
echo '<select name="auction">';
while ($row = mysql_fetch_array($result))
{
    // the id travels in the value attribute, the name is what the user sees;
    // escape the name so a stored auction name cannot inject markup
    echo '<option value="' . (int) $row['id'] . '">' . htmlspecialchars($row['auktionnamn']) . '</option>';
}
echo '</select>';
echo "<input type='submit' name='submit' value='Show auction'>";
echo '</form>';

?>

<?php

include "connect.php";
error_reporting(E_ALL);

if (isset($_POST['auction']))
{
    // The posted id is validated before it reaches SQL: the cast turns
    // anything like "1 OR 1=1" into a plain integer
    $item_id = (int) $_POST['auction'];

    $sql = "SELECT *
            FROM auction
            WHERE id = $item_id ORDER BY id DESC";
    if (!$result = mysql_query($sql))
    {
        die("Could not access the database: " . mysql_error());
    }

    $item_array = mysql_fetch_array($result);

    // the bids that belong to this auction
    $sql2 = "SELECT * FROM bud WHERE item = $item_id";
    if (!$result2 = mysql_query($sql2))
    {
        die("Could not access the database: " . mysql_error());
    }
}

?>
That works fine so far, then it forwards to tabortauktion1.php.
And that code is:

<?php

include("connect.php");

?>

<form name="test2" method="post" action="tabortauktion2.php">
<br>
<?php

// $item_id is expected to have been set by the handler above from $_POST['auction']
echo "If you want to delete this auction, press Yes. Otherwise press <i>Back to the start page</i>";
echo "<br>";
// the value attribute needs its closing quote and the tag its closing >
echo "Yes&nbsp;&nbsp;&nbsp;<input type='checkbox' name='tabort_ja' value='{$item_id}'>";

?>
<br>
<!-- the submit button has to sit inside the form, otherwise nothing is posted to tabortauktion2.php -->
<input type='submit' name='submit' value='Delete auction'>
</form>
<br>
That code should make it so that when you press submit you get to tabortauktion2.php, but it doesn't.
And that code is:

<?php

$mysql_server = "xx";
$mysql_user = "xx";
$mysql_password = "xx";
$mysql_database = "xx";

$conn = mysql_connect($mysql_server, $mysql_user, $mysql_password);
mysql_select_db($mysql_database, $conn);

// the checkbox is only present in the POST when it was ticked
if (isset($_POST['tabort_ja'])) {

    // cast to int: the raw value would otherwise go straight into the DELETE
    $tabort = (int) $_POST['tabort_ja'];

    $delete = "DELETE FROM auction WHERE id={$tabort}";
    $resultat = mysql_query($delete) or die(mysql_error());

    echo "The auction has been deleted";
    echo "<br>";
    echo "<br>";
    echo '<a href="emil/admin.php">Back to the start page</a>';

} // this closing brace was missing, which is a parse error

?>
So nothing ever gets removed from the database. How should I solve that?
Thanks,
David
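
The handler above puts `$_POST['auction']` and `$_POST['tabort_ja']` straight into the SQL text. As an added example, not code from the thread, here is what that pattern does with a hostile value beside a hardened version. It uses an in-memory SQLite database through PDO so it runs offline; the three-row `auction` table is constructed sample data, and `fresh_db`, `count_rows`, `delete_unsafe` and `delete_safe` are names of my own.

```php
<?php
// Added example, not from the original thread: the unescaped
// "DELETE FROM auction WHERE id={$tabort}" pattern versus a hardened version.
// PDO + in-memory SQLite so it runs offline; table/column names follow the thread.

// Constructed sample data: three auctions.
function fresh_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auction (id INTEGER PRIMARY KEY, auktionnamn TEXT)');
    $db->exec("INSERT INTO auction (id, auktionnamn) VALUES (1, 'Lamp'), (2, 'Bike'), (3, 'Chair')");
    return $db;
}

function count_rows(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM auction')->fetchColumn();
}

// The thread's pattern: the posted value becomes part of the SQL text.
// Returns the number of rows deleted.
function delete_unsafe(PDO $db, string $tabort): int
{
    $delete = "DELETE FROM auction WHERE id={$tabort}";
    return $db->exec($delete);
}

// Hardened: accept only a short run of digits, then bind it as a parameter.
// The value can then only be compared with id, never parsed as SQL.
function delete_safe(PDO $db, string $tabort): int
{
    if (!ctype_digit($tabort) || strlen($tabort) > 10) {
        throw new InvalidArgumentException('rejected id ' . var_export($tabort, true));
    }
    $stmt = $db->prepare('DELETE FROM auction WHERE id = :id');
    $stmt->execute([':id' => (int) $tabort]);
    return $stmt->rowCount();
}

// A POST body of "tabort_ja=1 OR 1=1" delivers this string. There is no quote
// in it to escape, so mysql_real_escape_string() alone would not protect the
// unquoted original; the check above is on the form of the value instead.
$hostile = '1 OR 1=1';

$db = fresh_db();
printf("unsafe, hostile input: deleted %d, %d left\n", delete_unsafe($db, $hostile), count_rows($db));

$db = fresh_db();
try {
    delete_safe($db, $hostile);
} catch (InvalidArgumentException $e) {
    printf("safe, hostile input: %s, %d left\n", $e->getMessage(), count_rows($db));
}

$db = fresh_db();
printf("safe, genuine id 2: deleted %d, %d left\n", delete_safe($db, '2'), count_rows($db));
```

Run it with the `php` command-line binary; the unsafe call empties the table because the `OR 1=1` becomes part of the WHERE clause, while the hardened version rejects the value before any statement is built. Benjamin's variant later in the thread, which quotes the value and runs it through `mysql_real_escape_string()`, is sound for that case because the surrounding quotes give the escaping something to protect; binding the value as a parameter removes the need to reason about that at all.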

Posted: Fri Jul 21, 2006 6:51 pm
by Benjamin
Why not something like this?

<a href="page.php?action=delete&id=3">Delete</a>

if (isset($_GET['action'])) {
    switch ($_GET['action']) {
        case 'delete':
            // validate $_GET['id'] here: not empty, digits only, and a sane length
            if (empty($_GET['id']) || !ctype_digit($_GET['id']) || strlen($_GET['id']) > 10) {
                die('Invalid id');
            }
            $delete =  "DELETE FROM `auction` WHERE `id`='" . mysql_real_escape_string($_GET['id']) . "' LIMIT 1";
            // execute query and display message or use header to redirect to another page
            mysql_query($delete) or die(mysql_error());
            break;
    }
}

Posted: Fri Jul 21, 2006 7:12 pm
by Weirdan
Why not something like this?
Because the HTTP spec says not to do so.

Posted: Fri Jul 21, 2006 7:14 pm
by Benjamin
Weirdan wrote:
Why not something like this?
Because HTTP spec says not to do so.
Can you show me the specific text that says that please?

Posted: Fri Jul 21, 2006 7:19 pm
by Weirdan
RFC 2616 wrote: In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval.

Posted: Fri Jul 21, 2006 7:30 pm
by Benjamin
Thank you for the link. I'll keep that in mind and I will read the entire spec. Common sense would tell you that you want to design a system so that a search engine can't come through and delete all your data though. (Which has happened to others before.) I use GET for delete operations in situations where the user has to be logged in and they are well aware that when they click that link something is going to get deleted.

I'm not a stickler for following the specs though.

Here it is in post form though...

<form action="yourPage.php" method="POST" name="thisFormName">
<input type="hidden" name="id" value="3" />
<input type="hidden" name="action" value="delete" />
<input type="submit" value="Delete" />
</form>

if (isset($_POST['action'])) {
    switch ($_POST['action']) {
        case 'delete':
            // validate $_POST['id'] here: not empty, digits only, and a sane length
            if (empty($_POST['id']) || !ctype_digit($_POST['id']) || strlen($_POST['id']) > 10) {
                die('Invalid id');
            }
            $delete =  "DELETE FROM `auction` WHERE `id`='" . mysql_real_escape_string($_POST['id']) . "' LIMIT 1";
            // execute query and display message or use header to redirect to another page
            mysql_query($delete) or die(mysql_error());
            break;
    }
}

Posted: Fri Jul 21, 2006 7:35 pm
by Weirdan
I use GET for delete operations in situations where the user has to be logged in and they are well aware that when they click that link something is going to get deleted.
You might want to check Shiflett's post about CSRF then.
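
Weirdan's two objections, that GET should not carry side effects and that a logged-in user's browser can be made to send the delete request by some other site, come down to the same thing. As an added example, not code from the thread, the following PHP shows the request an attacker's page would trigger against the GET link from Benjamin's post, the same against his token-less POST form, and a handler that refuses anything without a per-session CSRF token. Session state is passed in as an array so the functions can be driven from the command line with constructed requests; in a real handler pass `$_SESSION` and `$_SERVER['REQUEST_METHOD']`. The `victim.example` host, the function names and the in-memory SQLite `auction` table are assumptions of mine.

```php
<?php
// Added example, not code from the original thread. A GET delete link fires from
// any page the logged-in admin's browser loads, and a token-less POST form can be
// auto-submitted just as easily; the defence is a secret per-session token that
// only the genuine form carries. Session state is an array parameter so the
// functions can be driven from the CLI below; the web handler passes $_SESSION.
// Table/column names follow the thread; host and function names are assumed.

// Against the GET link <a href="page.php?action=delete&id=3"> an attacker page
// needs no JavaScript at all:
//   <img src="http://victim.example/page.php?action=delete&id=3" width="1" height="1">
// Against a token-less POST form it needs one line more:
//   <form id="f" action="http://victim.example/yourPage.php" method="POST">
//     <input type="hidden" name="action" value="delete">
//     <input type="hidden" name="id" value="3">
//   </form><script>document.getElementById('f').submit();</script>
// The browser attaches the admin's session cookie to both requests.

function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
    }
    return $session['csrf_token'];
}

function csrf_valid(array $session, $submitted): bool
{
    if (empty($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted); // constant-time compare
}

// Benjamin's POST form with the token added as a hidden field.
function delete_form(int $id, array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form action="yourPage.php" method="POST">'
        . '<input type="hidden" name="id" value="' . $id . '" />'
        . '<input type="hidden" name="action" value="delete" />'
        . '<input type="hidden" name="csrf_token" value="' . $token . '" />'
        . '<input type="submit" value="Delete" /></form>';
}

// The handler. $params is the request's form or query data; nothing is written
// until method, token and id have all been checked. Returns [status, message].
function handle_delete(string $method, array $params, array $session, PDO $db): array
{
    if ($method !== 'POST' || ($params['action'] ?? '') !== 'delete') {
        return [405, 'deletes are accepted only as POST'];
    }
    if (!csrf_valid($session, $params['csrf_token'] ?? null)) {
        return [403, 'bad or missing CSRF token'];
    }
    $id = $params['id'] ?? '';
    if (!is_string($id) || !ctype_digit($id) || strlen($id) > 10) {
        return [400, 'invalid id'];
    }
    $stmt = $db->prepare('DELETE FROM auction WHERE id = :id'); // bound, not interpolated
    $stmt->execute([':id' => (int) $id]);
    return [303, 'deleted ' . $stmt->rowCount() . ' row(s), redirect to admin.php'];
}

// --- command-line walkthrough with constructed requests ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auction (id INTEGER PRIMARY KEY, auktionnamn TEXT)');
$db->exec("INSERT INTO auction (id, auktionnamn) VALUES (1, 'Lamp'), (2, 'Bike'), (3, 'Chair')");
$session = [];                       // stands in for $_SESSION
echo delete_form(3, $session), "\n"; // rendering the form issues the token

$attempts = [
    'crawler or <img> fetching the GET link' => ['GET',  ['action' => 'delete', 'id' => '3']],
    'forged POST from another origin'        => ['POST', ['action' => 'delete', 'id' => '3']],
    'forged POST with a guessed token'       => ['POST', ['action' => 'delete', 'id' => '3', 'csrf_token' => 'abc']],
    'genuine submission of the form above'   => ['POST', ['action' => 'delete', 'id' => '3', 'csrf_token' => $session['csrf_token']]],
];
foreach ($attempts as $label => [$method, $params]) {
    [$code, $msg] = handle_delete($method, $params, $session, $db);
    printf("%-40s -> %d %s\n", $label, $code, $msg);
}
```

Only the last attempt reaches the DELETE; the first three are turned away by the method check, the missing token and the wrong token respectively. The token is worthless if the site has a cross-site scripting hole, since script running in the page can read the form and replay it, and it does not replace the method check: a GET that deletes is still wrong even with a token, because the token ends up in URLs, history and referrer headers. Marking the session cookie `SameSite` is a useful second layer in current browsers, not a substitute.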

Posted: Fri Jul 21, 2006 7:45 pm
by Benjamin
Interesting stuff. There is a vulnerability there. Definitely something to keep in mind. I didn't realize it was a security issue.

Posted: Sat Jul 22, 2006 6:46 am
by NiGHTFiRE
Thanks, it works now after some editing in your code.