Questions about the MySQL, PostgreSQL, and most other databases, as well as using it with PHP can be asked here.
ra
Forum Commoner
Posts: 58 Joined: Fri Mar 25, 2005 4:25 pm
by ra » Tue Aug 16, 2005 2:56 pm
OK, here is my delete function:

```php
<?PHP
function del($id) {
    // $id is dropped straight into the SQL string, nothing checks or escapes it
    $query = doquery("DELETE FROM openhouse WHERE id='$id'");
    header("Location: adminhouse7.php");
    die();
}
?>
```
and here is the Delete button:

```html
<td><a href="adminhouse7.php?del=<?PHP echo $row["id"]; ?>">Delete</a></td>
```

What am I doing wrong?
timvw
DevNet Master
Posts: 4897 Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium
by timvw » Tue Aug 16, 2005 3:09 pm
You are only showing the function... you still need to call it with input from $_GET.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Tue Aug 16, 2005 3:09 pm
no SQL injection protection?
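To make feyd's one-liner concrete, here is an added example (not code from the thread) that runs the original `del()` shape against a throwaway table and then the same delete done with a bound parameter. It assumes the pdo_sqlite extension is available; the in-memory `openhouse` table, its three rows and the `del_unsafe`/`del_safe` names are constructed for this demo. The `$payload` is what anyone can type into the Delete link's `?del=` value.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the in-memory `openhouse` table and its three rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function seed(PDO $db): void {
    $db->exec('DROP TABLE IF EXISTS openhouse');
    $db->exec('CREATE TABLE openhouse (id INTEGER PRIMARY KEY, address TEXT)');
    $db->exec("INSERT INTO openhouse (id, address) VALUES
               (10, '1 Main St'), (11, '2 Oak Ave'), (12, '3 Elm Rd')");
}

function count_rows(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM openhouse')->fetchColumn();
}

// Same shape as the del() in the original post: $id is pasted into the SQL text.
function del_unsafe(PDO $db, string $id): int {
    $sql = "DELETE FROM openhouse WHERE id='$id'";
    echo "  runs: $sql\n";
    return $db->exec($sql);   // affected row count
}

// Hardened: the id must validate as an integer and is bound as a parameter,
// so whatever arrives in ?del= is never parsed as SQL.
function del_safe(PDO $db, string $raw): int {
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        echo "  rejected non-integer id\n";
        return 0;
    }
    $stmt = $db->prepare('DELETE FROM openhouse WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// A value an attacker can put in the Delete link's query string.
$payload = "10' OR '1'='1";

seed($db);
echo "unsafe, payload {$payload}:\n";
$n = del_unsafe($db, $payload);          // WHERE id='10' OR '1'='1' matches every row
echo "  deleted $n rows, " . count_rows($db) . " left\n";

seed($db);
echo "safe, same payload:\n";
$n = del_safe($db, $payload);            // fails integer validation, nothing runs
echo "  deleted $n rows, " . count_rows($db) . " left\n";

echo "safe, id 10:\n";
$n = del_safe($db, '10');                // bound as an integer, removes one row
echo "  deleted $n rows, " . count_rows($db) . " left\n";
```

The unsafe path turns a delete-one-row link into a delete-the-table link because the quote in the payload closes the literal and `OR '1'='1'` is true for every row. The prepared statement sends the query text and the value separately, so the same payload never reaches the parser as SQL; the integer check in front of it is cheap belt-and-braces that also gives you a clean error instead of a driver exception.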
timvw
DevNet Master
Posts: 4897 Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium
by timvw » Tue Aug 16, 2005 3:12 pm
Btw, you might want to reconsider your security design. Read section 2 of
http://phpsec.org/projects/guide/ for a better explanation of what I'm talking about.
ra
Forum Commoner
Posts: 58 Joined: Fri Mar 25, 2005 4:25 pm
by ra » Tue Aug 16, 2005 3:38 pm
timvw wrote: You are only showing the function... you still need to call it with input from $_GET.
So where/how should the $_GET be placed?
ra
Forum Commoner
Posts: 58 Joined: Fri Mar 25, 2005 4:25 pm
by ra » Tue Aug 16, 2005 3:40 pm
And is all of this security talk relevant if only authorized users (employees) have access to this page?
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Tue Aug 16, 2005 3:59 pm
Security is required anywhere a network connection or data is kept. The data may not be all that important to you, but it may be important to someone else.
timvw
DevNet Master
Posts: 4897 Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium
by timvw » Tue Aug 16, 2005 4:18 pm
ra wrote: timvw wrote: You are only showing the function... you still need to call it with input from $_GET.
So where/how should the $_GET be placed?
Wherever you want to call the function to delete something.
In your example, it would be in adminhouse7.php and the code would look like:

```php
if (isset($_GET['del']))
{
    // make sure id to delete is an integer
    if ($_GET['del'] == strval(intval($_GET['del'])))
    {
        del($_GET['del']);
    }
}
```
timvw
DevNet Master
Posts: 4897 Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium
by timvw » Tue Aug 16, 2005 4:21 pm
ra wrote: and is all of this security talk relevant if only authorized users (employees) have access to this page?
If you follow the link and read what I suggested you will be able to answer that question (big YES).
For example, imagine what would happen in the following case: someone has a site that the employees visit often, and he places the following on his site:

```html
<frameset cols="1,*">
<frame src="http://yoursite.example.com/adminhouse7.php?del=10"/>
<frame src="index.html"/>
</frameset>
```
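The frame works because the employee's browser sends the admin session cookie with that GET just as it would for a click, so the server cannot tell the two apart. The fix is to make the delete a POST that carries a secret the attacker's page cannot read. What follows is an added example, not timvw's or ra's code: the session and request are modelled as arrays so it runs from the CLI without a web server (in a real page `$session` is `$_SESSION` and the request comes from `$_SERVER['REQUEST_METHOD']` and `$_POST`), and the names `csrf_token`, `delete_form` and `handle_delete` are this example's own. The actual row deletion is handed in as a callable so the block stays about the request check.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Session and request are plain
// arrays so the three scenarios below run offline; names are this demo's own.

// Issue (once per session) a random token the attacker's site cannot read.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// The Delete control: a POST form instead of the original GET link.
function delete_form(int $id, string $token): string {
    $idAttr  = htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
    $tokAttr = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="adminhouse7.php">'
         . '<input type="hidden" name="del" value="' . $idAttr . '">'
         . '<input type="hidden" name="csrf" value="' . $tokAttr . '">'
         . '<button type="submit">Delete</button></form>';
}

// Handler for adminhouse7.php. Returns a status string so the outcome is
// visible; a real page would redirect after a successful delete.
function handle_delete(array $request, array &$session, callable $del): string {
    if ($request['method'] !== 'POST') {
        return 'refused: deletes must be POSTed';        // stops the framed GET
    }
    $sent = $request['post']['csrf'] ?? '';
    if (empty($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return 'refused: missing or wrong CSRF token';   // attacker cannot forge it
    }
    $id = filter_var($request['post']['del'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 'refused: id is not an integer';          // same intent as strval(intval())
    }
    $del($id);
    return "deleted $id";
}

// Demo with a constructed session and three requests.
$session = [];
$token   = csrf_token($session);
$deleted = [];
$del = function (int $id) use (&$deleted): void { $deleted[] = $id; };

echo delete_form(10, $token), "\n";

// 1. The hostile frame: GET adminhouse7.php?del=10, no token possible.
echo handle_delete(['method' => 'GET', 'post' => []], $session, $del), "\n";
// 2. A forged POST from another origin: it can post, but not guess the token.
echo handle_delete(['method' => 'POST', 'post' => ['del' => '10', 'csrf' => 'guess']], $session, $del), "\n";
// 3. The legitimate form rendered by delete_form().
echo handle_delete(['method' => 'POST', 'post' => ['del' => '10', 'csrf' => $token]], $session, $del), "\n";
echo 'rows actually deleted: ', implode(',', $deleted), "\n";
```

Only the third request reaches `$del`. Requiring POST alone is not enough (a hidden auto-submitting form on the attacker's site posts just fine), which is why the per-session token is the part that actually defeats the frameset trick; `hash_equals` is used so the comparison does not leak timing, and the integer check keeps the SQL-injection concern from the earlier posts out of this path as well.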
ra
Forum Commoner
Posts: 58 Joined: Fri Mar 25, 2005 4:25 pm
by ra » Wed Aug 17, 2005 9:55 am
I think I missed something...

```php
if (isset($_GET['del']))
{
    // make sure id to delete is an integer
    if ($_GET['del'] == strval(intval($_GET['del'])))
    {
        // only builds the SQL string; $id is never assigned and nothing runs the query
        $query = ("DELETE FROM openhouse WHERE id='$id'");
    }
}
?>
```
timvw
DevNet Master
Posts: 4897 Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium
by timvw » Wed Aug 17, 2005 1:03 pm
If you use that code, what is the use of the del function?