delete a row

ra
Forum Commoner
Posts: 58
Joined: Fri Mar 25, 2005 4:25 pm

delete a row

Post by ra »

OK, here is my delete function:

Code: Select all

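<?PHP
// Deletes one row from openhouse, then redirects back to the admin page.
function del($id) {
    // $id is interpolated straight into the SQL string
    $query = doquery("DELETE FROM openhouse WHERE id='$id'");
    header("Location: adminhouse7.php");
    die();
}
?>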
and here is the Delete Button:

Code: Select all

<td><a href="adminhouse7.php?del=<?PHP echo $row["id"]; ?>">Delete</a></td>
What am I doing wrong?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

You are only showing the function.. you still need to call it with input from $_GET...
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

no SQL injection protection? :?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Btw, you might want to reconsider your security design. Read section 2 of http://phpsec.org/projects/guide/ for a better explanation of what I'm talking about.
ra
Forum Commoner
Posts: 58
Joined: Fri Mar 25, 2005 4:25 pm

Post by ra »

timvw wrote:You are only showing the function.. you still need to call it with input from $_GET...
so where/how should the $_GET be placed?
ra
Forum Commoner
Posts: 58
Joined: Fri Mar 25, 2005 4:25 pm

Post by ra »

and is all of this security talk relevant if only authorized users (employees) have access to this page?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

security is required anywhere a network connection or data is kept. The data may not be all that important to you, but it may be important to someone else..
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

ra wrote:
timvw wrote:You are only showing the function.. you still need to call it with input from $_GET...
so where/how should the $_GET be placed?
Wherever you want to call the function to delete something..

In your example, it would be in adminhouse7.php and code would look like:

Code: Select all

if (isset($_GET['del']))
{
  // make sure id to delete is an integer
  if ($_GET['del'] == strval(intval($_GET['del'])))
  {
     // pass the validated 'del' parameter (the one the Delete link sends)
     del($_GET['del']);
  }
}
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

ra wrote:and is all of this security talk relevant if only authorized users (employees) have access to this page?
If you follow the link and read what I suggested you will be able to answer that question (big YES).

For example: imagine what would happen in the following case: someone has a site that the employees visit often. And he places the following on his site:

Code: Select all

<frameset cols="1,*">
<frame src="http://yoursite.example.com/adminhouse7.php?del=10"/>
<frame src="index.html"/>
</frameset>
ra
Forum Commoner
Posts: 58
Joined: Fri Mar 25, 2005 4:25 pm

Post by ra »

I think I missed something...

Code: Select all

if (isset($_GET['del']))
{
  // make sure id to delete is an integer
  if ($_GET['del'] == strval(intval($_GET['del'])))
  {
     $query = ("DELETE FROM openhouse WHERE id='$id'");
  }
} 

?>
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

If you use that code.. What is the use of the del function ?
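
The two issues raised in this thread (the id being concatenated into the SQL, and a delete that any framed GET request can trigger) can be handled together. The following is an added example, not code from any poster in the thread: it assumes PDO (with pdo_sqlite for the demo) instead of the thread's doquery(), and the function name delete_openhouse_row() and the 'csrf' field name are hypothetical.

```php
<?php
// Added example, not the thread's code. Assumes PDO (pdo_sqlite for the demo);
// delete_openhouse_row() and the 'csrf' field name are hypothetical.

function delete_openhouse_row(PDO $db, string $method, array $post, array $session): string
{
    // 1. State-changing requests must be POST, so a framed GET cannot trigger them.
    if ($method !== 'POST') {
        return 'rejected: method';
    }
    // 2. The submitted token must match the one stored in the user's session.
    $sent  = $post['csrf'] ?? '';
    $known = $session['csrf'] ?? '';
    if (!is_string($sent) || $known === '' || !hash_equals($known, $sent)) {
        return 'rejected: csrf';
    }
    // 3. The id must be a positive integer; anything else is refused.
    $id = filter_var($post['del'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'rejected: id';
    }
    // 4. Prepared statement: the value is bound, never concatenated into the SQL.
    $stmt = $db->prepare('DELETE FROM openhouse WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return 'deleted: ' . $stmt->rowCount();
}

// Constructed demo data: an in-memory table standing in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE openhouse (id INTEGER PRIMARY KEY, address TEXT)');
$db->exec("INSERT INTO openhouse (id, address) VALUES (10, 'constructed row'), (11, 'constructed row')");

// In the real page this token would be created at login and kept in $_SESSION.
$session = ['csrf' => bin2hex(random_bytes(32))];

// Constructed requests: method plus submitted form fields.
$cases = [
    'framed GET'    => ['GET',  ['del' => '10']],
    'missing token' => ['POST', ['del' => '10']],
    'injected id'   => ['POST', ['del' => "10' OR '1'='1", 'csrf' => $session['csrf']]],
    'valid request' => ['POST', ['del' => '10', 'csrf' => $session['csrf']]],
];
foreach ($cases as $name => [$method, $post]) {
    echo str_pad($name, 14), delete_openhouse_row($db, $method, $post, $session), PHP_EOL;
}
echo 'rows left: ', $db->query('SELECT COUNT(*) FROM openhouse')->fetchColumn(), PHP_EOL;
```

With this handler the Delete link becomes a small POST form that carries the session token as a hidden field, so the employee's browser cannot be made to delete rows by loading a third-party page.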