delete a row
Posted: Tue Aug 16, 2005 2:56 pm
by ra
OK, here is my delete function:
Code:
<?PHP
function del($id) {
    // run the delete, then send the browser back to the admin page
    $query = doquery("DELETE FROM openhouse WHERE id='$id'");
    header("Location: adminhouse7.php");
    die();
}
?>
and here is the Delete Button:
Code:
<td><a href="adminhouse7.php?del=<?PHP echo $row["id"]; ?>">Delete</a></td>
What am I doing wrong?
Posted: Tue Aug 16, 2005 3:09 pm
by timvw
You are only showing the function.. you still need to call it with input from $_GET...
Posted: Tue Aug 16, 2005 3:09 pm
by feyd
no SQL injection protection?

Posted: Tue Aug 16, 2005 3:12 pm
by timvw
Btw, you might want to reconsider your security design. Read section 2 of
http://phpsec.org/projects/guide/ for a better explanation of what I'm talking about.
Posted: Tue Aug 16, 2005 3:38 pm
by ra
timvw wrote:
    You are only showing the function.. you still need to call it with input from $_GET...
so where/how should the $_GET be placed?
Posted: Tue Aug 16, 2005 3:40 pm
by ra
and is all of this security talk relevant if only authorized users (employees) have access to this page?
Posted: Tue Aug 16, 2005 3:59 pm
by feyd
Security is required anywhere a network connection or data is kept. The data may not be all that important to you, but it may be important to someone else.
Posted: Tue Aug 16, 2005 4:18 pm
by timvw
ra wrote:
    timvw wrote:
        You are only showing the function.. you still need to call it with input from $_GET...
    so where/how should the $_GET be placed?
Wherever you want to call the function to delete something.
In your example, it would be in adminhouse7.php and code would look like:
Code:
if (isset($_GET['del']))
{
    // make sure id to delete is an integer
    if ($_GET['del'] == strval(intval($_GET['del'])))
    {
        // the link passes the id as ?del=..., so read that parameter
        del($_GET['del']);
    }
}
Posted: Tue Aug 16, 2005 4:21 pm
by timvw
ra wrote:
    and is all of this security talk relevant if only authorized users (employees) have access to this page?
If you follow the link and read what I suggested you will be able to answer that question (big YES).
F.e.: imagine what would happen in the following case: someone has a site that the employees visit often. And he places the following on his site:
Code:
<frameset cols="1,*">
<frame src="http://yoursite.example.com/adminhouse7.php?del=10"/>
<frame src="index.html"/>
</frameset>
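A hardened version of the adminhouse7.php handler that addresses both replies above (the integer check on the id and the frameset trick), added here as an example and not code from the thread. It assumes an open PDO connection in $pdo, a session key employee_id set at login, $row from the listing loop that prints the Delete button, and PHP 7 or later for random_bytes().

```php
<?php
// Added example, not from the thread. Assumes: $pdo is an open PDO
// connection, $_SESSION['employee_id'] is set at login, PHP >= 7.
session_start();
// Parameter binding keeps the id out of the SQL text, so an input such
// as  1' OR '1'='1  can never be interpreted as SQL.
function del(PDO $pdo, int $id): int {
    $stmt = $pdo->prepare('DELETE FROM openhouse WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount();          // rows actually deleted
}
// One secret token per session; a page on another site cannot read it.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
// 1. Only a logged-in employee may reach the delete branch.
if (empty($_SESSION['employee_id'])) {
    http_response_code(403);
    exit('not authorised');
}
// 2. Deletes are accepted by POST only, so the <frame src="...?del=10">
//    trick above does nothing: a GET to this page never deletes a row.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['del'])) {
    // 3. The submitted token must match the session's (constant-time).
    if (!hash_equals(csrf_token(), (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('bad token');
    }
    // 4. Accept only a positive integer; "10abc" and "1' OR 1=1" fail here,
    //    a stricter form of the strval(intval()) check.
    $id = filter_var($_POST['del'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('bad id');
    }
    del($pdo, $id);
    header('Location: adminhouse7.php');
    exit;
}
?>
<!-- The Delete link becomes a small form carrying the token ($row from the listing loop) -->
<form method="post" action="adminhouse7.php">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input type="hidden" name="del" value="<?= (int)$row['id'] ?>">
  <button type="submit">Delete</button>
</form>
```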
Posted: Wed Aug 17, 2005 9:55 am
by ra
I think I missed something...
Code:
<?PHP
if (isset($_GET['del']))
{
    // make sure id to delete is an integer
    if ($_GET['del'] == strval(intval($_GET['del'])))
    {
        $query = ("DELETE FROM openhouse WHERE id='$id'");
    }
}
?>
Posted: Wed Aug 17, 2005 1:03 pm
by timvw
If you use that code, what is the use of the del function?