delete a row

Posted: Tue Aug 16, 2005 2:56 pm
by ra
OK, here is my delete function:

<?PHP
function del($id) {
    $query = doquery("DELETE FROM openhouse WHERE id='$id'");
    header("Location: adminhouse7.php");
    die();
}
?>
and here is the Delete Button:

<td><a href="adminhouse7.php?del=<?PHP echo $row["id"]; ?>">Delete</a></td>
What am I doing wrong?

Posted: Tue Aug 16, 2005 3:09 pm
by timvw
You are only showing the function.. you still need to call it with input from $_GET...

Posted: Tue Aug 16, 2005 3:09 pm
by feyd
no SQL injection protection? :?

Posted: Tue Aug 16, 2005 3:12 pm
by timvw
Btw, you might want to reconsider your security design. Read section 2 of http://phpsec.org/projects/guide/ for a better explanation of what I'm talking about.

Posted: Tue Aug 16, 2005 3:38 pm
by ra
timvw wrote:You are only showing the function.. you still need to call it with input from $_GET...
so where/how should the $_GET be placed?

Posted: Tue Aug 16, 2005 3:40 pm
by ra
and is all of this security talk relevant if only authorized users (employees) have access to this page?

Posted: Tue Aug 16, 2005 3:59 pm
by feyd
security is required anywhere a network connection or data is kept. The data may not be all that important to you, but it may be important to someone else..

Posted: Tue Aug 16, 2005 4:18 pm
by timvw
ra wrote:
timvw wrote:You are only showing the function.. you still need to call it with input from $_GET...
so where/how should the $_GET be placed?
Wherever you want to call the function to delete something..

In your example, it would be in adminhouse7.php and code would look like:

if (isset($_GET['del']))
{
  // make sure id to delete is an integer
  if ($_GET['del'] == strval(intval($_GET['del'])))
  {
     del($_GET['del']);
  }
}

Posted: Tue Aug 16, 2005 4:21 pm
by timvw
ra wrote:and is all of this security talk relevant if only authorized users (employees) have access to this page?
If you follow the link and read what I suggested you will be able to answer that question (big YES).

For example: imagine what would happen in the following case: someone has a site that the employees visit often, and he places the following on his site:

<frameset cols="1,*">
  <frame src="http://yoursite.example.com/adminhouse7.php?del=10"/>
  <frame src="index.html"/>
</frameset>
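Pulling together the two points made in this thread (validating the id as an integer, and the framed link that makes an authenticated employee's browser issue the delete request), the following is an added example and not code from the thread: a hardened version of the adminhouse7.php delete handler. It assumes PHP 7 or later, a PDO connection already available in $pdo, and a login system that sets $_SESSION['user_id']; delete_openhouse, csrf_token and the form markup are illustrative names, and $row comes from the listing loop as in the original Delete button.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+, a PDO
// connection in $pdo, and a login that sets $_SESSION['user_id'].
session_start();

// 1. Only logged-in users may reach the handler at all.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

// 2. One random token per session; it is embedded in the delete form
//    below and checked on every delete request.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function delete_openhouse(PDO $pdo, int $id): int
{
    // Prepared statement: the id is bound as a parameter instead of
    // being pasted into the SQL text, so quotes or other characters in
    // the input cannot alter the query.
    $stmt = $pdo->prepare('DELETE FROM openhouse WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['del'])) {
    // 3. A request that another site caused the browser to send will
    //    not carry this session's token, so it is rejected here.
    $token = $_POST['csrf_token'] ?? '';
    if (!hash_equals($_SESSION['csrf_token'], $token)) {
        http_response_code(403);
        exit('Invalid request token');
    }

    // 4. Validate the id as a positive integer before it reaches SQL.
    $id = filter_var(
        $_POST['del'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        exit('Invalid id');
    }

    delete_openhouse($pdo, $id);
    header('Location: adminhouse7.php');
    exit;
}
?>
<!-- The Delete control is a POST form rather than a GET link, so simply
     loading a URL (in a frame, an image tag, or a link) cannot delete. -->
<form method="post" action="adminhouse7.php">
  <input type="hidden" name="csrf_token"
         value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8'); ?>">
  <input type="hidden" name="del" value="<?php echo (int) $row['id']; ?>">
  <button type="submit">Delete</button>
</form>
```

The three checks are independent: the session check answers the "only employees can reach it" question, the token check addresses the framed-link case from this reply, and the integer validation plus the prepared statement address the injection point feyd raised. Removing any one of them reopens the corresponding problem.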

Posted: Wed Aug 17, 2005 9:55 am
by ra
I think I missed something...

if (isset($_GET['del']))
{
  // make sure id to delete is an integer
  if ($_GET['del'] == strval(intval($_GET['del'])))
  {
     $query = ("DELETE FROM openhouse WHERE id='$id'");
  }
}

?>

Posted: Wed Aug 17, 2005 1:03 pm
by timvw
If you use that code.. what is the use of the del function?