Delete button and confirmation

Question

Hi I have a working link to delete a row from my database.

<a href="?action=delete&id=<? echo $id ?>" onclick="return confirm('Are you sure you want to delete?')"><strong>Delete this Case</strong></a></td>
<?php
    if($_POST['action']=="delete")
    {
         $id = $_POST['id'];

         mysql_query("DELETE FROM rmstable2 WHERE id= '$id'");
         echo("> Case # $id has been deleted as requested. To see your changes please click <a href='/martinupdate.php?id=$id'>here</a></b><br>");
    }
?>

what I am looking to do is instead of having a link I want to have a button that when pressed it brings up a confirmation and then deletes the row if true.
I do not want accidental deletions.

<form>
    <input type="button" value="Delete this Case" onclick="return confirm('Are you sure you want to delete?')"; 
    <a href="?action=delete&id=<? echo $id ?>">
</form>

Don't use `GET` to delete things! All that will happen is a machine will come along and follow all the links and delete everything from your database! — Nicholas Shanks, Jun 06 '13 at 12:38
This is an admin page and it is a prototype so I am not worried about that much, its more to get it working and then show it as a prototype that will be rebuilt using another language. — Alexandra, Jun 06 '13 at 12:40
@Alexandra That's good to know, but nonetheless, others may come along and see this stack overflow post and copy you in production environments. — Nicholas Shanks, Jun 06 '13 at 12:43
@messifan you are right about that, what is a better option? — Alexandra, Jun 06 '13 at 12:51

score 5 · Answer 1 · answered Jun 06 '13 at 12:40

5

you have to put your confirmation in the onSubmit event of the form

so if the user cancel the confirmation, the form won't be sent

<form onSubmit="return confirm('Are you sure you want to delete?')">
<button type="submit" ...>
</form>

answered Jun 06 '13 at 12:40

Guillaume Aversa

167
1
5

I am a bit confused, is this separate to the form I have already or should I add onSubmit to button code – Alexandra Jun 06 '13 at 12:56
he means on the same form, you replace the with a – Nicholas Shanks Jun 06 '13 at 13:03
@Nicholas I am getting a boolean now :/ – Alexandra Jun 06 '13 at 13:30
the return value of the dialog should prevent/allow the submission to continue. I will try adding my own answer – Nicholas Shanks Jun 06 '13 at 13:32
@Nicholas Thank you! Maybe I am doing it wrong. The confirmation works but then I get a boolean – Alexandra Jun 06 '13 at 13:35

score 5 · Accepted Answer · answered Jun 06 '13 at 13:43

Try this at the top of your file:

<?php

if ($_SERVER['REQUEST_METHOD'] == 'DELETE' || ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['_METHOD'] == 'DELETE')) {
    $id = (int) $_POST['id'];
    $result = mysql_query('DELETE FROM rmstable2 WHERE id='.$id);
    if ($result !== false) {
        // there's no way to return a 200 response and show a different resource, so redirect instead. 303 means "see other page" and does not indicate that the resource has moved.
        header('Location: http://fully-qualified-url/martinupdate.php?id='.$id, true, 303);
        exit;
    }
}

With this as the form:

<form method="POST" onsubmit="return confirm('Are you sure you want to delete this case?');">
    <input type="hidden" name="_METHOD" value="DELETE">
    <input type="hidden" name="id" value="<?php echo $id; ?>">
    <button type="submit">Delete Case</button>
</form>

A follow-up note to people who are still coming to this answer: The goal here was for a form that posted to itself with an ID to be deleted. This is not a RESTful design. A better design would be to send the request to a URL that included the ID in the address (rather than the request body), such as /cases/23 or /cases?id=23 The latter could well have been used here, actually, but the poster may have had other code that used $_POST['id'] so I played safe and left it as a POST field in the answer. — Nicholas Shanks, Jul 07 '14 at 08:43

score 2 · Answer 3 · edited Jun 20 '20 at 09:12

HTML:

<form id="delete-<?php echo $id; ?>" action="?action=delete" method="post">
    <input type="hidden" name="id" value="<?php echo $id; ?>" />
    <input type="submit" value="Delete this Case" /> 
</form>

JS im assuming jquery for ease:

$("#delete-<?php echo $id; ?>").submit(function() {
    return confirm("Are you sure you want to delete?");
});

What this does is prevent the default submit action if the js confirm returns false (doesn't submit) otherwise lets the regular post go through.

Note: you really shouldn't use html attributes to declare event handlers, this code separates the logic.

EDIT: @Nicholas comment

This is a non-jquery solution. I didn't test it, and i don't believe that preventDefault works in IE <= 8 so I probably wouldn't use it in production BUT it could be done w/o too much code jquery just makes it cross browser and easier.

function loaded()
{
    document.getElementById("delete-<?php echo $id; ?>").addEventListener(
        "submit",
        function(event)
        {
            if(confirm("Are you sure you want to delete?"))
            {
                event.preventDefault();
            }
            
            return false;
        },
        false
     );
}
window.addEventListener("load", loaded, false);

No indication was given that jQuery was available. Without jQuery (or another library) separating out the logic is going to be a fair bit more long-winded. — Nicholas Shanks, Jun 06 '13 at 13:50

Delete button and confirmation

3 Answers3

EDIT: @Nicholas comment

Linked