
My code for deleting an entry is this, but it's not doing anything.

HTML

<form id="form3" name="form3" method="post" onsubmit="return validateForm();" action="">
    Id <input type="text" class="txt" name="id" /><br />
    <input type="submit" id="delete" value="delete"/>
</form>

PHP

global $wpdb;

if ( isset ( $_POST['id'] ) && ! empty ( $_POST['id']  ))
{
    $wpdb->query("DELETE " . PRO_TABLE_PREFIX . "tutorial  WHERE id='{$_POST['id']}'");
}
Gabriel Santos
user1890857

7 Answers

that is how I usually do it:

$wpdb->query("DELETE " . PRO_TABLE_PREFIX . "tutorial  WHERE id='".$_POST['id']."')
syrkull

In order to avoid confusion like this, I always use sprintf() where I need to concatenate strings.

Change:

global $wpdb;
if ( isset ( $_POST['id'] ) && ! empty ( $_POST['id']  )) {
    $wpdb->query("DELETE " . PRO_TABLE_PREFIX . "tutorial  WHERE id='{$_POST['id']}'");
}

to:

global $wpdb;

if ( isset ( $_POST['id'] ) ) {

   // FROM added here: the original statement was missing it, so MySQL rejected it
   $wpdb->query(sprintf("DELETE FROM %stutorial WHERE id='%s'", PRO_TABLE_PREFIX, $_POST['id']));
}

A couple of things to note:

1) You're vulnerable to SQL injection.
2) Once you've used isset() to determine that the key $_POST['id'] actually isn't NULL, you don't need to check if it's empty via empty().

Update

You should really test whether $_POST['id'] is valid. I'd suggest you implement a function like is_id_valid():

function is_id_valid(&$id){ // <-- IMPORTANT: the argument should be a reference, so passing an undefined key does not raise a notice

  if ( ! isset($id) ){
     return false;
  }

  if ( empty($id) ){
    return false;
  }

  // add this if you expect $id to be a numeric value
  // otherwise just ignore - do not add
  if ( ! is_numeric($id) ){
    return false;
  }

  // it's also good to validate the length (fill in the bounds you expect)
  if ( strlen($id) > ... && strlen($id) < ... ){
     return false;
  }

  // seems like all tests passed
  return true;
}

Then you would use it like this:

if ( is_id_valid($_POST['id']) !== false ){
   ....
}

Warning: It's still vulnerable to SQL injection.

Yang
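A hardened version of the delete handler, added here as an example and not code from the question or from any of the answers: it supplies the missing FROM, validates the id as a positive integer and binds it with $wpdb->prepare() so the submitted value can never change the query. It assumes the PRO_TABLE_PREFIX constant from the question and a WordPress context (global $wpdb, wp_verify_nonce, wp_die); the nonce action name delete_tutorial is an arbitrary choice.

```php
<?php
// Added example (not from the question or any answer). Assumes WordPress
// is loaded and PRO_TABLE_PREFIX . 'tutorial' is the table from the question.

function delete_tutorial_by_id( $raw_id ) {
    global $wpdb;

    // 1. Validate: the id must be a positive integer. filter_var() rejects
    //    values such as "1 OR 1=1", "1; DROP TABLE x" or "12abc" outright.
    $id = filter_var( $raw_id, FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 1 ) ) );
    if ( false === $id ) {
        return false; // nothing deleted, input was not an id
    }

    // 2. Bind the value with prepare(). %d is an integer placeholder, so even
    //    if validation were bypassed the value cannot alter the SQL structure.
    //    The table name comes from a constant, not from the request.
    $table = PRO_TABLE_PREFIX . 'tutorial';
    $sql   = $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $id );

    // 3. query() returns the number of affected rows, or false on a DB error.
    $rows = $wpdb->query( $sql );
    if ( false === $rows ) {
        error_log( 'tutorial delete failed: ' . $wpdb->last_error );
        return false;
    }
    return $rows; // 0 means no row had that id
}

// Form handler: act only on POST and only when the request carries a valid
// nonce, so a forged request from another site cannot delete rows.
if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['id'] ) ) {
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'delete_tutorial' ) ) {
        wp_die( 'Invalid request.' );
    }
    $deleted = delete_tutorial_by_id( $_POST['id'] );
    echo $deleted ? 'Deleted ' . (int) $deleted . ' row(s).' : 'Nothing deleted.';
}
```

For the nonce check to pass, the form above needs `<?php wp_nonce_field( 'delete_tutorial' ); ?>` inside it, which emits the hidden `_wpnonce` field.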

Remove the single quotes around $_POST['id']:

// FROM added here: it was missing from the original statement
$wpdb->query("DELETE FROM " . PRO_TABLE_PREFIX . "tutorial WHERE id={$_POST['id']}")

OR

echo $query = "DELETE FROM " . PRO_TABLE_PREFIX . "tutorial WHERE id =".mysql_real_escape_string($_POST['id']);
$wpdb->query($query); // was $wbpd, a typo for the global $wpdb object
Suresh Kamrushi
$wpdb->query("DELETE FROM " . PRO_TABLE_PREFIX . "tutorial  WHERE id='{$_POST['id']}'");

PS: Go over there and accept the one answer that helped you most. And here too! :P

Xfile
  • @user1890857 - You must accept answers in order for us to give you the right code.. and this one, although it's working, is wrong. – Xfile Jan 01 '13 at 07:23
  • Just think about helping someone. More reputation will not grant you a reward. – Gabriel Santos Jan 01 '13 at 07:26
  • @Gabriel Santos - Well if someone is too lazy or whatever to press one button in exchange for 20 mins help (this is the 3rd time).. I think that person deserves everything else but help. Thx for nice words though ;) – Xfile Jan 01 '13 at 07:36
  • He may be lazy or you may not have the solution. I understand you (: – Gabriel Santos Jan 01 '13 at 07:41
  • @Gabriel Santos - Yes. That is the thing for sure :D – Xfile Jan 01 '13 at 07:46
  • @user1890857 No, you are not lazy, sorry if you understood wrong. Re-read the comments above. – Gabriel Santos Jan 01 '13 at 07:50
  • @user1890857 - You are lazy because you are not rewarding people who are helping you by accepting their answers. That is the point of this domain. And it is important because someone who has the same problem as you will see which answer helped you solve that problem. When you receive good code, click on "correct answer" and that's it! So simple. – Xfile Jan 01 '13 at 07:57

Try the following code:

global $wpdb;

if ( isset ( $_POST['id'] ) && ! empty ( $_POST['id']  ))
{
    $wpdb->query("DELETE FROM " . PRO_TABLE_PREFIX . "tutorial  WHERE id=".$_POST['id']);
}
The Real Coder
Give some action path to the form.

html

<form id="form3" name="form3" method="post" onsubmit="return validateForm();" action="give some actions">
    Id <input type="text" class="txt" name="id" /><br />
    <input type="submit" id="delete" value="delete"/>
</form>

php

global $wpdb;

if ( isset ( $_POST['id'] ) && ! empty ( $_POST['id']  ))
{
  $id=stripslashes_deep($_POST['id']);
  $wpdb->query("DELETE FROM " . PRO_TABLE_PREFIX . "tutorial  WHERE id=$id");
}
Adarsh Raj

Since you are checking for id in the WHERE clause, you need not wrap it in quotes, and you are missing FROM in your delete statement, so the standard way would be as follows. And do some filtering of POST data before inserting it into the database, like doing:

$id = (int) $_POST['id'];
if( $id > 0 ) {
    $wpdb->query("DELETE FROM " . PRO_TABLE_PREFIX . "tutorial  WHERE id=".$_POST['id']);
}
Sudhir Bastakoti
  • -1 Please either 1) write acceptably safe code *and/or* 2) clearly state the issue(s) with the provided code. **Answers like this just continue the promotion of *bad, unsafe code*.** –  Jan 01 '13 at 21:40
  • I guess adding some comment along with the answer made it clearer than before... ! – Sudhir Bastakoti Jan 02 '13 at 04:17
  • The quotes (or lack thereof) aren't the problem. The [SQL injection](http://en.wikipedia.org/wiki/SQL_injection) is :( Here are [some practical demonstrations](http://www.unixwiz.net/techtips/sql-injection.html) and solutions. –  Jan 02 '13 at 04:29
  • @Sudhir you clearly copied my own answer because I made the same typo. You should be ashamed of yourself :( it is `id=".$_POST['id']."` not `id=".$_POST['id']` – syrkull Jan 03 '13 at 05:48
  • @shnisaka Look carefully, I don't have single quotes in id='"... where do you see it...? – Sudhir Bastakoti Jan 03 '13 at 05:49