2

I am new to PHP and just wanting to make a basic page where I can see all the users in the database and delete them. I have come this far, but it keeps on telling me that I have an Undefined index: user_id, and although it tells me that it has deleted the fields, it has not deleted anything. Here is my code:

```php
<?php include_once "includes/scripts.php"; ?>
<?php include_once "includes/connect.php";?>
<?php include_once "includes/cms_page_security.php";?>
<div id="cms_container"><br>
    <br>
    <h1>MANAGE USERS<img src="images/three_column_grid_line.png" alt="line"></h1>
    <p class="logout_btn"><a href="admin_cms.php">Back</a></p>
<?php
$tbl="users"; // Table name 
$sql = "SELECT * FROM $tbl";
$result = mysql_query($sql, $connect);
while($rows = mysql_fetch_array($result)){
?>
<?php
echo $rows['user_id'];
echo $rows['user_name'];
echo $rows['user_password'];  
?> 
<a href="delete_user.php?id= <? echo $rows['user_id']; ?>">delete</a>
<?php
}
?>
<?php
mysql_close();
?>
</div><!--cms_container-->
</body>
</html>
```

The page that it should link to that deletes the query:

```php
<?php include_once "includes/connect.php";?>
<?php
    $tbl="users"; 
    $user_id= $_GET ['user_id'];
    $sql="DELETE FROM $tbl WHERE user_id = '$user_id'";
    $result = mysql_query($sql, $connect);
    if($result){
        echo "Deleted Successfully";
        echo "<BR>";
        echo "<a href='delete.php'>Back to main page</a>";
    }else {
        echo "ERROR";
    }
    ?> 
<?php
mysql_close();
?>
```
henk.io
  • 1
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Oct 13 '13 at 18:42
  • where is `$connect` in your `delete.php` – Moeed Farooqui Oct 13 '13 at 18:43
  • @Quentin I am just curious, do you have some ***Danger*** templates? – sybear Oct 13 '13 at 18:44
  • 1
    Just one. W3Schools has a lot to answer for. – Quentin Oct 13 '13 at 18:48
  • like eating raw `$_GET` params; if you don't escape it properly you are vulnerable to SQL injections – Soundz Oct 13 '13 at 18:49

5 Answers

3

In delete_user.php you must get user_id

```php
$user_id= $_GET ['id'];
```

because in your `<a href="delete_user.php?id= <? echo $rows['user_id']; ?>">delete</a>` link the GET variable is "id", not "user_id".

Felix
2

You really should be using PDO instead. The issue is in the information that you are passing.

The link: `<a href="delete_user.php?id= <? echo $rows['user_id']; ?>">delete</a>` is looking for an 'id' but you're later looking for 'user_id'

If you change it to `<a href="delete_user.php?user_id=<? echo $rows['user_id']; ?>">delete</a>`, it should work.

I still strongly suggest you look into PDO instead though, it's much more secure and easier to work with.

Example of PDO Delete

```php
public function deleteUser($username, $user_id){

    if($this->isAdmin($username) == true){

        $query = $this->db->prepare('DELETE FROM users WHERE user_id = ?');
        $query->bindValue(1, $user_id);

        try{
            $query->execute();
        }catch(PDOException $e){
            die($e->getMessage());
        }
    }else{
        return false;
    }
}
```

I'm running an extra check to make sure the person who is requesting the deletion is an admin member, but you should be able to see the structure.

null
1

In addition to the other answers:

It looks like this line could be a fatal error, if PHP short tags aren't enabled:

```php
<a href="delete_user.php?id= <? echo $rows['user_id']; ?>">delete</a>
```

The PHP manual says:

*PHP also allows for short tags `<?` and `?>` (which are discouraged because they are only available if enabled with short_open_tag php.ini configuration file directive, or if PHP was configured with the --enable-short-tags option.* http://php.net/manual/en/language.basic-syntax.phptags.php

T.Coutlakis
0

The SQL query will be successful even if it alters zero rows. You are prefixing your user ids with a space when you are generating your HTML (`id= <?`), so you aren't matching any rows (since `"1"` won't be matched by `" 1"`).

Quentin
0

Where you are creating your 'Delete' link

```php
<a href="delete_user.php?id= <? echo $rows['user_id']; ?>">delete</a>
```

You're creating a variable of 'id', but later you look for 'user_id'.

Change your link to

```php
<a href="delete_user.php?user_id=<? echo $rows['user_id']; ?>">delete</a>
```
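
The points raised in the answers above combined into one handler, as an added example that is not code from any of the posters: it reads the `user_id` key, trims and validates it, binds it in a PDO prepared statement, and checks `rowCount()` because a DELETE that matches zero rows still succeeds. The `deleteUserById` helper, the in-memory SQLite database and the sample rows are assumptions made so the example runs offline.

```php
<?php
// Added example, not code from the thread. Constructed data in an in-memory
// SQLite database so it runs offline; the real page would connect to MySQL.

function deleteUserById(PDO $db, array $params): string
{
    // Read the same key the link sends; report a missing key instead of
    // triggering "Undefined index".
    if (!isset($params['user_id']) || !is_string($params['user_id'])) {
        return 'missing user_id';
    }
    // Strip stray whitespace (such as the space after "id=") and accept digits only.
    $id = trim($params['user_id']);
    if (!ctype_digit($id)) {
        return 'invalid user_id';
    }
    // Prepared statement: the value is bound, never concatenated into the SQL.
    $stmt = $db->prepare('DELETE FROM users WHERE user_id = ?');
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    // A DELETE that matches no rows still succeeds, so check the affected count.
    return $stmt->rowCount() === 1 ? 'deleted' : 'no such user';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT)');
$db->exec("INSERT INTO users (user_id, user_name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed request parameters standing in for $_GET / $_POST.
$requests = [
    ['id' => '1'],               // wrong key, as in the question's link
    ['user_id' => ' 1'],         // leading space from the generated HTML
    ['user_id' => '1 OR 1=1'],   // not an integer: rejected before any SQL runs
    ['user_id' => '1'],          // row is already gone: zero rows affected
];
foreach ($requests as $params) {
    echo json_encode($params), ' => ', deleteUserById($db, $params), PHP_EOL;
}
```

In a real page, pass `$_POST` from a form rather than `$_GET`, so that merely following or prefetching a link cannot delete a record.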