-4

I created a page called delete.php

with the following code

<?php

require_once("database.php");
$con = mysql_connect($config["db_server"],$config["db_user"],$config["db_pass"]);
mysql_select_db($config['db_name'], $con);


// The SQL statement that deletes the record
$strSQL = "DELETE FROM records WHERE record_id = 1";
mysql_query($strSQL);

// Close the database connection
mysql_close();
?>

Now if I go to http://www.domain.com/delete.php, it will delete the record with id 1 in table records.

How do I use a PHP string so that when I go to http://www.domain.com/delete.php?del?=25 it deletes record_id 25?

Thanks.

geomagas
user2958236
    Apart from apparently having put no effort into finding out what $_GET and $_POST are, you should never do a deletion via a GET request because [GET is for idempotent and safe requests](http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html) which a deletion obviously isn't. Besides, you don't want a web spider crawling your deletion.php with various IDs if you want to keep that data. – Gordon Nov 06 '13 at 21:58

2 Answers

5

You would use the $_GET superglobal to capture the passed variable.

$deleteId = $_GET['del'];
$strSQL = "DELETE FROM records WHERE record_id = $deleteId";

However, this is insecure and wrong. Do not use this code!

You will need to stop using mysql_ functions (they are deprecated) and use prepared statements to help prevent SQL injection.

As mentioned in the comments, this method is not suggested due to possible issues with web spiders. This article discusses that issue and this question discusses the best practices.

Community
Kermit
1

Firstly, your url construction is incorrect. It should be:

http://www.domain.com/delete.php?del=25

Then you can use del via GET to access the value:

 $del_id = $_GET['del'];
 $strSQL = "DELETE FROM records WHERE record_id = $del_id";

mysql_ is deprecated. You should be using mysqli_ or (even better) PDO instead.

The above code is susceptible to what's known as MySQL injection.

As a rule of thumb, never ever trust the data coming from the user. So what you're doing here is without exaggeration disastrous.

Example:

// GET value: dave
$query = "SELECT username, password FROM users WHERE username='$name'";
// Translates to:
$query = "SELECT username, password FROM users WHERE username='dave'";


// Malicious input
// GET value: 'OR'1
$query = "SELECT username, password FROM users WHERE username='$name'";
// Translates to:
$query = "SELECT username, password FROM users WHERE username=''OR'1'";

The nasty thing here is, 1 evaluates to true thus returning all usernames and passwords in the users table!

mysqli_real_escape_string() to the rescue

Despite being a mouthful to say, this function provides a safeguard by escaping injection attempts with MySQL-friendly '\' quote.

So pumping all your GET/POST data through this function provides a layer of security.

// $con is the connection returned by mysqli_connect()
$name = mysqli_real_escape_string($con, $_POST['username']);

Now hopefully that makes sense. Despite rhapsodising mysqli_real_escape_string() I would highly recommend (at some point) looking into using something a bit more sophisticated like PDO instead.

kaizenCoder
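A hardened version of the delete.php discussed in the answers above, as an added example that is not part of the original posts: it accepts the id only over POST, validates it as an integer, and binds it through a PDO prepared statement. The function name deleteRecord, the sample rows and the in-memory SQLite database (standing in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Added example, not from the original posts. An in-memory SQLite database
// stands in for the MySQL server so the script runs offline; with MySQL only
// the DSN changes, e.g. new PDO('mysql:host=...;dbname=...', $user, $pass).

/**
 * Delete one row of `records` by id and return the number of rows removed.
 * deleteRecord() is a hypothetical helper name chosen for this example.
 */
function deleteRecord(PDO $pdo, string $method, $rawId): int
{
    // A deletion changes state, so refuse GET: a crawler following links
    // must never be able to trigger it.
    if ($method !== 'POST') {
        throw new RuntimeException('deletion requires POST');
    }
    // Validate the id as a positive integer before it gets near the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('record id must be a positive integer');
    }
    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $pdo->prepare('DELETE FROM records WHERE record_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE records (record_id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO records VALUES (1, 'a'), (25, 'b'), (26, 'c')");

// Constructed requests: (HTTP method, value of the "del" parameter).
$requests = [['POST', '25'], ['GET', '26'], ['POST', '26 OR 1=1'], ['POST', '99']];
foreach ($requests as [$method, $del]) {
    try {
        $n = deleteRecord($pdo, $method, $del);
        printf("%s del=%s: %d row(s) deleted\n", $method, $del, $n);
    } catch (Exception $e) {
        printf("%s del=%s: rejected (%s)\n", $method, $del, $e->getMessage());
    }
}
echo 'rows left: ', $pdo->query('SELECT COUNT(*) FROM records')->fetchColumn(), "\n";
```

In a real delete.php the two request arguments would come from `$_SERVER['REQUEST_METHOD']` and `$_POST['del']`.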