
I need to put a mysql_query in the onClick event of a div. I tried this, but it does not work.

notifiche.php

```php
<?php
while ($i < $result) {
    $id_noti = mysql_result($res, $i, "id");
    $msg = mysql_result($res, $i, "msg");
    ?>
    <div class="box" align="left" style="color: #5c5c5c; padding:4px; border-bottom: 1px solid #c0c0c0; width: 170px !important; position:relative; z-index: auto;">
        <div onClick="doSomething();" class="close_box" align="right" style="font-weight:bold; position:absolute; right:0; top:0; z-index:1; cursor:pointer;">
            x
            <input type="hidden" name="del_noti" value="<?echo $id_noti;?>">
        </div>
        <? echo $msg; ?>
    </div>
    <?  $i++;
}
```

The script in the head of the main page is

```html
<script type="text/javascript">
    function doSomething() {
        $.post("del_notif.php");
        return false;
    }
</script>
```

and del_notif.php is

```php
<?php
include 'files/config.php';
mysql_query("UPDATE notifiche SET a='delete' WHERE id='$_POST[del_noti]'");
```
fmineo

  • Please don't use `mysql_*` functions anymore, they are deprecated. See [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) for details. Instead you should learn about [prepared statements](http://bobby-tables.com/php.html) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you can't decide which, [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you. If you pick PDO, [here is a good tutorial](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers). – Marcel Korpel Nov 11 '13 at 12:23
  • `I tried this, but not work..` what does not work? Any error messages? Called `del_notif.php` plain (not via ajax)? Please escape variables with user content in them. And yes: never ever use `mysql_*` as mentioned by @MarcelKorpel – TiMESPLiNTER Nov 11 '13 at 12:24
  • [SQL Injection](https://en.wikipedia.org/wiki/SQL_injection) ... – onionpsy Nov 11 '13 at 12:24
  • @TiMESPLiNTER Or better, use prepared statements instead of escaping. – Marcel Korpel Nov 11 '13 at 12:31
  • @MarcelKorpel Of course yes, but escaping would be fine and the only solution for `mysql_*`... but it doesn't matter: as long as he uses `mysql_*` it's unsafe anyway. – TiMESPLiNTER Nov 11 '13 at 12:34
  • @TiMESPLiNTER Escaping isn't always fine, there are edge cases where escaping (*and* emulated prepared statements, which PDO defaults to) aren't sufficient, depending on the character set you're using. – Marcel Korpel Nov 11 '13 at 12:38
  • But you can't do more than escaping with the `mysql_*` functions because there are no prepared statements, so if he does not change he should at least escape the vars. That's what I'm trying to say. – TiMESPLiNTER Nov 11 '13 at 12:39

1 Answer

You have to pass the argument to your doSomething function

```html
<div onClick="doSomething(<?echo $id_noti;?>)"...>
```

and in your script

```html
<script type="text/javascript">
    function doSomething(id) {
        $.post("del_notif.php", {id: id});
        return false;
    }
</script>
```

and on the server

```php
<?php
include 'files/config.php';
mysql_query("UPDATE notifiche SET a='delete' WHERE id=" . (int) $_POST["id"]);
```
Philipp
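The `(int)` cast in the answer keeps the id out of the SQL text; the comments recommend going further and using prepared statements. Here is an added example of what `del_notif.php` looks like with PDO (this is not the asker's or the answerer's code; it assumes `files/config.php` defines `$dsn`, `$db_user` and `$db_pass`, names chosen here, and it keeps the `{id: id}` POST field from the answer's `doSomething`).

```php
<?php
// del_notif.php, hardened version (added example, not code from the question or answer).
// Assumption: files/config.php defines $dsn, $db_user and $db_pass for PDO.
declare(strict_types=1);

require 'files/config.php';

header('Content-Type: application/json');

// Only accept POST: a plain GET link or <img> tag must not be able to trigger the update.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'POST required']);
    exit;
}

// Validate the id as a positive integer instead of interpolating $_POST into the SQL.
// filter_input() returns null when the field is missing and false when it is not an int.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid id']);
    exit;
}

$pdo = new PDO($dsn, $db_user, $db_pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements, not client-side escaping
]);

// The id is bound as a parameter, so the database never parses it as part of the statement.
// If notifications belong to users (the page shows no owner column), add
// "AND user_id = :uid" bound from the session so one user cannot delete another's rows.
$stmt = $pdo->prepare("UPDATE notifiche SET a = 'delete' WHERE id = :id");
$stmt->execute([':id' => $id]);

echo json_encode(['deleted' => $stmt->rowCount()]);
```

With `PDO::ATTR_EMULATE_PREPARES` set to false the statement and its parameter travel separately, which avoids the character-set edge cases of emulated prepares that Marcel Korpel mentions in the comments.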