
JS FILE

```javascript
// Three buttons here: SAVE, DELETE and CANCEL
// Save works like it is supposed to: it saves to the database
// Delete only does $calendar.weekCalendar("removeEvent", calEvent.id); but doesn't delete from the database

    buttons: {
        save : function() {
            calEvent.id = id;
            id++;
            calEvent.start = new Date(startField.val());
            calEvent.end = new Date(endField.val());
            calEvent.title = titleField.val();
            calEvent.body = bodyField.val();

            // post to events.php

            $.post("events.php?action=save&start="+calEvent.start.getTime()/1000+"&end="+calEvent.end.getTime()/1000+"&title="+calEvent.title+"&body="+calEvent.body);

            $calendar.weekCalendar("removeUnsavedEvents");
            $calendar.weekCalendar("updateEvent", calEvent);
            $dialogContent.dialog("close");
        },,
        "delete" : function() {
            calEvent.id = id;
            id++;

            // It must send calEvent.id to PHP action=del
            $.get( "events.php", { action: "del", id: calEvent.id });

            $calendar.weekCalendar("removeEvent", calEvent.id);
            $dialogContent.dialog("close");
        } ,
        cancel : function() {
            $dialogContent.dialog("close");
        }
    }
}).show();
```

PHP FILE

```php
$action = $_REQUEST['action'];

if (!$link = mysql_connect('host', 'user', 'pass')) {
    echo 'Could not connect to mysql';
    exit;
}

if (!mysql_select_db('agenda', $link)) {
    echo 'Could not select database';
    exit;
}
if ($action === 'del')
{
    $id = $_GET['id'];

    $del = "DELETE FROM meeting_rooms_calendar WHERE id='$id'";
    $result = mysql_query($del, $link);
    print_r($id);
}
elseif($action === 'save')
{
    $title = $_REQUEST['title'];
    $body = $_REQUEST['body'];
    $start_time = (int)$_REQUEST['start'];
    $start_time = $start_time + 60*60;
    $end_time = (int)$_REQUEST['end'];
    $end_time = $end_time + 60*60;
    $start = date('c',$start_time);
    $end = date('c',$end_time);
    $sql = "INSERT INTO meeting_rooms_calendar(title,body,start,end) VALUES ('$title','$body','$start','$end')";
    $result = mysql_query($sql, $link);

}
```

Now if I click save, save will post the request variables to PHP and PHP to the database; when I click DELETE it doesn't send the requested ID to PHP, so PHP can't delete it from the database. How can I make the JS file send the ID to PHP?

If I do it manually by

www.myweb.com/events.php?action=del&id=1

this will delete it from the database, so that means PHP works. It's just the JS part; it doesn't delete it automatically from the database.

  • `delete` is in quotes but the others are not in the JS file. And there are two commas before the delete key. – zkanoca Nov 21 '13 at 13:23
  • 5
    `events.php?action=del&id=' OR 1 = 1 --`. Suddenly **all** of your events are gone - weird isn't it? [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – h2ooooooo Nov 21 '13 at 13:24
  • @ÖzkanÖZLÜ Delete is a reserved word in JS – George Nov 21 '13 at 13:24
  • @h2ooooooo does changing it to PDO fix my problem? – user2957155 Nov 21 '13 at 13:27
  • 1
    @user2957155 Not out of the box, no. If you use prepared statements and **bind** your variables (not concat them into your query), then yes. It will protect you. This is called "SQL Injection" and you can find thousands of questions here on SO about it. [This is a great place to start](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) – h2ooooooo Nov 21 '13 at 13:29
  • @h2ooooooo, only logged-in users will have access to this. – user2957155 Nov 21 '13 at 13:32
  • @user2957155 There is **no** excuse for allowing SQL injection. **No** excuse. What if you allow a user to type a sentence and it's `You're all stupid`? Then SQL injection screws you once again. Please don't go the easy way with this, as you **are** going to end up having to do all this again, and it's a horrible horrible horrible way of thinking to think "oh well, my site is hackable - it doesn't matter". You **are** going to have a problem eventually. At the very least, please run all variables you paste into an SQL query through `mysql_real_escape_string` if you want absolute minimum effort – h2ooooooo Nov 21 '13 at 13:35
  • @h2ooooooo, this will integrate with WordPress, so database access will use the WordPress config. This database access is just to make it work: to send the ID to PHP and delete it in the database. – user2957155 Nov 21 '13 at 13:46
  • @user2957155 But you're not using any of WP's escaping features, so essentially you're opening up to anyone. WP has PLENTY of SQL injection features. http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks – h2ooooooo Nov 21 '13 at 13:48
  • @h2ooooooo not YET, it will be after getting it to work. – user2957155 Nov 21 '13 at 13:53
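A hardened version of the events.php handler, as an added example that is not the asker's code or the calendar plugin's: it uses PDO prepared statements as h2ooooooo's comments suggest, assumes the JS sends both actions with `$.post`, and returns the inserted row's id on save so the delete button can send the real database id rather than the client-side `id` counter. Host, database name and credentials are placeholders.

```php
<?php
// Added example, not the asker's code: events.php with PDO prepared statements.
// Request values are bound as data, so they can never alter the query structure.
// DSN and credentials are placeholders. Save returns the database-generated id
// so the client can keep the real id and send it back on delete.
header('Content-Type: application/json');

try {
    $pdo = new PDO('mysql:host=localhost;dbname=agenda;charset=utf8mb4',
        'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
} catch (PDOException $e) {
    http_response_code(500);
    echo json_encode(['error' => 'database unavailable']); // never expose $e->getMessage()
    exit;
}

$action = $_POST['action'] ?? '';

if ($action === 'del') {
    // Accept only a positive integer id; anything else is rejected before SQL.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        echo json_encode(['error' => 'invalid id']);
        exit;
    }
    // Original: "DELETE FROM meeting_rooms_calendar WHERE id='$id'" (string concatenation).
    // Here :id is bound, so an input like ' OR 1=1 -- fails validation and could not change the query anyway.
    $stmt = $pdo->prepare('DELETE FROM meeting_rooms_calendar WHERE id = :id');
    $stmt->execute([':id' => $id]);
    echo json_encode(['deleted' => $stmt->rowCount()]);
} elseif ($action === 'save') {
    $stmt = $pdo->prepare(
        'INSERT INTO meeting_rooms_calendar (title, body, start, end) VALUES (:title, :body, :start, :end)'
    );
    $stmt->execute([
        ':title' => (string)($_POST['title'] ?? ''),
        ':body'  => (string)($_POST['body'] ?? ''),
        ':start' => date('c', (int)($_POST['start'] ?? 0)),
        ':end'   => date('c', (int)($_POST['end'] ?? 0)),
    ]);
    echo json_encode(['id' => (int)$pdo->lastInsertId()]); // the id the JS should store
} else {
    http_response_code(400);
    echo json_encode(['error' => 'unknown action']);
}
```

On the JS side the save callback would store the returned `id` on `calEvent` and the delete button would post that stored value, instead of assigning the next value of the local counter.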

0 Answers