
I have a webpage where I list all my database data. I have a DELETE link in front of each record. When a user clicks that DELETE link, it redirects the user to a page called delete.php, and on this page I run the delete query. My process is

Index.php

<a href="delete.php?action=delete&id=<?php echo $ID; ?>">DELETE</a>

delete.php

<?php
// the two nested ifs in the original are equivalent to one condition
if (isset($_REQUEST["action"]) && $_REQUEST["action"] == "delete") {
    // the id is taken straight from the query string and interpolated into the SQL unescaped
    $id = $_GET['id'];
    $del_query = mysql_query("DELETE FROM TABLE WHERE id = '$id'");
}

Can anyone tell me a secure method of deleting data? This process is not secure, because a user can directly type delete.php?action=delete&id=3 into the URL, which will delete that record.

Arif
  • Have a look at the SQL injection page in the comment above. – Menelaos Feb 22 '14 at 19:29
  • @MKhalidJunaid I didn't ask about SQL injection. I want a way to pass the ID securely – Arif Feb 22 '14 at 19:31
  • @maythesource.com in that question it is not mentioned how to pass the id or other data securely. – Arif Feb 22 '14 at 19:32
  • *"Can anyone tell me any secure method of deleting data because this process is not secure and user can directly type this in the URL delete.php?action=delete&id=3 which will delete that record."* - Just don't, and do use a login method where the verified and trusted user has permission to do so. – Funk Forty Niner Feb 22 '14 at 19:33
  • @Fred-ii- in my query I also check the user id, but I don't want even a user to be able to delete his own data by typing directly into the URL – Arif Feb 22 '14 at 19:37

1 Answer


You will need a POST method, which can't be given directly (by typing the URL).

Instead of this, use a form:

<a href="delete.php?action=delete&id=<?php echo $ID; ?>">DELETE</a>

<form method="post" action="delete.php?action=delete">
id: <input type="text" name="id"/> <input type="submit"/>
</form>

In delete.php you will need $id = $_POST['id'].

For more security concerns, you will need some type of CAPTCHA technique.

khizar ansari
  • Thank you so much for the answer. I was using a form, but I thought it would load the webpage more – Arif Feb 22 '14 at 19:40
  • @sHAmsuLaRiFeEn Although [GET shouldn’t be used for anything other than data retrieval](http://tools.ietf.org/html/rfc2616#section-9.3), simply changing it to POST won’t change anything unless you have a proper authorization check in effect. – Gumbo Feb 22 '14 at 22:11
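Gumbo's last comment is the crux: moving the id from the query string into a POST body stops nothing, because a POST request can be sent just as easily with curl or a browser console as a GET link can be typed. What actually stops a user from deleting rows they should not is a server-side authorization check (the row's owner must be the logged-in user), and what stops a third-party page from submitting the delete form on a logged-in user's behalf is an anti-CSRF token tied to the session. The PHP below is an added example written for this page; it is not code from the question or the answer above. It assumes a table `items(id, owner_id, name)`, a prior login step that stored the authenticated user's id in `$_SESSION['user_id']`, and PDO with an in-memory SQLite database for the self-contained demo; all three are assumptions, and the sample rows and request attempts are constructed.

```php
<?php
// Added example for this page (not the question's or the answer's code).
// Assumptions: table items(id, owner_id, name); a login step has already put the
// user's id in $_SESSION['user_id']; PDO + SQLite stand in for the real database.

// Generate (once per session) the anti-CSRF token every delete form must carry.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// index.php: render one DELETE form per row instead of a GET link. The row id is
// still visible to the user; that is fine, because delete.php re-checks ownership
// and the token on every request rather than trusting what the browser sends.
function renderDeleteForm(array &$session, int $id): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="delete.php">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">DELETE</button>'
         . '</form>';
}

// delete.php: returns the number of rows deleted, or throws for a rejected request.
function handleDelete(PDO $db, array $session, array $post, string $method): int
{
    if ($method !== 'POST') {
        throw new RuntimeException('405: delete must be a POST, not a GET link');
    }
    if (empty($session['user_id'])) {
        throw new RuntimeException('401: not logged in');
    }
    // Constant-time comparison against the token stored in the session.
    $token = $post['csrf_token'] ?? '';
    if ($token === '' || !hash_equals($session['csrf_token'] ?? '', $token)) {
        throw new RuntimeException('403: missing or invalid CSRF token');
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new RuntimeException('400: id must be an integer');
    }
    // Prepared statement: $id never enters the SQL text, so an injection payload is
    // just a rejected id. The owner_id predicate makes ownership part of the query,
    // so a user can only ever delete rows that belong to them.
    $stmt = $db->prepare('DELETE FROM items WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => (int) $session['user_id']]);
    return $stmt->rowCount();
}

// --- Demo on a constructed in-memory database (no web server needed) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT)');
$db->exec("INSERT INTO items VALUES (1, 7, 'mine'), (2, 7, 'also mine'), (3, 9, 'someone elses')");

$session = ['user_id' => 7];            // constructed: user 7 is logged in
echo renderDeleteForm($session, 1), PHP_EOL;
$token = $session['csrf_token'];

// Constructed requests: what an attacker or a curious user might send to delete.php.
$attempts = [
    'typed URL (GET)'       => ['GET',  ['id' => '1', 'csrf_token' => $token]],
    'forged POST, no token' => ['POST', ['id' => '1']],
    'injection attempt'     => ['POST', ['id' => "1' OR '1'='1", 'csrf_token' => $token]],
    "other user's row"      => ['POST', ['id' => '3', 'csrf_token' => $token]],
    'legitimate delete'     => ['POST', ['id' => '1', 'csrf_token' => $token]],
];
foreach ($attempts as $label => [$method, $post]) {
    try {
        printf("%-22s -> deleted %d row(s)\n", $label, handleDelete($db, $session, $post, $method));
    } catch (RuntimeException $e) {
        printf("%-22s -> rejected: %s\n", $label, $e->getMessage());
    }
}
```

Saved to any .php file and run from the command line, the demo rejects the typed-URL GET, the token-less POST and the injection attempt, deletes zero rows for the other user's row, and deletes exactly one row for the legitimate request. Putting the owner in the WHERE clause avoids a separate SELECT-then-check round trip and closes the gap between the check and the delete; the prepared statement is what replaces the string interpolation into mysql_query in the question, and it also covers the SQL injection concern the commenters raised. A CAPTCHA, as suggested in the answer, adds friction for bots but does not address either authorization or CSRF.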