0

I have a a problem when posting some info from a form to a delete function, I am probably going to kick my self for this but I can't find the answer.

  • admin/index.php
  • lib/admin_functions.php
  • lib/delete_user.php

As above, I have 3 files.

The function it's self is below:

// Display users
function get_all_users() {
    global $con;
    $sql = "SELECT * FROM users ORDER BY id ASC";
    $result = mysqli_query($con, $sql);
    echo "<tr><td>   </td><td> User ID </td><td> Username </td><td> Email Address </td><td> Zendesk User Id </td><td>
    Zendesk View ID </td><td> Firstname </td><td> Surname </td><td> Nickname </td><td> Active 
    </td><td> Admin </td><td> Display Stats?</td><td> Remove User </td></tr>";
    while($row = mysqli_fetch_array($result)) {
        // Displaying all user details
        echo "<tr><td><img height='40' width='40' src='{$row['user_photo']}'></td><td>" .$row['id']. "</td><td>" .$row['user_name']. "</td><td>" .$row['email_address']. "</td><td>" .$row['zendesk_user_id']."</td><td>"
         .$row['zendesk_view_id']. "</td><td>" .$row['user_firstname']. "</td><td>" .$row['user_surname']. "</td><td>" .$row['user_nickname'].  "</td><td>"
         .$row['is_active']. "</td><td>" .$row['is_admin']. "</td><td>" .$row['display_stats'].
         // Form for deleting a user
         "</td><td><form id='delete_user' accept-charset='UTF-8' action='/delete_user.php' role='form' method='POST'><input type='checkbox' value='Delete'><input type='hidden' name='user_id' value='{$row['id']}'></td></tr>";
    }
    echo "<tr><td> Delete Selected User(s) </td><td>";
    echo "<input type='submit' name='submit' value='Delete My Account' onClick=\"return confirm('Are you sure you want to delete this account?')\"></td></form></tr>";
}

The above function belongs in admin_functions.php, it displays all my users with an extra column with a tick box for deletion, and at the bottom a form with the delete button.

I then have the delete_user code

<?php
session_start();
if( ! $_SESSION['loggedIn'] && ! $_SESSION['isAdmin']) {
    // If not admin or logged in, die
    die();
}
require_once(dirname(__FILE__).'/admin_functions.php');
require_once(dirname(__FILE__).'/../config.php');

// DELETE USER 

$user_id = mysql_real_escape_string( $_POST['user_id'] );

// Insert the customer, including the password hash
$sql = "DELETE FROM users where id = '{$user_id}' limit 1";
if (!mysqli_query($con,$sql)) {
  die('Error: ' . mysqli_error($con));
}

print "User Deleted";
mysqli_close($con);

?>

And finally on the index file, I have something that calls the function.

<?php get_all_users(); ?>

The problem I have is that the code all displays as expected, but after the warning message nothing happens. Nothing appears to get posted to delete_user.php, I see no errors in apache2 and also nothing in my console.

Any ideas?

Runt
  • 55
  • 5
  • 1
    This `mysql_real_escape_string` should be `mysqli_real_escape_string` but more specifically `$user_id = mysqli_real_escape_string($con, $_POST['user_id']);` - Those 2 different APIs do not mix. – Funk Forty Niner Aug 02 '14 at 14:39
  • Ah yes, must of missed that. Thank you sir. Not sure that will fix it, we will see :) – Runt Aug 02 '14 at 14:40
  • You're talking about a warning message. Which one? – Oliboy50 Aug 02 '14 at 14:43
  • Looks like you are deleting any user without even checking if the checkbox is checked or not. – putvande Aug 02 '14 at 14:45
  • I have a prompt here: " The prompt works, nothing happens after. – Runt Aug 02 '14 at 14:45
  • View your HTML source, see what appears under your hidden field. If nothing appears, then nothing is being passed to it. You could try changing `value='{$row['id']}'` to `value='{$row[id]}'` see if that helps. – Funk Forty Niner Aug 02 '14 at 14:49
  • I just checked that Fred, and it is passing the correct $user_id in the html. I believe nothing is reaching the form, the apache2 logs don't see anything being referred. @ Putvande I just change my delete script as follows: $delete = mysqli_real_escape_string($con, $_POST['delete']) if (mysqli_query($con,$sql) && $delete = 1) { print "User Deleted"; } else { die('Error: ' . mysqli_error($con)); } – Runt Aug 02 '14 at 14:54
  • Have you tried without the warning to begin with? – Oliboy50 Aug 02 '14 at 14:55
  • OK, try to add error reporting to the top of your file(s) right after your opening ` – Funk Forty Niner Aug 02 '14 at 14:59
  • No errors. Nothing in the console, I am going to try without the warning. – Runt Aug 02 '14 at 15:05
  • Removing the alert made no difference, so the problem is with the form. – Runt Aug 02 '14 at 15:06
  • Make a copy of your file and try this instead. Get rid of your hidden field and change your checkbox to this `` see if that works. While adding `if (isset($_POST['delete']) && isset($_POST['checkbox'])){ // SQL }` - You should be placing your form tags outside your loop also. – Funk Forty Niner Aug 02 '14 at 15:08
  • No difference, but I do prefer that approach. I had to put ' around the ID. – Runt Aug 02 '14 at 15:15

5 Answers5

1

You're not doing a valid HTML anyway :

This is what you've got :

<tr>
    <td>
        <form>
    </td>
</tr>
<tr>
    <td></td>
    <td></td>
        </form>
</tr>

This is what you should have :

<tr>
    <td>
        <form>
            <table><tr><td><!-- checkbox --></td><td><!-- submit --></td></tr></table>
        </form>
    </td>
</tr>

EDIT: Well... I'll try to rewrite your function with a valid HTML Form :

function get_all_users() {
    global $con;
    $sql = "SELECT * FROM users ORDER BY id ASC";
    $result = mysqli_query($con, $sql);
    echo "<tr><td> </td><td> User ID </td><td> Username </td><td> Email Address </td><td> Zendesk User Id </td><td> Zendesk View ID </td><td> Firstname </td><td> Surname </td><td> Nickname </td><td> Active </td><td> Admin </td><td> Display Stats?</td><td> Remove User </td></tr>";
    while($row = mysqli_fetch_array($result)) {
        // Displaying all user details
        echo "<tr><td><img height='40' width='40' src='" .$row['user_photo']. "'></td><td>" .$row['id']. "</td><td>" .$row['user_name']. "</td><td>" .$row['email_address']. "</td><td>" .$row['zendesk_user_id']."</td><td>" .$row['zendesk_view_id']. "</td><td>" .$row['user_firstname']. "</td><td>" .$row['user_surname']. "</td><td>" .$row['user_nickname'].  "</td><td>" .$row['is_active']. "</td><td>" .$row['is_admin']. "</td><td>" .$row['display_stats']. "</td>
         <td>
         <form id='delete_user' accept-charset='UTF-8' action='/delete_user.php' role='form' method='POST'>
         <table>
         <tr>
         <td><input type='checkbox' value='Delete'><input type='hidden' name='user_id' value='". $row['id']. "'></td>
         </tr>
         <tr>
         <td> Delete Selected User(s) </td>
         <td><input type='submit' name='submit' value='Delete My Account' onClick=\"return confirm('Are you sure you want to delete this account?')\"></td>
         </tr>
         </table>
         </form>
         </td>
         </tr>";
    }
}
Oliboy50
  • 2,661
  • 3
  • 27
  • 36
1

As per our chat conversation, am submitting the following answer in order to close the question and to be marked as solved.

You will need to make some slight HTML/table modifications. Plus, you'll need to modify it later on to be a safer method.

I didn't have time to add the extra stuff.

You also did not have any <table></table> tags.

Using the following links >>> mysqli_ with prepared statements, or PDO with prepared statements will help in regards to SQL injection.

<?php 

$DB_HOST = "xxx"; // replace
$DB_NAME = "xxx"; // replace
$DB_USER = "xxx"; // replace
$DB_PASS = "xxx"; // replace

$con = new mysqli($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME);
if($con->connect_errno > 0) {
  die('Connection failed [' . $con->connect_error . ']');
}

$sql = "SELECT * FROM users ORDER BY id ASC";
$result = mysqli_query($con, $sql);


echo "<!DOCTYPE html>" . "\n";
echo "<head></head>" . "\n";
echo "<body>" . "\n";

echo "<form id='delete_user' accept-charset='UTF-8' action='' role='form' method='POST'>" . "\n";

echo "<table>" . "\n";
echo "<tr><td> User ID </td><td> Username </td><td> Email Address </td><td> Zendesk User Id </td><td>
Zendesk View ID </td><td> Firstname </td><td> Surname </td><td> Nickname </td><td> Active 
</td><td> Admin </td><td> Display Stats?</td><td> Remove User </td></tr>" . "\n";

while($row = mysqli_fetch_array($result)) {
    // Displaying all user details
    echo "<tr><td>USER PHOTO CODE</td><td>" .$row['id']. "</td><td>" .$row['user_name']. "</td><td>" .$row['email_address']. "</td><td>" .


     "</td>\n<td><input type='checkbox' name='user_id[]' value='{$row['id']}'></td></tr>" . "\n";
echo "<tr><td> Delete Selected User(s) </td><td>" . "\n";

}

echo "<input type='submit' name='submit' value='Delete My Account' onClick=\"return confirm('Are you sure you want to delete this account?')\"></td>\n</tr>" . "\n";

echo "</table>" . "\n";

echo "</form>";

echo "</body></html>" . "\n";

if(isset($_POST['submit'])){

foreach($_POST['user_id'] as $id){
    $id = (int)$id;
    $delete = "DELETE FROM users WHERE id = $id"; 
    mysqli_query($con,$delete);
}

print "User Deleted";
mysqli_close($con);

}
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
  • 1
    Thank you, it was the fact I never called in the php it was in the html outside, that was getting confused. I moved and escaped out the html into the PHP, it now works! Thank you
     – Runt Aug 02 '14 at 18:20
0

Form is being created inside the while loop, while the closing tag and the submit button is outside the loop. So there are multiple form being created and a single submit button. Ideally it should be like

Open form

While loop, create check boxes End of loop

Submit button

Close form.

gvmani
  • 1,580
  • 1
  • 12
  • 20
0

First of all, you are using checkboxes in your form so should declare hidden variables user_id as array 

<input type='hidden' name='user_id[]' value='{$row['id']}'>

Then in your php file delete_user.php Use the following code to delete users 

            //echo "<pre>";print_r($_POST);exit; //check user ids using print_r() function
            $user_id = $_POST['user_id'];
            foreach($user_id as $userid) {
                // Insert the customer, including the password hash
                $sql = "DELETE FROM users where id = '$userid' limit 1";
                if (!mysqli_query($con,$sql)) {
                  die('Error: ' . mysqli_error($con));
                }
            }
Rakesh kumar
  • 135
  • 6
0

You are mixing the two apis.It must be mysqli_real_escape_string instead of mysql_real_escape_string.

Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
Avinash Babu
  • 6,171
  • 3
  • 21
  • 26
  • hum looks exactly the same to me – Oliboy50 Aug 02 '14 at 15:39
  • i bet i didnt copied you ..its the common error i can see ..:) – Avinash Babu Aug 02 '14 at 15:40
  • 1
    no that's not why I meant... I mean `mysqli_real_escape_string` is exactly the same as `mysqli_real_escape_string` for me, so I don't understand your answer – Oliboy50 Aug 02 '14 at 15:41
  • The OP already fixed it, so that isn't the real reason. Do delete this or edit to fix the actual problem. Plus *"instead of `mysqli_real_escape_string`."* - should read as *"instead of `mysql_real_escape_string`."* – Funk Forty Niner Aug 02 '14 at 15:42
  • @Fred-ii- fixed it ..its my mistake am sorry – Avinash Babu Aug 02 '14 at 15:43
  • [`See my comment`](http://stackoverflow.com/questions/25096125/form-action-not-posting-via-php-html#comment39051048_25096125) - That's how it needs to be used. So, this doesn't qualify as an answer. Read the other comments also. – Funk Forty Niner Aug 02 '14 at 15:44