
I have a question about deleting data from SQL using a PHP form.

My PHP form is something like this (it's just HTML, I guess):

<html>
    <body>
        <form action="delete.php" method="get">
          Uporabniško ime <input type="text" name="user"><br>
          <input type="submit" value="Submit">
        </form>
    </body>
</html>

and then I have the code that should delete from my SQL database, called delete.php:

<?php
    $servername = "localhost";
    $username = "test";
    $password = "test";
    $dbname = "iss";

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    } 

    $user = $_POST['user'];


    /*if (is_int($_GET['up_ime']) 
        $query = "DELETE FROM uporabniki WHERE up_ime = " . $_GET['up_ime'];
        $result = mysqli_query($con, $query);
        // Check the result and post confirm message
    }*/

    $sql = "DELETE FROM iss.uporabniki WHERE uporabniki.up_ime = " .$_POST['user'];

?>

In my SQL database I have a DB called "iss" and a table "uporabniki". up_ime is unique and is basically the username. So I'm trying to make a form where I can write a username, and when I click submit, that user should be deleted from the SQL database. I have no idea what I'm doing wrong and why this isn't working.

user3677216

  • Your form method is incorrect; use "post". Notice this => `$_POST` – Funk Forty Niner Dec 10 '14 at 18:11
  • Also make sure that the user you wish to delete is an `int` and based on a user ID number. Otherwise, `".$_POST['user'];` will add to the code's failure. Not to mention that your present code is open to [**SQL injection**](http://stackoverflow.com/q/60174/). – Funk Forty Niner Dec 10 '14 at 18:17
  • **WARNING**: When using `mysqli` you should be using parameterized queries and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string concatenation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/). This code is scary dangerous. – tadman Dec 10 '14 at 18:24
  • FYI: Use a jQuery ajax call if you can; it will be efficient and prevent refreshing the browser. – PHCJS Dec 10 '14 at 18:29
  • http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers & http://www.w3cyberlearnings.com/PHP_MySQL_PDO_DELETE_with_prepared_statement_and_named_placeholders – Funk Forty Niner Dec 10 '14 at 18:56
  • I know this could never be used for real purposes, but my school demands it from me. However, I changed from get to post and I don't get any error now, but nothing is deleted from SQL, so it's not working for me. – user3677216 Dec 10 '14 at 20:22

3 Answers


Just change the form method like this:

<form action="delete.php" method="post">

And also don't forget to execute the query:

$sql = "DELETE FROM iss.uporabniki WHERE uporabniki.up_ime = " .$_POST['user'];
$delete_result = mysqli_query($conn, $sql);
Riad

  • Yeah, the missing query escaped me; that's what happens when looking at code for too long. Well, I'll +1, but do take note that this is *still* open to [SQL injection](http://stackoverflow.com/q/60174/) and should not be trusted. – Funk Forty Niner Dec 10 '14 at 18:41
  • I did exactly as you said and I get this error: Warning: mysqli_query() expects at least 2 parameters, 1 given in C:\wamp\www\8\delete.php on line 24 Call Stack # Time Memory Function Location 1 0.0005 242584 {main}( ) ..\delete.php:0 2 0.0022 252248 mysqli_query ( ) ..\delete.php:24 – user3677216 Dec 10 '14 at 20:20
  • Yeah, you need to pass the link to mysqli_query. Answer updated. – Riad Dec 10 '14 at 20:27
  • No more error, but it still won't delete the user from the database. – user3677216 Dec 10 '14 at 21:00
  • Would you please echo the `$sql` and run the query directly from MySQL? – Riad Dec 11 '14 at 09:28

You wrote method="get" in the HTML, but in PHP you used $_POST. Correct this and your code will run successfully.

Riad
hamdy

As referred to in this W3 document, HTTP/1.1 Method Definitions:

This should be how to write a form dedicated to deleting something:

<html>
    <body>
        <form action="delete.php" method="delete">
          Uporabniško ime <input type="text" name="user"><br>
          <input type="submit" value="Submit">
        </form>
    </body>
</html>

And this would be the PHP receiving the request (I would also recommend using PDO instead of mysqli, which is what I use in my answer):

<?php
    $host = "localhost";
    $username = "test";
    $password = "test";
    $dbname = "iss";

    // Create connection and catch possible error
    // (the DSN is the first argument; user and password are separate arguments)
    try {
        $conn = new PDO('mysql:host=' . $host . ';dbname=' . $dbname, $username, $password);
    }
    catch (Exception $e)
    {
        die('Error : ' . $e->getMessage());
    }

    if (isset($_DELETE['user']) && !empty($_DELETE['user'])) {
        $user = $_DELETE['user'];
    } else {
        // if $_DELETE['user'] is not set or empty we close the connection
        $conn = null;
        die('Error : user is undefined');
    }
    $stmt = $conn->prepare("DELETE FROM iss.uporabniki WHERE uporabniki.up_ime = :user");
    // we bind the parameter to reduce the risk of injection
    $stmt->bindParam(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    $stmt = null;
    $conn = null;
?>

Hoping this will help you or someone else in the future!

MI53RE
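The comments on the question and on Riad's answer say the concatenated DELETE is open to SQL injection, and the asker reports that after the fix "nothing is deleted"; the last answer shows the PDO prepared-statement form. The script below is an added example, not code from the question or from any answer. It puts the question's concatenated DELETE next to a parameterized one and exercises both with a normal username and with a crafted one, so you can see both the silent failure and the injection. To run offline it uses an in-memory SQLite database through PDO; that is an assumption, and swapping the DSN and credentials for the question's MySQL setup (`mysql:host=localhost;dbname=iss`) gives the same behaviour there. The table and column names uporabniki / up_ime come from the question; the three sample users are constructed here.

```php
<?php
// Added example (not from the question or any answer). In-memory SQLite via
// PDO stands in for the question's MySQL database so this runs offline;
// change the DSN/credentials to run it against MySQL instead.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Turn every SQL error into an exception so a failure cannot pass
    // silently, which is what the question's unchecked mysqli_query() did.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE uporabniki (up_ime TEXT NOT NULL UNIQUE)');
    $insert = $db->prepare('INSERT INTO uporabniki (up_ime) VALUES (:user)');
    foreach (['alice', 'bob', 'carol'] as $name) {   // constructed sample rows
        $insert->execute([':user' => $name]);
    }
    return $db;
}

function countUsers(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM uporabniki')->fetchColumn();
}

// The question's approach: the raw form value is pasted into the SQL text.
function deleteUserUnsafe(PDO $db, string $user): int
{
    $sql = 'DELETE FROM uporabniki WHERE up_ime = ' . $user;
    return $db->exec($sql);   // rows deleted; throws on a SQL error
}

// The fix: the value travels as a bound parameter, so the database never
// parses it as SQL. rowCount() tells the caller whether a row was removed.
function deleteUser(PDO $db, string $user): int
{
    $stmt = $db->prepare('DELETE FROM uporabniki WHERE up_ime = :user');
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

// 1. A normal username through the unsafe path. It is unquoted, so the
//    statement reads "... WHERE up_ime = bob", the database looks for a
//    column named bob, and the DELETE fails. With the question's unchecked
//    mysqli_query() this is the "no error, but nothing deleted" symptom.
$db = openDb();
try {
    deleteUserUnsafe($db, 'bob');
} catch (PDOException $e) {
    echo "unsafe delete of 'bob' failed: " . $e->getMessage() . "\n";
}

// 2. A crafted username through the unsafe path empties the table:
//    "... WHERE up_ime = 1 OR 1=1" is true for every row.
$removed = deleteUserUnsafe($db, '1 OR 1=1');
echo "unsafe delete with '1 OR 1=1' removed $removed rows, " . countUsers($db) . " left\n";

// 3. The same payload through the prepared statement is compared as a plain
//    string and matches nothing, while a real username removes exactly one row.
$db = openDb();
echo "safe delete with '1 OR 1=1' removed " . deleteUser($db, '1 OR 1=1') . " rows\n";
echo "safe delete of 'bob' removed " . deleteUser($db, 'bob') . " rows, " . countUsers($db) . " left\n";
```

On the HTTP side, an HTML form only submits with GET or POST (any other `method` value falls back to GET), and PHP has no `$_DELETE` superglobal, so the form should use `method="post"` and delete.php should check `isset($_POST['user'])` and pass that value to `deleteUser()`; the return value lets the page say "user deleted" or "no such user" instead of guessing. The mysqli equivalent of `deleteUser()` is `$stmt = $conn->prepare('DELETE FROM uporabniki WHERE up_ime = ?'); $stmt->bind_param('s', $user); $stmt->execute();` followed by reading `$stmt->affected_rows`.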