
I'm trying to delete records from the DB by their ID. The code works as it should but the problem is the ID is coming up in the URL, which from my knowledge it's unsafe.

URL: "http://localhost/Project/includes/delete.php?id=27"

I have used a prepared statement to delete the records, but the problem comes from the button. Is there any other approach to the one I'm already using to make it safe?

Here is the code:

while($row = $result->fetch_assoc()) {
    echo '<tr>';
        echo '<td>' . $row['row1'] . '</td>';
        echo '<td>' . $row['row2'] . '</td>';
        echo '<td>' . $row['row3'] . '</td>';
        echo '<td><a href="delete.php?id=' . $row['id'] . '">Delete</a></td>';
    echo '</tr>';
}

if (isset($_GET['id']) && is_numeric($_GET['id'])) {
    $id = $_GET['id'];

    if ($stmt = $mysqli->prepare("DELETE FROM table WHERE id = ? LIMIT 1")) {
        $stmt->bind_param("i", $id);
        $stmt->execute();
        printf("Affected rows (DELETE): %d\n", $mysqli->affected_rows);
        $stmt->close();
    }
}

Basically I'd like to make the whole row clickable, so that the user clicks on the row to delete the record rather than using the buttons. However, my big challenge is how not to show its ID in the URL.

Any help is highly appreciated.

Thank you

CodeX

3 Answers


Set the Id in $_SESSION and you can pass it between pages.

OR

You can do it with AJAX:

while($row = $result->fetch_assoc()) {
    // Inside a single-quoted PHP string, \" is emitted literally, so the
    // class attributes must not be backslash-escaped
    echo '<tr class="deleted">';
        echo '<td>' . $row['row1'] . '</td>';
        echo '<td>' . $row['row2'] . '</td>';
        echo '<td>' . $row['row3'] . '</td>';
        echo '<td><a href="#" id="' . $row['id'] . '" class="delete">Delete</a></td>';
    echo '</tr>';
}

Add this script to the page where the above code is located:

<script type="text/javascript">
// Requires jQuery to be loaded before this script
$(function() {
    $(".delete").click(function() {
        var element = $(this);
        var del_id = element.attr("id");
        if (confirm("Are you sure you want to delete this?")) {
            $.ajax({
                type: "POST",
                url: "delete.php",
                data: { id: del_id },
                success: function() {
                    // Hide the row only after the server has confirmed the delete
                    element.parents(".deleted").hide(500);
                }
            });
        }
        return false;
    });
});
</script>

Create a delete.php in the root, and it will look like this:

<?php
//Add your database connection first here
if (isset($_POST['id']) && is_numeric($_POST['id'])) {
    $id = $_POST['id'];

    if ($stmt = $mysqli->prepare("DELETE FROM table WHERE id = ? LIMIT 1")) {
        $stmt->bind_param("i", $id);
        // execute() returns false on failure, so test its result rather than
        // $stmt itself (which is always truthy once prepare() succeeded)
        if ($stmt->execute()) {
            echo "<font color='red'>Record Deleted Successful</font>";
        } else {
            echo "<font color='red'>Error While Trying To Delete Record, Please Try Again</font>";
        }
        //printf("Affected rows (DELETE): %d\n", $mysqli->affected_rows);
        $stmt->close();
    }
}
?>

With AJAX, your page won't be refreshed: the data will be deleted from the database and the deleted row will be hidden from the user.

Shehary
  • Hi @shehary, sorry for the late reply, but I went into town. The example you provided is really what I was looking for. The only thing to mention is that, first of all, I have a select query where I'm retrieving all the info from the DB and displaying it in a table, and then down below, still in "delete.php", I'm trying to delete the data depending on which row is being clicked from that table above. I'm quite confused where that "html div" should be included. Thank you – CodeX Jul 16 '15 at 19:44
  • @CodeX, I updated the answer, please have a look and lemme know if you still have confusion – Shehary Jul 16 '15 at 20:00
  • Hi @shehary, I might look stupid but it still doesn't work. To be fair, it's the first time I'm using AJAX. Basically all the above code should be in only one class, "delete.php"; however, I've tried and recreated another class only to test the code and still no luck. Have I missed anything? Thank you – CodeX Jul 16 '15 at 20:21
  • No you didn't, I missed something: replace this line `echo 'Delete';` with this `echo 'Delete';` – Shehary Jul 16 '15 at 20:23
  • The concept of AJAX is very simple: it will do the dirty work for you without refreshing the page. You see `url` in the script; it's where you are telling the script where the file is located, and it handles the POST request and fetches the response back, keeping you on the same page – Shehary Jul 16 '15 at 20:27
  • Is it possible to have all the above code in only one page, and that page to be called from the main page where I have other stuff? For instance, have the main page and call that file which outputs the table and does the job of removing? Thank you – CodeX Jul 16 '15 at 20:34
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/83481/discussion-between-shehary-and-codex). – Shehary Jul 16 '15 at 20:36

Encode the ID with a two-way encryption, so that it is 'sent' encoded, and decoded to use.

MaggsWeb

To do this you could place a form in the last table cell:

echo '<td><form action="delete.php" method="post">';
// The value attribute needs its closing quote before the tag is closed
echo '<input type="hidden" name="id" value="' . $row['id'] . '" />';
echo '<input type="submit" value="Delete" />';
echo '</form></td>';

The form uses a hidden input for your id value.

In your PHP you would then switch to the $_POST array: $_POST['id'].

Jay Blanchard
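The form-plus-$_POST approach from the last answer, carried through as an added example (not code from the question or from any answer) that adds the two checks the answers leave out: a per-session CSRF token, so another site cannot submit the delete form on the user's behalf, and an ownership predicate in the DELETE itself, so a user can only remove rows they own. The table name `items`, the column `owner_id` and `$_SESSION['user_id']` are assumed names.

```php
<?php
// Added example (not code from the question or any answer): a POST-only
// delete handler that keeps the prepared statement from the question and
// adds the checks that actually decide who may delete what. Assumed:
// session_start() has run, the logged-in user's id is in
// $_SESSION['user_id'], $mysqli is a connected mysqli object, and the
// table is `items` with an `owner_id` column (all hypothetical names).

// One token per session, echoed into every delete form as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Per-row form cell, replacing the delete.php?id= link from the question.
function delete_form_cell(int $id): string {
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<td><form action="delete.php" method="post">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="csrf" value="' . $t . '">'
         . '<input type="submit" value="Delete"></form></td>';
}

// Handles the submitted form; returns the number of rows removed (0 or 1).
function handle_delete(mysqli $mysqli): int {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405); return 0;   // a plain GET link must not delete
    }
    if (!isset($_POST['csrf'], $_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], (string)$_POST['csrf'])) {
        http_response_code(403); return 0;   // token missing or not ours
    }
    if (!isset($_POST['id']) || !ctype_digit((string)$_POST['id'])) {
        http_response_code(400); return 0;   // not a plain positive integer
    }
    $id    = (int)$_POST['id'];
    $owner = (int)$_SESSION['user_id'];
    // The owner_id predicate is what stops a user deleting someone else's
    // row; whether the id is visible in the URL does not change that.
    $stmt = $mysqli->prepare(
        'DELETE FROM items WHERE id = ? AND owner_id = ? LIMIT 1');
    $stmt->bind_param('ii', $id, $owner);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}
```

Call `handle_delete($mysqli)` from delete.php after `session_start()` and the database connection, and use `delete_form_cell((int)$row['id'])` in place of the last `<td>` in the table loop.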