
I have a basic backoffice setup with a few tables listing the database content with an option to delete the rows, based on the id. But for every product that I have, I need to have different PHP delete files, in this example, "product_01", "product_02", etc.

How can I pass a custom id in the query string (href='delete_product_01.php?id=...') so I can have a conditional statement in the delete PHP file? This way I would only need one delete.php file.

Thank you

back.php.php

echo "<td class='deleteMe'><a class='delete_back' href='delete_product_01.php?id=".$record['id']."'>x</a></td>";

delete_product_01.php

include('config_delete.php');

if (isset($_GET['id'])) {
    $id = $_GET['id'];
    // $id comes straight from the query string and is interpolated into the SQL text
    $query = mysql_query("DELETE FROM product_01_table WHERE id='$id'");
    if ($query) {
        header('Location: back.php');
        exit;
    }
}
  • Every product has its own table? That sounds like a DB design flaw, or am I reading this question wrong? You are open to SQL injections with this code. – chris85 Sep 09 '15 at 18:05
  • 1
    ***Please*** have a look here: http://www.bobby-tables.com. This code is very unsafe. What if I tried to go to `delete_product_01.php?id=' OR 1=1; -- `? – gen_Eric Sep 09 '15 at 18:10
  • I don't get why people keep using mysql, at least use mysqli_* if you don't want to learn prepared statements yet. but nonetheless, I don't understand how the database is set up. Could you clarify that? – Xander Luciano Sep 09 '15 at 18:12

1 Answer

You could pass the product id as second get parameter, like

delete_product.php?id=4&product_id=1

And in your delete.php you could manipulate your string in some way like

"delete from product_".$_GET["product_id"]."_table where id='$id'"

but you really should NOT do this!

Here are multiple reasons, why such code design is VERY dangerous and bad:

SQL-Injection

One could easily exploit your GET parameter to get malicious SQL code executed. Imagine someone calling

delete_product.php?id=4';DROP database;

By doing that, he would not only delete one product, he would delete everything. Have a look here for more information about that.

mysql_* functions

mysql_* functions have long been deprecated and should not be used. There are many reasons for this; have a look at this SO post.

Database design

Having a designated table for every single product of yours is very bad database design. Imagine your company (or whatever entity is selling here) making a change in its product portfolio, removing or adding a product. You would need to make a huge number of changes. If you consider revising your concept (you really should!), this post will provide you with a good starting point.
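The safe version of what the question asks for, as an added example that is not the question's or the answer's own code: one delete.php that picks the table from a server-side allow-list and binds the row id with a PDO prepared statement, so no request value is ever spliced into the SQL text. It assumes config_delete.php defines a PDO connection in `$pdo` and that the tables are named product_NN_table; with the single products table the answer recommends, the map disappears and only the prepared statement remains.

```php
<?php
// Added example: one delete script for all product tables, without string-built SQL.
declare(strict_types=1);

require 'config_delete.php'; // assumed to define $pdo (a PDO instance)

// Allow-list: the table name is chosen by the server from this fixed map, so
// the request never contributes to the SQL text. Extend it when products change.
const PRODUCT_TABLES = [
    1 => 'product_01_table',
    2 => 'product_02_table',
];

/**
 * Delete one row from an allow-listed product table.
 * Returns the number of rows deleted, or null when the input is rejected.
 */
function deleteProductRow(PDO $pdo, array $params): ?int
{
    // Both values must be positive integers; anything else (for example the
    // "' OR 1=1; --" input from the comments) is rejected before any SQL exists.
    $intOpts   = ['options' => ['min_range' => 1]];
    $productId = filter_var($params['product_id'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    $id        = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    if ($productId === false || $id === false || !isset(PRODUCT_TABLES[$productId])) {
        return null;
    }

    // The table name comes from the constant map, never from $params.
    $table = PRODUCT_TABLES[$productId];

    // The row id is bound as a parameter of a prepared statement, not interpolated.
    $stmt = $pdo->prepare("DELETE FROM `{$table}` WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

// Usage with the link from the question, e.g. delete.php?id=4&product_id=1
$deleted = deleteProductRow($pdo, $_GET);
if ($deleted === null) {
    http_response_code(400);
    exit('Invalid request');
}
header('Location: back.php');
exit;
```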
