
I have a page where I have the table row id defined by 'lesson_id' and I have a delete function for jQuery that deletes that row without having to change page. It is almost all working but when it posts the information to delete_row.php it is not deleting the record. But delete_row.php is working because I've manually done delete_row.php?id=4 and it deleted that record successfully. Any pointers and explanations would be great as I'm still learning.

lessons.php

```html
<table id="lessons" class="table-hover">
    <thead>
        <tr>
            <th>Lesson ID</th>
            <th>Lesson Name</th>
            <th></th>
        </tr>
    </thead>
<tbody>
<?php
// Each <tr> carries the lesson_id as its element id so the script can read it back.
while ($row = mysqli_fetch_array($result)) {
    echo '<tr id="' . $row['lesson_id'] . '">';
        echo '<td>' . $row['lesson_id'] . '</td>';
        echo '<td>' . $row['name'] . '</td>';
        echo '<td><a class="delete">Delete</a></td>';
    echo '</tr>';
}
?>
</tbody>
</table>
<div id="error"></div>
<script>
$(document).ready(function()
{
    $('table#lessons td a.delete').click(function()
    {
        if (confirm("Are you sure you want to delete this row?"))
        {
            // a -> td -> tr: the <tr> id holds the lesson_id
            var id = $(this).parent().parent().attr('id');
            var data = 'id=' + id;
            var parent = $(this).parent().parent();
            //$('#error').html(data);
            $.ajax(
            {
                type: "POST",
                url: "delete_row.php",
                data: data,
                cache: false,

                success: function()
                {
                    parent.fadeOut('slow', function() {$(this).remove();});
                }
            });
        }
    });
});
</script>
```

delete_row.php

```php
<?php
include ('../../../config.php');
$con = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
if (!$con) {
    // $con is false here, so the connection error must come from mysqli_connect_error()
    die('could not connect: ' . mysqli_connect_error());
}
$error = "";
$success = "";

// reads the id from the query string and deletes the matching row
if ($_GET['id'])
{
    $id = $_GET['id'];

    mysqli_query($con, "DELETE FROM module_lessons WHERE lesson_id='$id'");
}
?>
```

As is obvious, this has no SQL injection protection on it.

Jake Groves
  • you never bothered embedding the ID of the record in your delete link, so when the link is clicked, `$_GET['id']` is undefined. And **DON'T DO THIS** you are both vulnerable to [sql injection attacks](http://bobby-tables.com) and the [Spider of Doom](http://www.thedailywtf.com/articles/The_Spider_of_Doom). Enjoy having your server totally pwn3d. – Marc B Feb 22 '16 at 20:04
  • You are mixing up GET and POST. You should only use POST; you don't want a clever browser (plugin...) or a search engine to prefetch all your delete links... – jeroen Feb 22 '16 at 20:04
  • http://php.net/manual/en/function.error-reporting.php – Funk Forty Niner Feb 22 '16 at 20:06
  • Apart from the problems mentioned already, you are using some sort of authentication in your real `delete_row.php` script, right? – jeroen Feb 22 '16 at 20:07
  • this is a school project I'm learning and I know how to prevent SQL injections and validations, I've done it in my other forms – Jake Groves Feb 22 '16 at 20:10

1 Answer


Change `$_GET['id'];` to `$_POST['id'];`

Here, you're doing a POST request:

```javascript
type: "POST",
url: "delete_row.php",
```

... but in your PHP script you're checking for GET.

Also, as Marc B noted, you're currently vulnerable to SQL injection. Look into using mysqli_real_escape_string, or bind_param.

BugHunterUK