
I made a messaging system for my site and this is the code I use to display the different users' messages in their profile. This gets the messages from the database and displays them on the page in divs (every message in a new div). I added a 'DELETE MESSAGE' link for the user to delete a certain message, but I don't know how it will work. I want it to delete the div and the database record. I am new to PHP and it is super complicated for me to make it.

<div style='height: auto; margin-top: 0px; padding: 50px;' id='content'>
<?php   
    session_start();
    if (!isset($_SESSION['name'])) {
        header('Location:vhod.php');
        exit;
    }

    $pageTitle = 'СЪОБЩЕНИЯ';
    include 'includes/header.html'; 

    $email = $_SESSION['email'];
    $name = $_SESSION['name'];

    include 'php/db_connect.php';

    $msgs = '';
    $query = "SELECT * FROM `msg` WHERE `to` = '$name'";
    $result = mysqli_query($conn, $query);

    if (mysqli_num_rows($result) > 0) {
        while($row = mysqli_fetch_assoc($result)) {
            echo "<div class='msg_box'>" .
                 "<strong>>> Дата и час: </strong>" . $row["timestamp"] . "<br>" .
                 " <strong>>> От: </strong>" . "<i>" . $row["sender"] . "</i>" . "<br>" .
                 " <strong>>> Тема: </strong>" . "<i>" . $row["subject"] . "</i>" . "<br>" .
                 "<strong>>> Съобщение: </strong>" . "<i>" . $row["msg"] . "</i>" . "<br>" . "<br>" .
                 "<strong><a href='' >DELETE MESSAGE</a></strong>" . "</div>" . "<br>" . "<br>" . "<br>";
        }
    } else {
        echo "<h2>Нямате съобщения :(</h2>";
    }
?>

</div>
To. K
  • Your code is vulnerable to a so-called sql-injection attack. As a result **anybody** can delete your database (or do other nasty stuff). Please read [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) here on stackoverflow.com – Jacco Mar 19 '16 at 20:52

1 Answer


To delete an item from the database, you have to reference one of its column values. It is best to use the record's ID value for this. So you will need to pass the ID of each message in your 'delete message' link.

Then you have to create a separate script for the "DELETE MESSAGE" button that takes the id of the message as input.

Try this code:

<div style='height: auto; margin-top: 0px; padding: 50px;' id='content'>
<?php   
session_start();
if (!isset($_SESSION['name'])) {
    header('Location:vhod.php');
    exit;
}

$pageTitle = 'СЪОБЩЕНИЯ';
include 'includes/header.html'; 

$email = $_SESSION['email'];
$name = $_SESSION['name'];

include 'php/db_connect.php';

$msgs = '';
$query = "SELECT * FROM `msg` WHERE `to` = '$name'";
$result = mysqli_query($conn, $query);

if (mysqli_num_rows($result) > 0) {
    while($row = mysqli_fetch_assoc($result)) {
        echo "<div class='msg_box'>" . 
             "<strong>>> Дата и час: </strong>" . $row["timestamp"] . "<br>" . 
             " <strong>>> От: </strong>" . "<i>" . $row["sender"] . "</i>" . "<br>" . 
             " <strong>>> Тема: </strong>" . "<i>" . $row["subject"] . "</i>" . "<br>" . 
             "<strong>>> Съобщение: </strong>" . "<i>" . $row["msg"] . "</i>" . "<br>" ."<br>" .
             "<strong><a href='deletemsg.php?id=".$row["id"]."' >DELETE MESSAGE</a></strong>" . "</div>" . "<br>" . "<br>" . "<br>" ;
    }
} else {
    echo "<h2>Нямате съобщения :(</h2>";
}
?>

</div>

deletemsg.php:

<?php
session_start();
include 'php/db_connect.php';

// $_GET is an array, so the id is read with [] (not with () as a function call)
$msgsid = (int) $_GET['id'];
$name = $_SESSION['name'];

// Bind the values instead of pasting them into the SQL string, and restrict the
// delete to rows addressed to the logged-in user so nobody can remove others' messages
$stmt = mysqli_prepare($conn, "DELETE FROM `msg` WHERE `id` = ? AND `to` = ?");
mysqli_stmt_bind_param($stmt, 'is', $msgsid, $name);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

Then refresh the page.

Note: replace $row["id"] and the id in the query with the name of the column in your DB that contains the ID of the rows (if it's different).

Jacco
Yeti82
  • "To delete an item from the database, you have access to it uniquely via its ID." is simply not true: you can delete any record by matching any value in any column. – Jacco Mar 19 '16 at 20:38
  • Is it necessary to give me -1? I'm trying to help @Jacco – Yeti82 Mar 19 '16 at 20:41
  • It seems you made a good-faith mistake, so I undid my -1 and edited your answer instead. Hope you don't mind. – Jacco Mar 19 '16 at 20:46
  • Thank you @Jacco, my intent is to help, your edit is correct :) – Yeti82 Mar 19 '16 at 20:49
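The steps from the answer (pass the message id from the listing, handle the delete in a script that takes that id, then show the list again) put together in one page, as an added example that is neither the asker's nor the answerer's code. It goes a bit beyond the answer: the delete is folded into the same page and handled on POST with a per-session token instead of a GET link, the recipient is bound into both queries so a user can only ever delete messages addressed to them, and every database value is HTML-escaped before it is echoed. Assumed: the question's msg table with an integer id column plus the to, sender, subject, msg and timestamp columns, $conn being the mysqli handle from php/db_connect.php, the session layout from the question, and a file name of messages.php (the question does not give one); the function names h() and deleteOwnMessage() and the csrf session key are mine.

```php
<?php
// Added example (not the asker's or answerer's code). One page that lists the
// logged-in user's messages and handles the delete itself via POST-redirect-GET.
// Assumed: the question's `msg` table (integer `id`; `to`, `sender`, `subject`,
// `msg`, `timestamp` columns), `$conn` from php/db_connect.php, and that this
// file is saved as messages.php (assumed name).
session_start();
if (!isset($_SESSION['name'])) {
    header('Location: vhod.php');
    exit;
}
include 'php/db_connect.php';
$name = $_SESSION['name'];

// One random token per session; the delete form has to send it back.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// HTML-escape a database value before echoing it, so a message body that
// contains <script> is displayed as text instead of running in the browser.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Delete one of the current user's messages. Returns the number of rows removed:
// 1 when the id belonged to them, 0 when it did not exist or was someone else's.
function deleteOwnMessage(mysqli $conn, int $id, string $owner): int
{
    // Both values are bound as parameters; nothing from the request is
    // interpolated into the SQL string, and the `to` condition is the
    // ownership check: another user's id simply matches no row.
    $stmt = mysqli_prepare($conn, "DELETE FROM `msg` WHERE `id` = ? AND `to` = ?");
    mysqli_stmt_bind_param($stmt, 'is', $id, $owner);
    mysqli_stmt_execute($stmt);
    $removed = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $removed;
}

// Deletion changes state, so it is only accepted as a POST carrying the token;
// a plain GET link could be fired by an <img src> on another site or a prefetch.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete_id'])) {
    if (!isset($_POST['csrf']) || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
        http_response_code(403);
        exit('Invalid request');
    }
    deleteOwnMessage($conn, (int) $_POST['delete_id'], $name);
    header('Location: messages.php');   // reload the list; the deleted div is gone
    exit;
}

$pageTitle = 'СЪОБЩЕНИЯ';
include 'includes/header.html';

// Fetch only this user's messages, binding the recipient as a parameter.
$stmt = mysqli_prepare($conn,
    "SELECT `id`, `timestamp`, `sender`, `subject`, `msg` FROM `msg` WHERE `to` = ?");
mysqli_stmt_bind_param($stmt, 's', $name);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
?>
<div style='height: auto; margin-top: 0px; padding: 50px;' id='content'>
<?php if (mysqli_num_rows($result) === 0): ?>
    <h2>Нямате съобщения :(</h2>
<?php endif; ?>
<?php while ($row = mysqli_fetch_assoc($result)): ?>
    <div class='msg_box'>
        <strong>>> Дата и час: </strong><?= h($row['timestamp']) ?><br>
        <strong>>> От: </strong><i><?= h($row['sender']) ?></i><br>
        <strong>>> Тема: </strong><i><?= h($row['subject']) ?></i><br>
        <strong>>> Съобщение: </strong><i><?= h($row['msg']) ?></i><br><br>
        <form method='post' action='messages.php'>
            <input type='hidden' name='delete_id' value='<?= (int) $row['id'] ?>'>
            <input type='hidden' name='csrf' value='<?= h($_SESSION['csrf']) ?>'>
            <button type='submit'>DELETE MESSAGE</button>
        </form>
    </div><br>
<?php endwhile; ?>
</div>
<?php mysqli_stmt_close($stmt); ?>
```

The redirect after the delete is what makes the div disappear: the browser requests the list again and the removed row is simply not rendered, so no JavaScript is needed. Because the DELETE is restricted by `to` = the session user, tampering with delete_id in the form affects zero rows, and mysqli_stmt_get_result() requires the mysqlnd driver that ships with current PHP builds.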