```javascript
var table = "users";
var id = 25;

$("#btndel").click(function() {
    if (confirm("Are you sure ?")) {
        $.ajax({
            url: 'ajaxdel.php',
            type: 'post',
            data: {
                'table': 'table',
                'id': 'id'
            },
            success: function() {
                location.href = "index.php";
            }
        })
    }
});
```

ajaxdel.php

```php
extract($_POST);
$stmt = $db->prepare('DELETE FROM '.$table. ' WHERE id = :id') ;
$stmt->execute(array(':id' => $id));
```

Table row is not deleted.

  • @RoryMcCrossan, table row is not deleted. – qadenza Jun 17 '16 at 19:07
  • 4
    don't use `extract()`. register_globals was removed from PHP for good reason, and recreating it for such simple things is just... bad. and you leaving yourself open for [sql injection attacks](http://bobby-tables.com) ANYWAYS, because you stuff $table into the query directly. – Marc B Jun 17 '16 at 19:09
  • Lol that's not very safe... never directly execute user-input as code. – Michael Zhang Jun 17 '16 at 19:09
  • you should also have the table parameterise as you are doing with id. – Abdul Rehman Jun 17 '16 at 19:11
  • See http://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-or-column-name-as-parameter for how to secure table name against injection. – chris85 Jun 17 '16 at 19:12
  • @Bsienn table names can't be parameterized (but still shouldn't be done as is) – chris85 Jun 17 '16 at 19:13
  • @chris85 I didn't know that, thanks. The way bonaca is doing it is so wrong that I had to at least point out the SQL injection issue, and many others have already pointed bonaca in the right direction. – Abdul Rehman Jun 17 '16 at 19:17
  • 4
    I'm voting to close this question as off-topic because it is unsafe and no one should ever use it. – Drew Jun 18 '16 at 17:54
  • In the question, the PHP code is unsafe. But in my answer PHP is safe. Future readers will consider the answers (I hope, but just too bad if not!) and all the comments above. – Louys Patrice Bessette Jun 19 '16 at 21:01

2 Answers

As a start, you are passing the strings 'table' and 'id' as POST parameters, not the contents of the respective variables:

```javascript
data: {'table': 'table', 'id': 'id'},
```

Instead, you want to pass the variable values:

```javascript
data: {'table': table, 'id': id},
```

You should also think very hard about possible vulnerabilities before you let the code anywhere near your production system.


TimoSta's answer is good. But I see in the comments that it still doesn't work.

So here is something you could try in your PHP.
It's a more secure way to pass the table name.

I assume that you defined your $db with the SQL user/pass/DBname AND that the SQL user you use has the DELETE privilege.

```php
$tableArr = ["users"];    // You may add other table names you want to access.

if (in_array($_POST['table'], $tableArr)) {
    $stmt = $db->prepare('DELETE FROM '.$_POST['table'].' WHERE id = ?');
    $stmt->bindParam(1, $_POST['id']);
    $stmt->execute();
}
```
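Putting the two answers together, here is an added example of a complete `ajaxdel.php` (not code from the question or from either answerer). It assumes the client sends the variable values as TimoSta's answer shows, that `$db` is an existing PDO connection, and that the only table this endpoint may ever delete from is `users`; the table name is resolved against that allowlist because identifiers cannot be bound as parameters, and the id is validated as a positive integer before binding.

```php
<?php
// Added example, not the asker's or answerers' code. Assumes $db is a PDO
// connection and that $allowedTables is the fixed list of deletable tables.
declare(strict_types=1);

// Table names cannot be bound as parameters, so the request value is matched
// against a fixed allowlist and the allowlist literal, not the user input,
// is what ends up in the query text.
function resolveTable(array $allowedTables, $requested): ?string
{
    if (!is_string($requested)) {
        return null;
    }
    $key = array_search($requested, $allowedTables, true);
    return $key === false ? null : $allowedTables[$key];
}

// The id must be a positive integer; anything else is rejected before a
// statement is even prepared.
function resolveId($requested): ?int
{
    $id = filter_var($requested, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function deleteRow(PDO $db, array $allowedTables, array $post): array
{
    $table = resolveTable($allowedTables, $post['table'] ?? null);
    $id    = resolveId($post['id'] ?? null);
    if ($table === null || $id === null) {
        return ['status' => 400, 'body' => ['error' => 'invalid table or id']];
    }

    $stmt = $db->prepare("DELETE FROM `$table` WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    // rowCount() tells the caller whether a row was actually deleted, which
    // the original success handler never checked.
    $deleted = $stmt->rowCount();
    return ['status' => $deleted === 1 ? 200 : 404, 'body' => ['deleted' => $deleted]];
}

$result = deleteRow($db, ['users'], $_POST);
http_response_code($result['status']);
header('Content-Type: application/json');
echo json_encode($result['body']);
```

The jQuery `success` callback fires only on a 2xx response, so with this server side a rejected table name or a missing row no longer silently redirects to `index.php`.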