1

I have a table that produces a list of user accounts from a MySQL db. I would like a button that can delete a user from this list.

Here is my form:

<td><form action="empdelete.php">
    <?php echo "<input type='text' name='employee' value='".$employee['username']."'/><button type='submit' class='btn btn-default'>Delete</button>"?>
</form></td>;

Here is my empdelete.php:

<?php 
if($_POST['submit'])
{
    mysql_connect("host","username","pword") or die(mysql_error()); 
    mysql_select_db("db") or die(mysql_error()); 

    $username = $_POST['username'];

    $result=mysql_query("DELETE FROM employee WHERE username='$username'") or die(mysql_error()); 

    //confirm
    echo "Employee Deleted"; 
}
?>

The table name is employee and the column name is username. It doesn't seem to be working... any suggestions?

sd0093
  • you have no input bearing the `username` POST, you have `employee` – Funk Forty Niner Mar 25 '17 at 19:04
  • Sorry - I am very new at this. Would you be able to explain a little more for me please? – sd0093 Mar 25 '17 at 19:07
  • Your code is unsafe, anyone using your web app can delete the whole database by entering `' or true or '` as a user name. Read up on SQL injection. – Patrick Hund Mar 25 '17 at 19:48
  • **WARNING**: If you're just learning PHP, please, do not use the [`mysql_query`](http://php.net/manual/en/function.mysql-query.php) interface. It’s so awful and dangerous that it was removed in PHP 7. A replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) and a guide like [PHP The Right Way](http://www.phptherightway.com/) explains best practices. Your user data is **not** [properly escaped](http://bobby-tables.com/php.html) and there are [SQL injection bugs](http://bobby-tables.com/) and can be exploited. – tadman Mar 25 '17 at 20:59
  • Thank you - I am familiar with SQL injections but don't need to be concerned about them for this small project :) – sd0093 Mar 26 '17 at 14:31

2 Answers

1

You can use a normal link and pass the username as a GET parameter

<?php 
    // urlencode() keeps characters such as & or spaces from breaking the query
    // string; htmlspecialchars() keeps the value from breaking out of the href.
    echo '<a href="empdelete.php?username='.htmlspecialchars(urlencode($employee['username']), ENT_QUOTES, 'UTF-8').'">Delete</a>';
?>

And then in your PHP you can take the value and make your delete

<?php 

if(isset($_GET['username'])) {

    mysql_connect("host","username","pword") or die(mysql_error()); 
    mysql_select_db("db") or die(mysql_error()); 

    // the value is spliced straight into the SQL text - see the warning below
    $username = $_GET['username'];
    $result=mysql_query("DELETE FROM employee WHERE username='$username'") or die(mysql_error()); 

    echo "Employee Deleted"; 

}

?>

**Be careful though: your approach leaves you open to SQL injection attacks; you should read up about these.**

Chris
  • Thank you Chris. I tried that and unfortunately got this error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'username'];?>'' at line 1 – sd0093 Mar 25 '17 at 19:12
  • Can you show me what HTML you're using now for the delete link? – Chris Mar 25 '17 at 19:14
  • THAT WORKED. Thank you sooooo much :) – sd0093 Mar 25 '17 at 19:22
  • Great ... but do make sure you read up about SQL injection attacks. It may sound boring but it'll save you stress in the future. – Chris Mar 25 '17 at 19:23
  • Thanks.. I am familiar with SQL injection this is just a small project. Thank you :) – sd0093 Mar 26 '17 at 14:30
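As an added example (not part of Chris's answer or of the question), the script below shows what the kind of payload mentioned in the comments does to the concatenated DELETE, and that the same input bound as a parameter deletes nothing. It uses an in-memory SQLite database through PDO so it runs offline; the employee/username layout follows the question and the three sample rows are constructed.

```php
<?php
// Added example (not the question's or either answer's code): the effect of an
// injection payload on a concatenated DELETE, and the same input through a
// prepared statement. In-memory SQLite via PDO so it runs offline; table and
// column names follow the question, the sample rows are constructed.

function seedEmployees(PDO $db): void
{
    $db->exec("DROP TABLE IF EXISTS employee");
    $db->exec("CREATE TABLE employee (username TEXT PRIMARY KEY)");
    $ins = $db->prepare("INSERT INTO employee (username) VALUES (?)");
    foreach (['alice', 'bob', 'carol'] as $u) {   // constructed sample data
        $ins->execute([$u]);
    }
}

function countEmployees(PDO $db): int
{
    return (int) $db->query("SELECT COUNT(*) FROM employee")->fetchColumn();
}

// As in the question: the user-supplied value is pasted into the SQL text.
function deleteVulnerable(PDO $db, string $username): int
{
    return $db->exec("DELETE FROM employee WHERE username='$username'");
}

// The fix: the value is bound as a parameter and can never become SQL.
function deleteSafe(PDO $db, string $username): int
{
    $stmt = $db->prepare("DELETE FROM employee WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Same trick as the comment's "' or true or '", written with '1'='1' so it is
// valid for both MySQL and SQLite. The WHERE clause becomes:
//   username='' or '1'='1'
$payload = "' or '1'='1";

seedEmployees($db);
$n = deleteVulnerable($db, $payload);
printf("concatenated: %d rows deleted, %d left\n", $n, countEmployees($db));

seedEmployees($db);
$n = deleteSafe($db, $payload);
printf("prepared:     %d rows deleted, %d left\n", $n, countEmployees($db));
```

Run it with `php` and the pdo_sqlite extension enabled: the concatenated version removes all three rows, the prepared one removes none, because no employee is literally named `' or '1'='1`. The same contrast holds against MySQL; only the connection string changes.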
0

In the <input> you have name="employee", therefore you need $username = $_POST['employee'];

Also, your program is vulnerable to SQL injection. When you do this:

   $username = $_POST['username'];
   $result=mysql_query("DELETE FROM employee WHERE username='$username'")

you need to sanitize the $username variable. Start with this question to learn about SQLi:

How can I prevent SQL injection in PHP?

VRPF
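Putting both answers together, here is an added example (not code from the question or from either answer) of the corrected flow: the form posts so that `$_POST` is populated, the input name matches what the handler reads, the request carries a per-session CSRF token so the delete cannot be triggered from another site, and the DELETE runs as a prepared statement through PDO. The host, database name and credentials are the placeholders from the question; the page says nothing about who is allowed to delete employees, so no authorization check is shown.

```php
<?php
// Added example, not code from the question or either answer. Corrected delete
// flow: POST form with an input name the handler actually reads, a per-session
// CSRF token, and a prepared DELETE. Host/db/credentials are the placeholders
// from the question; employee/username follow it. Authorization (who may
// delete) is not covered by the page and is not shown.

session_start();

function db(): PDO
{
    return new PDO(
        'mysql:host=host;dbname=db;charset=utf8mb4',   // placeholder DSN
        'username',
        'pword',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]
    );
}

function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Listing page: one small form per row. A POST form rather than a GET link,
// because a link can be fired by any page that embeds it (CSRF); the token
// ties the request to this user's session.
function renderDeleteForm(string $username): string
{
    $u = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
    $t = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<td><form action="empdelete.php" method="post">'
         . '<input type="hidden" name="username" value="' . $u . '">'
         . '<input type="hidden" name="csrf" value="' . $t . '">'
         . '<button type="submit" class="btn btn-default">Delete</button>'
         . '</form></td>';
}

// empdelete.php: returns the number of rows removed (0 or 1 if username is unique).
function handleDelete(): int
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return 0;
    }
    $known    = $_SESSION['csrf'] ?? '';
    $token    = $_POST['csrf'] ?? '';
    $username = $_POST['username'] ?? '';
    // Reject when no token was ever issued, when either value is not a plain
    // string (csrf[]=x would otherwise hit hash_equals), or when they differ.
    if ($known === '' || !is_string($token) || !is_string($username)
        || !hash_equals($known, $token)) {
        http_response_code(403);
        return 0;
    }
    // The username travels as a bound parameter; it never becomes SQL text.
    $stmt = db()->prepare('DELETE FROM employee WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->rowCount();
}

if (PHP_SAPI !== 'cli') {   // entry point when served as empdelete.php
    echo handleDelete() === 1 ? 'Employee Deleted' : 'No employee deleted';
}
```

The listing page calls `renderDeleteForm($employee['username'])` in place of the original `<td>` block; `empdelete.php` is the part from `handleDelete()` down. Reporting the row count rather than printing "Employee Deleted" unconditionally also surfaces the original symptom: a request that arrives with an empty `$_POST` no longer claims success.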