0

I have made a CRUD application using PHP and Bootstrap.

My delete_record.php file contains the following code:

<?php

include("includes/header.php");
include("includes/nav.php");

if (isset($_GET['mid'])) {
  $sql = "DELETE FROM medical_records WHERE mid = " . $_GET['mid'];
  //echo $sql;
  if (mysqli_query($con, $sql)) {
    //header("Location: {$_SERVER['HTTP_REFERER']}");
    echo "Record successfully deleted";
  } else {
    echo "Error: " . mysqli_error($con);
  }
}?>
<?php include("includes/footer.php"); ?>

The page used to make a simple redirect to the previous url with this line:

header("Location: {$_SERVER['HTTP_REFERER']}");

I have commented it out in order to "Ajaxify" the process. For this purpose I have used:

$('.delete-icn').on('click', function(evt){
    evt.preventDefault();
    var mid = $(this).data('mid');

    if(confirm('Are you sure you want to delete?')) {
        $.ajax({
            url: 'delete_record.php?mid=' + mid,
            method: 'GET',
            data: {mid:mid},
            success: function(deleteMsg){
                $('#delete_msg').slideDown(250);
                $('#delete_msg').text(deleteMsg);
            }
        });
    }
});

But this not only does not delete the record, it returns the html of an entire page inside the alert paragraph tag <p id="delete_msg" class="text-center alert alert-success"></p> instead of only "Record successfully deleted";

Where is the mistake? Thank you!

UPDATE: In the delete_record.php file I have kept only:

if (isset($_GET['mid'])) {
   $sql = "DELETE FROM medical_records WHERE mid = " . $_GET['mid'];
   if (mysqli_query($con, $sql)) {
     //header("Location: {$_SERVER['HTTP_REFERER']}");
     echo "Record successfully deleted";
   } else {
    echo "Error: " . mysqli_error($con);
   }
}?>

No significant change happened as a result of this.

miken32
  • 42,008
  • 16
  • 111
  • 154
Razvan Zamfir
  • 4,209
  • 6
  • 38
  • 252

2 Answers2

1

Ok, your answer may work fine, but here's a question. What happens when someone calls http://example.com/delete_record.php?mid=1&20OR%201%3D1? Answer: you execute the following query and your entire database is wiped out.

DELETE FROM medical_records WHERE mid = 1 OR 1=1;

Try using prepared statements instead:

<?php
include("functions/init.php");
if (isset($_GET['mid'])) {
    $sql = "DELETE FROM medical_records WHERE mid = ?";
    $stmt = $con->prepare($sql);
    $stmt->bind_param("i", $_GET["mid"]);
    if ($stmt->execute()) {
        echo "Fisa a fost stearsa.";
    } else {
        echo "Error: $stmt->error";
    }
}
miken32
  • 42,008
  • 16
  • 111
  • 154
-1

Use mysqli_affected_rows to check whether DELETE query worked or not.

Example (from php.net)

<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");

if (!$link) {
    printf("Can't connect to localhost. Error: %s\n", mysqli_connect_error());
    exit();
}

/* Insert rows */
mysqli_query($link, "CREATE TABLE Language SELECT * from CountryLanguage");
printf("Affected rows (INSERT): %d\n", mysqli_affected_rows($link));

mysqli_query($link, "ALTER TABLE Language ADD Status int default 0");

/* update rows */
mysqli_query($link, "UPDATE Language SET Status=1 WHERE Percentage > 50");
printf("Affected rows (UPDATE): %d\n", mysqli_affected_rows($link));

/* delete rows */
mysqli_query($link, "DELETE FROM Language WHERE Percentage < 50");
printf("Affected rows (DELETE): %d\n", mysqli_affected_rows($link));

/* select all rows */
$result = mysqli_query($link, "SELECT CountryCode FROM Language");
printf("Affected rows (SELECT): %d\n", mysqli_affected_rows($link));

mysqli_free_result($result);

/* Delete table Language */
mysqli_query($link, "DROP TABLE Language");

/* close connection */
mysqli_close($link);
?>

Reference http://php.net/manual/en/mysqli.affected-rows.php

Hamza Rashid
  • 1,329
  • 15
  • 22