
I'm working on a very basic PHP programme. I'm very new to PHP and am aware that I'm using the older versions, i.e. not PDO. I've been working on this for a while and can't figure out why it isn't working.

I'm simply trying to delete an item from my table which matches the user input.

(Also, if anyone has any easy recommendations I can use to have a safer delete function: I am aware that if the user input is 'r', for example, a huge chunk of the table will be deleted.)

Here is my code:

    <?php

    //delete from table
    if(isset($_POST['delete1']))
    {
        $deletevalue = $_POST['deletevalue'];
        $deletequery = "DELETE FROM users WHERE deletevalue = $deletevalue";
        $deleteresult = deleteTable($deletevalue);
    }

    function deleteTable ($deletevalue)
    {
        $connect = mysqli_connect("localhost", "root", "", "test_db");
        $delete_fromTable = mysqli_query($connect, $deletevalue);
        print mysqli_error($connect);
    }
    ?>

    <!DOCTYPE html>
    <html>
    <body>

    <form action="zzz.php" method="post">
    <p> Remove Item: <input type="text" name="deletevalue" placeholder="Item Name" /> </p>
    <input type="submit" name="delete1" value="submit" />
    </form>
    </body>
    </html>
Funk Forty Niner
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 19 '17 at 20:25
  • "Please don't Flame" does NOT mean you will escape all of the comments that tell you how badly your code is vulnerable. – random_user_name Apr 19 '17 at 20:26
  • Impossible to advise why this doesn't work without knowing your database table structure. – random_user_name Apr 19 '17 at 20:26
  • my database table structure just has 4 columns, Id, firstName, lastName and Age – Seán Cahill Apr 19 '17 at 20:27
  • Then why does your WHERE clause try to compare a column named `deletevalue` with something? – CBroe Apr 19 '17 at 20:28
  • `$_POST['delete1']` is an integer or string? If string the first comment addresses this. Use a parameterized query and this will be closer to working (or just might work). – chris85 Apr 19 '17 at 20:28
  • `WHERE name =` instead of `deletevalue` – BetaDev Apr 19 '17 at 20:29
  • Does your DB have a column named "deletevalue"? (Or, what CBroe said). – PaulJ Apr 19 '17 at 20:29
  • you also have a variable scope issue – Funk Forty Niner Apr 19 '17 at 20:30
  • You aren't even sending a SQL query.... `deleteTable($deletevalue)` needs to be `deleteTable($deletequery)` – chris85 Apr 19 '17 at 20:30
  • I misinterpreted the SQL syntax. I replaced deletevalue with firstName and it is still not working :( – Seán Cahill Apr 19 '17 at 20:30
  • @SeánCahill You have +/- 4 issues here. Please read over all the comments. – chris85 Apr 19 '17 at 20:31
  • If that's the whole code, it's obvious why it doesn't work: $deletequery and $deleteresult aren't being used, just set. There's no query going through at all, and having user input define what's being deleted doesn't seem a sensible option at all. – independent.guru Apr 19 '17 at 20:31
  • I'm trying to put everyone's comments into effect but I keep messing up my syntax :( – Seán Cahill Apr 19 '17 at 20:47
  • If you want to learn how to fix your code, it's simple: Visit these two links and apply that to your code http://php.net/manual/en/function.error-reporting.php - http://php.net/manual/en/mysqli.error.php and then Google the errors you get; best way to learn. – Funk Forty Niner Apr 19 '17 at 20:56

2 Answers


Here is what your code will look like (except for the security issue).

In this code you are deleting the record on the basis of the user's firstName; that's why the where clause is WHERE firstName = '$deletevalue'.

if(isset($_POST['delete1']))
{
    $deletevalue = $_POST['deletevalue'];
    //here put your table column in where clause
    $deletequery = "DELETE FROM users WHERE firstName = '$deletevalue'"; //if your form enters name of the users
    $deleteresult = deleteTable($deletequery);
}

function deleteTable ($deletequery)
{
     $connect = mysqli_connect("localhost", "root", "", "test_db");
     $delete_fromTable = mysqli_query($connect, $deletequery);
     print mysqli_error($connect);  
}

Check the column in your where clause: use WHERE name = if you are deleting on the basis of the name of the user.

Also note deleteTable($deletequery): you need to pass your query, not the value.

Note:
Yes, I know you are learning basic things, but my recommendations are
1) Use prepared statements; explore them a little bit
2) Delete records based on ID (a unique field), not name; name (firstName) might be the same for multiple users in the users table

BetaDev
  • Let's not teach/propagate sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Apr 19 '17 at 20:37
  • hehehe Jay, yeah thank you, but I am going to write in a note to use prepared statements. – BetaDev Apr 19 '17 at 20:38
  • I tried to use your code and it's telling me that the input is an "unknown column" in my where clause – Seán Cahill Apr 19 '17 at 20:40
  • so put your column name in where clause `where name=` to `where your_column_name =` see updated code – BetaDev Apr 19 '17 at 20:46
  • Id, firstName, lastName, Age – Seán Cahill Apr 19 '17 at 20:48
  • put your column name in where clause `WHERE firstName =` – BetaDev Apr 19 '17 at 20:55

Regarding all the comments, and agreeing completely with the security statements: you should really consider using PPS, Prepared Parameterized Statements. This will help prevent SQL injection. Plus, putting error_reporting(E_ALL); ini_set('display_errors', 1); at the top of your pages will help PHP give you hints about errors :)

This is a way (not the only one) to handle your query. Please read carefully and adapt names according to your DB structure and column names.

<?php

error_reporting(E_ALL); ini_set('display_errors', 1);

$host = ""; /* your credentials here */
$user = ""; /* your credentials here */
$pwd = ""; /* your credentials here */
$db = ""; /* your credentials here */

/* store in PHP variable */

$deletevalue = $_POST['deletevalue'];

echo "[ is my var ok ? -> $deletevalue ]"; /* just checking value */

// connection to db
$mysqli = mysqli_connect($host, $user, $pwd, $db);

/* mysqli_connect_error() takes no argument; stop here if there is no connection */
if (mysqli_connect_errno()) { echo "Error: no connection allowed : " . mysqli_connect_error(); exit; }

$query = " DELETE FROM `users` WHERE deletevalue = ? "; /* replace deletevalue with your real column name */

$stmt = $mysqli->prepare($query); /* prepare query */

$stmt->bind_param("s", $deletevalue); /* the value is sent as a parameter, never as part of the SQL -> 's' is for a string */

print_r($stmt->error_list); /* any error ? */
print_r($stmt->get_warnings()); /* any error ? */
print_r($stmt->error); /* any error ? */

/* another way of checking for errors :

if (!($stmt = $mysqli->prepare(" DELETE FROM `users` WHERE deletevalue = ? "))) {
    echo "Error attempting to prepare : (" . $mysqli->errno . ") " . $mysqli->error;
}

if (!$stmt->bind_param("s", $deletevalue)) {
    echo "Error attempting to bind params : (" . $stmt->errno . ") " . $stmt->error;
}
*/
if (!$stmt->execute()) { echo "false"; echo "Error attempting to execute : (" . $stmt->errno . ") " . $stmt->error; } else { echo "true"; }

$stmt->close();
$mysqli->close();

?>
OldPadawan
  • That looks really good but I don't understand any of it :( I'm just working on this for a small function as I begin to try and understand the very basics of PHP, then I will take a proper course – Seán Cahill Apr 19 '17 at 20:46
  • @SeánCahill : I commented the code as much as I can, then you also have to read the links given to you in all comments :) and it may look weird above, but is not that difficult to study -> good tutorials + RTM... – OldPadawan Apr 19 '17 at 20:48
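For the mysqli API the asker is actually using, here is an added, complete handler (my code, not the asker's or either answerer's) that applies both recommendations from this thread at once: it deletes by the unique Id rather than by firstName, validates that the posted value is a positive integer before the database is touched, binds it through a prepared statement, and reports how many rows were actually removed instead of printing mysqli_error. It assumes a MySQL server with the asker's table users(Id, firstName, lastName, Age); the credentials `app_user`/`app_password` are placeholders, and the form keeps the asker's field names deletevalue and delete1.

```php
<?php
// Added example, not the asker's or either answerer's code. Assumes a MySQL
// server reachable with the placeholder credentials below and the asker's
// table users(Id, firstName, lastName, Age).

// Make every mysqli failure throw mysqli_sql_exception instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function deleteUserById(mysqli $db, int $id): int
{
    $stmt = $db->prepare('DELETE FROM users WHERE Id = ?');
    $stmt->bind_param('i', $id);      // 'i': bound as an integer, never spliced into the SQL text
    $stmt->execute();
    $affected = $stmt->affected_rows; // 0 = no such Id, 1 = exactly one row removed
    $stmt->close();
    return $affected;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete1'])) {
    // Validate before touching the database: only a positive integer Id is accepted,
    // so 'r', '', or "x' OR '1'='1" are rejected here with a 400.
    $id = filter_input(INPUT_POST, 'deletevalue', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Remove Item expects a numeric user Id');
    }

    try {
        // Placeholder credentials: a dedicated account with only DELETE on this table, not root.
        $db = new mysqli('localhost', 'app_user', 'app_password', 'test_db');
        $affected = deleteUserById($db, $id);
        $db->close();
        echo $affected === 1 ? "Deleted user $id" : "No user with Id $id";
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // keep the SQL detail in the server log, not in the browser
        http_response_code(500);
        exit('Delete failed');
    }
}
?>
<!DOCTYPE html>
<html>
<body>
<form action="zzz.php" method="post">
<p>Remove Item (by Id): <input type="text" name="deletevalue" placeholder="User Id"></p>
<input type="submit" name="delete1" value="submit">
</form>
</body>
</html>
```

Because the Id is validated as an integer and bound with `'i'`, there is no string for an attacker to break out of; the prepared statement is still used so that the SQL text and the data never mix, and `affected_rows` tells the user whether the delete hit exactly one row or nothing at all.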