0

I am struggling with deleting data in my database with my drop-down menu. My drop-down menu looks like this:

<form method="post" action="admin.php">
<h3>Delete a user</h3>
<select name="username">
<?php
$sql = mysqli_query($connection, "SELECT username FROM users");
while ($row = $sql->fetch_assoc()){
?>

<option value="username" name="username">
<?php echo $row['username']; ?></option>
<?php } ?>
</select>
<input type="submit" name="delete" value="Delete User">
</form>

And this is displaying the users all good like I want it, so here is the PHP for it:

<?php 
include('connect.php');
if(isset($_POST['delete'])) {
$username = $_POST['username'];
mysqli_query("DELETE FROM `users` WHERE `username` = '$username' ");
echo "User was deleted!";
}
?>

So when I hit the submit button "Delete User", it looks like I get sent to admin.php and nothing happens.

How can I fix this? Thanks.

Alive to die - Anant
SebastianP
  • Why `name="username"` in ` – Nana Partykar Jul 10 '17 at 11:20
  • _Small note:_ ` – RiggsFolly Jul 10 '17 at 11:21
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jul 10 '17 at 11:21
  • That was honestly just something I tried to see if it worked, but no, it is not supposed to be there. – SebastianP Jul 10 '17 at 11:21
  • ``. Every time you submit, the `value` you pass is `username` – Regolith Jul 10 '17 at 11:25

4 Answers

3
  1. Replace name="username" from <option></option>
  2. Echo value in value of option.
  3. Connection variable missing in admin.php page

Updated Code

<select name="username">
  <?php
  $sql = mysqli_query($connection, "SELECT username FROM users");
  while ($row = $sql->fetch_assoc()){?>
    <option value="<?php echo $row['username']; ?>"><?php echo $row['username']; ?></option>
  <?php }?>
</select>

admin.php

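// $connection comes from connect.php; read the submitted username before binding it
$username = $_POST['username'];
$stmt = $connection->prepare("DELETE FROM `users` WHERE `username` = ?");
$stmt->bind_param('s', $username);
$stmt->execute();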
Dharman
Nana Partykar
1

1. <option value="username" name="username"> needs to be <option value="<?php echo $row['username']; ?>">

2. Connection variable is missing. It needs to be:-

mysqli_query($connection,"DELETE FROM `users` WHERE `username` = '$username' ");

Modified code needs to be:-

Form code:-

<?php
// comment out these two lines once the code is working fine
error_reporting(E_ALL);
ini_set('display_errors',1);

include('connect.php');
?>
<form method="post" action="admin.php">
    <h3>Delete a user</h3>
    <select name="username">
      <?php
      $sql = mysqli_query($connection, "SELECT username FROM users");
      while ($row = mysqli_fetch_assoc($sql)){?>
        <option value="<?php echo $row['username']; ?>"><?php echo $row['username']; ?></option>
      <?php }?>
    </select>
<input type="submit" name="delete" value="Delete User">
</form>

PHP code:-

<?php
// comment out these two lines once the code is working fine
error_reporting(E_ALL);
ini_set('display_errors',1);

include('connect.php');
if(isset($_POST['delete'])) {
    $username = $_POST['username'];
    if(mysqli_query($connection,"DELETE FROM `users` WHERE `username` = '$username' ")){
        echo "User was deleted!";
    }
}
?>

Note:- Always do some error reporting so that you will get the error and can rectify it.

Your query is vulnerable to SQL INJECTION so read about prepared statements and use them.

Alive to die - Anant
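
An added example, not code from the question or any answer: one way to write admin.php so the delete uses a bound parameter, reports when no row matched, and HTML-escapes the stored usernames it prints. It assumes connect.php sets $connection to a mysqli object as on this page; the helper h() and the $message variable are names introduced here.

```php
<?php
// Added example: delete handler and drop-down in one admin.php.
// Assumption: connect.php sets $connection to a mysqli instance, as on this page.
include('connect.php');
// Throw exceptions on SQL errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Escape stored data for HTML text and attribute context (hypothetical helper).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'])) {
    $username = $_POST['username'] ?? '';
    if (!is_string($username) || $username === '') {
        $message = 'No user selected.';
    } else {
        // The value is bound as data, never concatenated into the SQL text.
        $stmt = $connection->prepare('DELETE FROM `users` WHERE `username` = ?');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        // affected_rows is 0 when nothing matched, e.g. the literal "username"
        // that <option value="username"> submitted in the question.
        $message = $stmt->affected_rows > 0
            ? 'User was deleted!'
            : 'No such user; nothing was deleted.';
        $stmt->close();
    }
}
$users = $connection->query('SELECT username FROM users');
?>
<form method="post" action="admin.php">
  <h3>Delete a user</h3>
  <?php if ($message !== '') { ?><p><?php echo h($message); ?></p><?php } ?>
  <select name="username">
    <?php while ($row = $users->fetch_assoc()) { ?>
      <option value="<?php echo h($row['username']); ?>"><?php echo h($row['username']); ?></option>
    <?php } ?>
  </select>
  <input type="submit" name="delete" value="Delete User">
</form>
```

With the question's `<option value="username">`, this handler would answer "No such user" instead of appearing to do nothing. Access control and CSRF protection for admin.php are not shown and are assumed to be handled elsewhere.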
0

You are not putting the value in the select option; that's why nothing happens.
Just replace

<option value="username" name="username">
<?php echo $row['username']; ?></option>
<?php } ?>

with

<option value="<?php echo $row['username']; ?>">
<?php echo $row['username']; ?></option>
<?php } ?>

It will work for you.

Bibhudatta Sahoo
0

Change

<option value="username" name="username">
<?php echo $row['username']; ?></option>

To

<option value="<?php echo $row['username'] ?>" name="username">
<?php echo $row['username']; ?></option>
Sehdev