
I am fetching a query which has a delete button next to it. I want the first query never to get deleted, and so the first query which is displayed should not have a delete button. Here is my code.

<ul>
<?php 
require('connect.php');
$gettheid = $_GET['id'];
$query = "SELECT * FROM `shoppinglist` WHERE items='".$gettheid."'";
if ($result = $conn->query($query)) {
   while($row = $result->fetch_object()){
       $id = $row->srno;
       $item = $row->items;
       $image = $row->image;
?>

<li>
<div class="intheline"><a href="itemdelete.php?delete=<?php echo $id; ?>">Delete</a></div>
<div class="thumbnail intheline">
<img src="photo/<?php echo $image; ?>" />
</div>
<div class="intheline">Name of the item: <?php echo $item; ?></div>
</li>
<?php } } ?>
</ul>

I do not want the below-mentioned line to get displayed for the first record.

<div class="intheline"><a href="itemdelete.php?delete=<?php echo $id; ?>">Delete</a></div>

Help will be appreciated :)

  • how about a counter in the loop – Nov 28 '17 at 21:16
  • If you could show, as I am not much into PHP – Mustafa Aliasgar Nov 28 '17 at 21:18
  • [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a class for](https://github.com/GrumpyCrouton/GrumpyPDO) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](https://phpdelusions.net/pdo/mysqli_comparison) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Nov 28 '17 at 21:21
  • @GrumpyCrouton tell Little Bobby to first solve my query then we will talk. – Mustafa Aliasgar Nov 28 '17 at 21:23
  • @MustafaAliasgar Well I was going to write an answer, but with that attitude I think I will pass. – GrumpyCrouton Nov 28 '17 at 21:24
  • @GrumpyCrouton Not an issue.. nice article though! – Mustafa Aliasgar Nov 28 '17 at 21:26
  • @GrumpyCrouton I couldn't understand what was there in that link; too weak knowledge of PHP – Mustafa Aliasgar Nov 28 '17 at 21:36
  • @MustafaAliasgar Yeah that's the problem with essentially code only answers. The answer is there, just not explained. I'll write up a short explanation I suppose. – GrumpyCrouton Nov 28 '17 at 21:37

1 Answer


The Solution

The actual solution here is only 4 new lines of code.

Before the while loop, we declare a variable called $counter, which will hold which iteration we are on in the loop.

$counter = 0;

At the end of the loop, but before closing it, we add 1 to the $counter variable; this means 1 will be added for every iteration in the loop.

$counter++;

Now, we just surround the delete <a> element with an IF statement, checking if $counter is not 0. If $counter is anything except 0, it will show the link.

if($counter != 0) {
    echo "<a href='itemdelete.php?delete={$id}'>Delete</a>";
}

MAJOR SECURITY RISK

I can not stress enough how insecure your query is.

Little Bobby says you may be at risk for SQL Injection Attacks. Learn about Prepared Statements with parameterized queries. I recommend PDO, which I wrote a class for to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, This article may help you choose between MySQLi and PDO

It is very important that you fix this security issue, no matter how big your application is (or is not). I highly urge you to fix this for this query, and any other queries you may have in your application AS SOON AS POSSIBLE.

Above, I linked to a PDO class that I made. PDO is generally a better tool than mysqli_*, as it supports many different types of databases. I believe it is more highly regarded by a lot of developers. Even if you do not wish to use my class or another class, I highly recommend you switch over to PDO anyway.


Complete code

<ul>
    <?php 
        require('connect.php');
        $gettheid = $_GET['id'];

        //this query has some serious security risks, anyone can alter a $_GET variable to be anything
        //meaning they can interact with your database in ways you did not want. Including deleting any row
        //or even entire tables easily.
        $query = "SELECT * FROM `shoppinglist` WHERE items='".$gettheid."'";


        //the actual solution is a counter, so you need to create a variable to hold how many rows you have gone through.
        $counter = 0;
        if ($result = $conn->query($query)) {
           while($row = $result->fetch_object()){
               $id = $row->srno;
               $item = $row->items;
               $image = $row->image;
                ?>
                    <li>
                        <div class="intheline">
                            <?php
                                //if counter is not 0, display the delete link 
                                if($counter != 0) {
                                    echo "<a href='itemdelete.php?delete={$id}'>Delete</a>";
                                }
                            ?>
                        </div>
                        <div class="thumbnail intheline">
                            <img src="photo/<?php echo $image; ?>" />
                        </div>
                        <div class="intheline">Name of the item: <?php echo $item; ?></div>
                    </li>
                <?php 

                //add 1 to $counter for every iteration, so only the first iteration it will be equal to 0.
                $counter++;
            } 
        } 
    ?>
</ul>
GrumpyCrouton
  • Haha, it worked... how will I ever thank you... now that comment is really scary, as I have tons of GET variables on my site... how do I resolve that??!!! – Mustafa Aliasgar Nov 28 '17 at 21:48
  • @MustafaAliasgar Well, a lot of issues can be resolved by using prepared statements with parameterized queries. This will not solve the issue of people simply changing the number they are deleting however. Fixing that is a bigger issue, in which you will need more advanced techniques, perhaps generating a string that is a few digits to determine which row to delete instead of just a simple ID. – GrumpyCrouton Nov 28 '17 at 21:51
  • You are right; just getting all the info I could from those articles. Thank you so much. – Mustafa Aliasgar Nov 28 '17 at 21:58
  • @MustafaAliasgar No problem. If I helped you feel free to give me an upvote and/or mark my answer as correct if it solved your issue. – GrumpyCrouton Nov 28 '17 at 21:59
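The listing from the question and the delete handler it links to, rewritten the way the answer recommends: the same $counter rule for hiding the first delete link, but with PDO prepared statements so the $_GET values are bound as parameters rather than concatenated into SQL, and with every echoed value HTML-escaped. This is an added example, not code from the question or the answer. It assumes connect.php defines $pdo as a PDO connection (opened with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION) and that the table and columns are as in the question (shoppinglist: srno, items, image); the helper names h(), fetch_items(), delete_item(), render_list() and handle_delete() are this example's own.

```php
<?php
// Added example (not from the original post). Assumptions: connect.php defines $pdo,
// a PDO connection with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION; the table is
// `shoppinglist` with columns srno, items, image as in the question.
require('connect.php');

// Escape every dynamic value that is echoed into HTML (helper name is our choice).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rows whose items column equals the requested value. The value is bound as a
// parameter, so SQL text and data are never concatenated: an input such as
//   ' OR 1=1 --
// is compared literally against the items column instead of being parsed as SQL.
function fetch_items(PDO $pdo, string $items): array
{
    $stmt = $pdo->prepare('SELECT srno, items, image FROM `shoppinglist` WHERE items = :items');
    $stmt->execute([':items' => $items]);
    return $stmt->fetchAll(PDO::FETCH_OBJ);
}

// The prepared DELETE that itemdelete.php should run instead of interpolating
// $_GET['delete']. Returns the number of rows removed (0 when the id does not exist).
function delete_item(PDO $pdo, int $srno): int
{
    $stmt = $pdo->prepare('DELETE FROM `shoppinglist` WHERE srno = :srno');
    $stmt->execute([':srno' => $srno]);
    return $stmt->rowCount();
}

// What itemdelete.php should do: validate the id as an integer first, reject
// anything else with a 400, then run the prepared DELETE.
function handle_delete(PDO $pdo, array $query): int
{
    $srno = filter_var($query['delete'] ?? '', FILTER_VALIDATE_INT);
    if ($srno === false) {
        http_response_code(400);
        return 0;
    }
    return delete_item($pdo, $srno);
}

// Render the list; the first row (counter 0) gets no delete link, as in the answer.
function render_list(array $rows): string
{
    $html = "<ul>\n";
    $counter = 0;
    foreach ($rows as $row) {
        $html .= "<li>\n<div class=\"intheline\">";
        if ($counter !== 0) {
            $html .= '<a href="itemdelete.php?delete=' . h((string) $row->srno) . '">Delete</a>';
        }
        $html .= "</div>\n";
        $html .= '<div class="thumbnail intheline"><img src="photo/' . h($row->image) . '" /></div>' . "\n";
        $html .= '<div class="intheline">Name of the item: ' . h($row->items) . "</div>\n</li>\n";
        $counter++;
    }
    return $html . "</ul>\n";
}

// Only accept a plain string for id; ?id[]=x would arrive as an array.
$gettheid = is_string($_GET['id'] ?? null) ? $_GET['id'] : '';
echo render_list(fetch_items($pdo, $gettheid));
```

A parameterized query stops the input from changing the meaning of the SQL, which is the injection risk the answer is warning about. It does not stop a visitor from typing a different valid srno into itemdelete.php, the point raised in the comments: that is an authorization problem, and the usual fix is to also bind the logged-in user's id in the DELETE's WHERE clause (or, as the comment suggests, to use an unguessable token instead of a sequential id) so a row can only be deleted by the account it belongs to.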