1

I am creating a simple app using node, express, mysql.

I am trying to create a route with which I can delete a row from my db, I wrote a pure javascript xhr.

when I test it I keep getting the following error message

POST http://localhost:3000/article/22 404 (Not Found)

this is what I have:

main.js

function handleDeleteClick(e, userId) {
    e.preventDefault(); // Prevent default behaviour of this event (eg: submitting the form

    // Perform the AJAX request to delete this user
    var target = e.target;
    var id = target.getAttribute('data-id');
    var page = '/article/' + id;
    var parameters = 'delete=true';
    var xmlhttp = new XMLHttpRequest();

    if (confirm('Are you sure you want to delete this?') == true) {
        xmlhttp.onreadystatechange = function() {
            if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                // Request completed
            }
        }
        xmlhttp.open("POST", page, true);
        xmlhttp.send(parameters);
    }
}

and the route app.js

app.delete('/article/:id', function(req, res) {
    con.query(`DELETE FROM posts WHERE posts.id = ${req.params.id}`,
        function(err, result, fields) {
            if (err) {
                console.log(err);
            } else {
                console.log("deleted Record: " + result.affectedRows);
                res.redirect('/')
            }
        });
});

what am I missing?

help is very much appreciated! thanks.

chakeda
  • 1,551
  • 1
  • 18
  • 40
BeesWax
  • 102
  • 1
  • 9

3 Answers3

2

change POST to DELETE in your main.js-file:

xmlhttp.open("DELETE", page, true);

You are getting this 404 NOT FOUND error because route POST /article/:id does not exist (it's DELETE /article/:id).

Note: Your DELETE-query is vulnerable for SQL-injection attacks escaping-query-values

Escape query values:

con.query('DELETE FROM posts WHERE posts.id = ?', [req.params.id]);

Note: Actually, correct http status for this case is 405 METHOD NOT ALLOWED, but express by default doesn't distinguish those cases

Ihor Sakailiuk
  • 5,642
  • 3
  • 21
  • 35
  • 1
    thanks for all answers! I will set this one to be the 'best' answer since it is the most complete and points out most focus points. Thank you! I am aware of the vulnarability but this is for later concern since I am first getting stuff up and running on a local environment, before securing it. Much appreciated! – BeesWax Oct 04 '18 at 14:33
  • one questions remains, why isnt it rerouting after deletion? – BeesWax Oct 04 '18 at 14:35
  • @Bee I think you need to handle it on the front-end side – Ihor Sakailiuk Oct 04 '18 at 14:41
  • 1
    correct! sorry about that. Indeed this needed to be done in main.js. thanks again. – BeesWax Oct 04 '18 at 14:42
1

app.delete expects to recieve a DELETE request.

xmlhttp.open("POST", page, true); is sending a POST request.

Change the second argument to "DELETE" to make a DELETE request.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335
1

you have a delete route in your server, so if you want to send a request to that route, you should pass "DELETE" parameter to xmlhttp.

so simply change

xmlhttp.open("POST", page, true);

to

xmlhttp.open("DELETE", page, true);

also, this answer may help you understand using XMLHttpRequest better

Do not insert params directly into your database query

As others said, you are vulnerable to SQLInjection attacks. you should evaluate params first instead of just inserting it directly into your SQL query

ganjim
  • 1,234
  • 1
  • 16
  • 30