-2

When I click the delete button, it should delete the user in that row from the database. I also want help with the modify button in this table: if I click the modify button, it should change the user type (Admin, Chief, user). I already tried everything, but I don't know how I can solve it; that's why I'm asking for your help.

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <title>Pannel</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <style type="text/css">
        body {
            font: 14px sans-serif;
            text-align: center;
        }
    </style>
</head>

<body>
    <div class="page-header">
        <h1> Admin Pannel</h1>
    </div>
    <div>
    </div>
</body>

</html>

<?php

session_start();

require 'config.php';

$strSQL = "SELECT username, email, type FROM benutzer";
$rs = mysqli_query($link, $strSQL);

echo "<table border='1' style='margin: 0 auto'>
<tr>
<th class='text-center'>Name / Vorname</th>
<th class='text-center'>Email</th>
<th class='text-center'>Type</th>
<th class='text-center'>Modify</th>
<th class='text-center'>Delete</th>
</tr>";

while ($row = mysqli_fetch_array($rs)) {
    echo "<tr>";
    echo "<td>" . $row['username'] . "</td>";
    echo "<td>" . $row['email'] . "</td>";
    echo "<td>" . $row['type'] . "</td>";
    echo "<td><input type='submit' value='Modify' class='btn' name='modify'></td>";
    echo "<td><input type='submit' value='Delete' class='btn' name='delete'></td>";
    echo "</tr>";
}
echo "</table>";

if (isset($_POST['modify'])) {
    $username = $row['username'];
    $modify_query = mysqli_query($link, "UPDATE benutzer SET type='Mitarbeiter, Chef' WHERE username=$username");

    if ($modify_query) {
        mysqli_close($link);
        header("location:welcome.php");
        exit;
    } else {
        echo mysqli_close($link);
    }
}

if (isset($_POST['delete'])) {
    $username = $row['username'];
    $delete_query = mysqli_query($link, "DELETE FROM benutzer WHERE id=$username");

    if ($delete_query) {
        mysqli_close($link);
        echo "Record deleted successfully";
        exit;
    } else {
        echo mysqli_close($link);
    }
}
?>
Dharman
  • 30,962
  • 25
  • 85
  • 135
AP_08
  • 11
  • 5
  • 1
    1) Use prepared statements instead of string interpolation. 2) You do not capture or print out PHP or MySQL errors, so you are completely in the dark as to what could have gone wrong. – Shadow Dec 13 '20 at 13:47
  • You don't have a form on your page. A button cannot submit on its own. – El_Vanja Dec 13 '20 at 13:49
  • 1
    See about [SQL injection](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work). You should use [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) or [PDO](https://www.php.net/manual/en/book.pdo) instead. – El_Vanja Dec 13 '20 at 13:49
  • You should also submit the username as part of the form (with a hidden input perhaps). This way `$username = $row['username'];` it will always be the last one from the query. – El_Vanja Dec 13 '20 at 13:53
  • @El_Vanja can't even use `$row['username']`, that's not submitted to the server script but processed during the rendering of the client-sided script. – SSpoke Dec 13 '20 at 14:11
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Dec 13 '20 at 15:35

1 Answer

-2

Try this: you were missing hidden input types, so the PHP can't see your code you submitted.
Since you are showing a lot of usernames, you will need to create a bunch of input hidden types with name=username1, name=username2, etc., or it won't work well. I can show you an easier way to do it (look below this code).

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <title>Pannel</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <style type="text/css">
        body {
            font: 14px sans-serif;
            text-align: center;
        }
    </style>
</head>

<body>
    <div class="page-header">
        <h1> Admin Pannel</h1>
    </div>
    <div>
    </div>
</body>

</html>

<?php
session_start();
require('config.php');
$strSQL = "SELECT username, email, type FROM benutzer";
$rs = mysqli_query($link, $strSQL);
echo "<table border='1' style='margin: 0 auto'>
<tr>
<th class='text-center'>Name / Vorname</th>
<th class='text-center'>Email</th>
<th class='text-center'>Type</th>
<th class='text-center'>Modify</th>
<th class='text-center'>Delete</th>
</tr>";
while ($row = mysqli_fetch_array($rs)) {
    echo "<tr>";
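    echo "<td>" . htmlspecialchars($row['username'], ENT_QUOTES) . "</td>";
    echo "<td>" . htmlspecialchars($row['email'], ENT_QUOTES) . "</td>";
    echo "<td>" . htmlspecialchars($row['type'], ENT_QUOTES) . "</td>";
    echo "<form action='pannel.php' method='post'>";
    // Escape values before placing them in HTML; the id attributes were missing their opening quote.
    echo "<input type='hidden' id='username' name='username' value='" . htmlspecialchars($row['username'], ENT_QUOTES) . "'>";
    echo "<input type='hidden' id='email' name='email' value='" . htmlspecialchars($row['email'], ENT_QUOTES) . "'>";
    echo "<input type='hidden' id='type' name='type' value='" . htmlspecialchars($row['type'], ENT_QUOTES) . "'>";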
    echo "<td><input type='submit' value='Modify' class='btn' name='modify'></td>";
    echo "<td><input type='submit' value='Delete' class='btn' name='delete'></td>";
    echo "</form>";
    echo "</tr>";
}
echo "</table>";
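if (isset($_POST['modify'])) {
    $username = $_POST['username'];
    // Prepared statement: the username is bound as data, never concatenated into the SQL.
    $stmt = mysqli_prepare($link, "UPDATE benutzer SET type='Mitarbeiter, Chef' WHERE username=?");
    if ($stmt && mysqli_stmt_bind_param($stmt, 's', $username) && mysqli_stmt_execute($stmt)) {
        mysqli_close($link);
        header("location:welcome.php");
        exit;
    } else {
        // Print the MySQL error rather than the return value of mysqli_close().
        echo $stmt ? mysqli_stmt_error($stmt) : mysqli_error($link);
        mysqli_close($link);
    }
} else if (isset($_POST['delete'])) {
    $username = $_POST['username'];
    $stmt = mysqli_prepare($link, "DELETE FROM benutzer WHERE username=?");
    if ($stmt && mysqli_stmt_bind_param($stmt, 's', $username) && mysqli_stmt_execute($stmt)) {
        mysqli_close($link);
        echo "Record deleted successfully";
        exit;
    } else {
        echo $stmt ? mysqli_stmt_error($stmt) : mysqli_error($link);
        mysqli_close($link);
    }
}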

EDIT:

Easier way to do it

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <title>Pannel</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <style type="text/css">
        body {
            font: 14px sans-serif;
            text-align: center;
        }
    </style>
</head>

<body>
    <div class="page-header">
        <h1> Admin Pannel</h1>
    </div>
    <div>
    </div>
</body>

</html>

<?php
session_start();
require('config.php');
$strSQL = "SELECT username, email, type FROM benutzer";
$rs = mysqli_query($link, $strSQL);
echo "<table border='1' style='margin: 0 auto'>
<tr>
<th class='text-center'>Name / Vorname</th>
<th class='text-center'>Email</th>
<th class='text-center'>Type</th>
<th class='text-center'>Modify</th>
<th class='text-center'>Delete</th>
</tr>";
while ($row = mysqli_fetch_array($rs)) {
    echo "<tr>";
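    echo "<td>" . htmlspecialchars($row['username'], ENT_QUOTES) . "</td>";
    echo "<td>" . htmlspecialchars($row['email'], ENT_QUOTES) . "</td>";
    echo "<td>" . htmlspecialchars($row['type'], ENT_QUOTES) . "</td>";
    // URL-encode the username in the link (names may contain spaces); cell order follows the Modify / Delete headers.
    echo "<td><a href='pannel.php?modify=" . urlencode($row['username']) . "'>Modify " . htmlspecialchars($row['username'], ENT_QUOTES) . "</a></td>";
    echo "<td><a href='pannel.php?delete=" . urlencode($row['username']) . "'>Delete " . htmlspecialchars($row['username'], ENT_QUOTES) . "</a></td>";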
    echo "</tr>";
}
echo "</table>";
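if (isset($_GET['modify'])) {
    $username = $_GET['modify'];
    // Prepared statement: the username is bound as data, never concatenated into the SQL.
    $stmt = mysqli_prepare($link, "UPDATE benutzer SET type='Mitarbeiter, Chef' WHERE username=?");
    if ($stmt && mysqli_stmt_bind_param($stmt, 's', $username) && mysqli_stmt_execute($stmt)) {
        mysqli_close($link);
        header("location:welcome.php");
        exit;
    } else {
        // Print the MySQL error rather than the return value of mysqli_close().
        echo $stmt ? mysqli_stmt_error($stmt) : mysqli_error($link);
        mysqli_close($link);
    }
} else if (isset($_GET['delete'])) {
    $username = $_GET['delete'];
    $stmt = mysqli_prepare($link, "DELETE FROM benutzer WHERE username=?");
    if ($stmt && mysqli_stmt_bind_param($stmt, 's', $username) && mysqli_stmt_execute($stmt)) {
        mysqli_close($link);
        echo "Record deleted successfully";
        exit;
    } else {
        echo $stmt ? mysqli_stmt_error($stmt) : mysqli_error($link);
        mysqli_close($link);
    }
}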
SSpoke
  • 5,656
  • 10
  • 72
  • 124
  • I tried your code and I got an error but I'm a step closer. Error: Try this you were missing hidden input types so the php can't see your code you submitted – AP_08 Dec 13 '20 at 14:04
  • I think for `benutzer` you want not `WHERE id=$username` but `WHERE username=$username` – SSpoke Dec 13 '20 at 14:09
  • @Aimeric the error is because you put code where I was explaining; the code starts below, the stuff on top is just a summary of what I did. – SSpoke Dec 13 '20 at 14:12
  • Yes I realised it, but now when I click on the delete button it refreshes the page and nothing is happening. – AP_08 Dec 13 '20 at 14:14
  • @Aimeric did you replace `WHERE id=$username` to `WHERE username=$username` or maybe backwards I don't know how your database is setup, Does modify work alright? – SSpoke Dec 13 '20 at 14:15
  • yeah I changed but still not doing anything. Here you see how it looks: https://imgur.com/a/I67uYxe – AP_08 Dec 13 '20 at 14:27
  • and when I click delete Test User2 it shows me number 1 under the table. – AP_08 Dec 13 '20 at 14:33
  • When I click delete Test User2 it shows me number 1 under the table. Here is the link of the site http://192.168.178.72/pannel.php?modify=Test User2> Modify Test User2 – AP_08 Dec 13 '20 at 14:47
  • Using GET for a delete operation is a terrible idea. Bots can visit those pages, also users could accidentally access them from history or something similar. – El_Vanja Dec 13 '20 at 14:57
  • @Aimeric fixed the codes retry my whole solution I was missing `'` to close the html href tags.. and guys about the down votes I did this in like 5 minutes don't judge me if it works its good enough. – SSpoke Dec 13 '20 at 23:56
  • 1
    @SSpoke the code is working but when I click on the delete button still nothing happens. – AP_08 Dec 14 '20 at 09:58
  • 1
    @SSpoke I found out what the problem was I changed my `$username` with `$id` and now everything works out fine. Thanks for your help between – AP_08 Dec 14 '20 at 10:09
  • @AP_08 no problem ya I changed id back to username because I thought you made a mistake, I was wrong glad you got it working. – SSpoke Dec 15 '20 at 05:30
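
The advice from both comment threads combined into one script (an added example, not code from the question, the answer or any commenter): each row gets a POST form with the username in a hidden field, the queries are prepared statements, output is escaped, and mysqli errors are raised instead of ignored. It goes one step beyond the thread by adding a per-session form token. Assumptions: `config.php` defines `$link` as on the page, the script is `pannel.php` as in the answer, the `csrf` session key is hypothetical, `ALLOWED_TYPES` is taken from the types named in the question, and PHP 7.4+.

```php
<?php
// Added example, not code from the thread. Assumes config.php defines $link (mysqli),
// as on the page, and that the allowed types are the three named in the question.
session_start();
require 'config.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // query failures throw instead of passing silently

const ALLOWED_TYPES = ['Admin', 'Chief', 'user'];
$_SESSION['csrf'] ??= bin2hex(random_bytes(32)); // hypothetical session key for the form token
$e = fn($s) => htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');

// Handle the action before any output so the redirect header can still be sent.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['csrf'], (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Invalid form token');
    }
    $username = (string)($_POST['username'] ?? '');
    if (isset($_POST['delete'])) {
        $stmt = mysqli_prepare($link, 'DELETE FROM benutzer WHERE username = ?');
        mysqli_stmt_bind_param($stmt, 's', $username);
        mysqli_stmt_execute($stmt);
    } elseif (isset($_POST['modify']) && in_array($_POST['type'] ?? '', ALLOWED_TYPES, true)) {
        $type = $_POST['type']; // only reached for a value on the allowlist
        $stmt = mysqli_prepare($link, 'UPDATE benutzer SET type = ? WHERE username = ?');
        mysqli_stmt_bind_param($stmt, 'ss', $type, $username);
        mysqli_stmt_execute($stmt);
    }
    header('Location: pannel.php'); // redirect after POST so a reload does not resubmit
    exit;
}

$rs = mysqli_query($link, 'SELECT username, email, type FROM benutzer');
echo "<table border='1' style='margin: 0 auto'>";
echo '<tr><th>Name / Vorname</th><th>Email</th><th>Type</th><th>Action</th></tr>';
while ($row = mysqli_fetch_assoc($rs)) {
    echo '<tr><td>' . $e($row['username']) . '</td><td>' . $e($row['email']) . '</td>';
    echo '<td>' . $e($row['type']) . "</td><td><form method='post' action='pannel.php'>";
    echo "<input type='hidden' name='csrf' value='" . $e($_SESSION['csrf']) . "'>";
    echo "<input type='hidden' name='username' value='" . $e($row['username']) . "'>";
    echo "<select name='type'>";
    foreach (ALLOWED_TYPES as $t) {
        $sel = $t === $row['type'] ? ' selected' : '';
        echo "<option value='" . $e($t) . "'$sel>" . $e($t) . '</option>';
    }
    echo "</select> <input type='submit' name='modify' value='Modify' class='btn'>";
    echo " <input type='submit' name='delete' value='Delete' class='btn'></form></td></tr>";
}
echo '</table>';
```

Because the handler runs before the table is printed, the page's static HTML header has to come after this block, not before it, or the redirect cannot be sent.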