-2

I was coding a delete function called deleteProgram() inside a class and everything is working fine, but I want to add some JavaScript code.

```php
<?php

include_once 'db.inc.php';

class DeleteProgram extends Dbh{

    public function deleteProgram(){
        if(isset($_GET['deleteid'])){
            $id = $_GET['deleteid'];
            $sql = "DELETE FROM tblprogram WHERE id='$id';";

            $result = $this->connect()->query($sql);
            header("Location: ../php/program.php");
            exit();
        }
    }
}

$delete = new DeleteProgram;
$delete->deleteProgram();

?>
```

So, this is what I did. I created a try/catch inside my deleteProgram() function, inside the if statement, and there I use an echo to run the JavaScript code. But it didn't display anything, so that is where I got stuck.

```php
<?php
echo '<script src="https://unpkg.com/sweetalert/dist/sweetalert.min.js"></script>';
include_once 'db.inc.php';

class DeleteProgram extends Dbh{

    public function deleteProgram(){
        if(isset($_GET['deleteid'])){
            $id = $_GET['deleteid'];
            $sql = "DELETE FROM tblprogram WHERE id='$id';";
            try{
                $result = $this->connect()->query($sql);
                echo '<style>.swal-text{
                    text-align: center;
                }</style>';
                echo '<script>swal("Deleted Successfully!", "Program has been deleted", "success");</script>';
                header("Location: ../php/program.php");
                exit();
            }catch(PDOException $e){
                echo '<style>.swal-text{
                    text-align: center;
                }</style>';
                echo '<script>swal ( "Delete failed!" ,  "'.$e->getMessage().'" ,  "error" );</script>';
                exit();
            }
        }
    }

}

$delete = new DeleteProgram;
$delete->deleteProgram();

?>
```

  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/security.database.sql-injection) and should use [parameterized prepared statements](https://stackoverflow.com/q/60174/9193372). – Syscall Feb 11 '23 at 06:50
  • `echo`'s result is displayed in the page that is redirected. – Syscall Feb 11 '23 at 06:52
  • Hi! I already changed my code to avoid SQL injections, but I still don't know why echo doesn't work in my class – user19012336 Feb 11 '23 at 07:30
  • Do you mean that the `header("Location: ../php/program.php");` is where my echo will be displayed? If so, I still don't see anything :(( I'm still new to this stuff, maybe I'm doing something wrong – user19012336 Feb 11 '23 at 07:33
  • 2
    For example, if you replace `header()` with `exit()`, you will see the text. But `header()` tells the browser to reload the page with the given URL, so you do not have the time to see this text. – Syscall Feb 11 '23 at 07:42
  • Echo should **never** be used inside of a class in the first place. All this JS should be added **after** calling the deleteProgram, not inside. – Your Common Sense Feb 11 '23 at 17:09

1 Answer

-1

As suggested in the comments, your code is open to SQL injections; try using parameterized prepared statements instead.

The header() function is redirecting the user before the page is loaded, so the script is written but never shown as the new page is now loaded right after.

One solution is to use the $_SESSION. It can go like this:

In your DeleteProgram class PHP file:

```php
# [...]
session_start();
# [...]
if(isset($_GET['deleteid'])){
    $id = $_GET['deleteid'];
    $sql = "DELETE FROM tblprogram WHERE id='$id';";
    try{
        $result = $this->connect()->query($sql);
        echo '<style>.swal-text{
            text-align: center;
        }</style>';
        $_SESSION['swal'] = [
            'title' => "Deleted Successfully!",
            'message' => "Program has been deleted",
            'status' => "success"
        ];
        header("Location: ../php/program.php");
        exit();
    }catch(PDOException $e){
        # [...]
    }
}
# [...]
```

In the ../php/program.php file (somewhere in the <body>):

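```php
<?php
# [...]
session_start();
# [...]
?>
<?php if(isset($_SESSION['swal'])) {
    // json_encode() emits each value as a quoted JavaScript string literal
    $title = json_encode($_SESSION['swal']['title']);
    $message = json_encode($_SESSION['swal']['message']);
    $status = json_encode($_SESSION['swal']['status']);
    unset($_SESSION['swal']); // show the alert once, not on every page load
    echo "<script>swal($title, $message, $status);</script>";
} ?>
```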

May I also suggest that you not put CSS styles in your code like that. It's not very reliable as to where it's gonna be written. As your swal() function requires you to place a <script> tag to be used, consider placing your <style> tag next to it or so.

  • **Warning:** This code is wide open to [SQL Injections](https://php.net/manual/security.database.sql-injection). You should use [parameterized prepared statements](https://stackoverflow.com/q/60174/9193372) instead. – Syscall Feb 11 '23 at 19:37
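
An added example, not part of the original question or answer: the delete step rewritten with a parameterized PDO statement, with the flash message emitted as JSON-encoded JavaScript string literals. The function names `deleteProgramById()` and `renderFlash()`, the in-memory SQLite table and its rows are assumptions made for the demo; `tblprogram` and the `swal` title/message/status array come from the page.

```php
<?php
// Added example, not the poster's code. deleteProgramById() and renderFlash() are
// hypothetical names; tblprogram and the swal title/message/status array are from the page.
function deleteProgramById(PDO $pdo, string $rawId): array
{
    // Accept only a positive integer id; anything else is rejected before any SQL runs.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['title' => 'Delete failed!', 'message' => 'Invalid program id', 'status' => 'error'];
    }
    try {
        // The placeholder keeps the request value out of the SQL text entirely.
        $stmt = $pdo->prepare('DELETE FROM tblprogram WHERE id = :id');
        $stmt->execute([':id' => $id]);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // details go to the server log, not into the page
        return ['title' => 'Delete failed!', 'message' => 'Database error', 'status' => 'error'];
    }
    if ($stmt->rowCount() === 0) {
        return ['title' => 'Delete failed!', 'message' => 'No such program', 'status' => 'error'];
    }
    return ['title' => 'Deleted Successfully!', 'message' => 'Program has been deleted', 'status' => 'success'];
}

function renderFlash(array $flash): string
{
    // json_encode() produces quoted JS string literals; the HEX flags keep a value
    // from closing the <script> element or terminating the string early.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $args = array_map(fn($v) => json_encode((string) $v, $flags),
                      [$flash['title'], $flash['message'], $flash['status']]);
    return '<script>swal(' . implode(', ', $args) . ');</script>';
}

// Constructed demo data in an in-memory SQLite database (needs the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblprogram (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO tblprogram (name) VALUES ('BSIT'), ('BSCS'), ('BSCE')");

// First value is a normal id, second is a constructed hostile deleteid value.
foreach (['2', "1' OR '1'='1"] as $deleteid) {
    $flash = deleteProgramById($pdo, $deleteid); // handler: $_SESSION['swal'] = $flash; header(); exit();
    echo renderFlash($flash), PHP_EOL;           // program.php: read, unset($_SESSION['swal']), echo
}
echo $pdo->query('SELECT COUNT(*) FROM tblprogram')->fetchColumn(), ' rows left', PHP_EOL;
```

In the real pages the two halves run in different requests: the handler stores the array in `$_SESSION['swal']` and redirects, and `program.php` renders it once and unsets it.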