Delete database entry using form with php

Hi, I am trying to add buttons to a table so I can delete table rows in a database, and I need help.

Sorry if I posted in the wrong section; to me this looks like a PHP problem. I tried doing a search but I'm not sure what to search for.

Here is the form that posts to delete_special.php

[code]<form action="data/delete_special.php" method="post">
    <input type="hidden" name="delete_id" value="<?php echo $row['id']; ?>" />
    <input type="submit" value="Delete" />
</form>[/code]

delete_special.php
[code]<?php

error_reporting(E_ALL);//all errors
echo "<br>";
var_dump();            //whats in variable
echo "<br>";
var_dump($_POST);      //whats in post

echo "<br>";
echo "Row ID ="; echo $_POST['delete_id'];

// Connect to database server
mysql_connect("localhost", "root", "usbw") or die (mysql_error ());

// Select database
mysql_select_db("fruit") or die(mysql_error());

// The SQL statement that deletes the record
$strSQL = "DELETE FROM special WHERE id = $_POST['delete_id'];
mysql_query($strSQL);

// Close the database connection
mysql_close();
//header('Location: index.php');
?>[/code]

Thanks for the reply.

This is the error I get.

Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in F:\usbwebserver\root\fruit\admin\data\delete_special.php on line 20

This will fix the error:

[code]$strSQL = "DELETE FROM special WHERE id = {$_POST['delete_id']};[/code]

More help needed please.

New error:
Parse error: syntax error, unexpected end of file in F:\usbwebserver\root\fruitninja\admin\data\delete_special.php on line 17

Code:

[code] <?php

// Connect to database server
mysql_connect("localhost", "root", "usbw") or die (mysql_error ());

// Select database
mysql_select_db("fruit") or die(mysql_error());

// The SQL statement that deletes the record
$strSQL = "DELETE FROM special WHERE id = {$_POST['delete_id']};
mysql_query($strSQL);

// Close the database connection
mysql_close();

?>[/code]

Thanks for help.

You can actually see the error in your IDE or in the formatted code here on phphelp.

[php] <?php

// Connect to database server
mysql_connect("localhost", "root", "usbw") or die (mysql_error ());

// Select database
mysql_select_db("fruit") or die(mysql_error());

// The SQL statement that deletes the record

    // See how everything from here is red, this means the code mark up
    // thinks all this is a string. That is your problem
$strSQL = "DELETE FROM special WHERE id = $_POST['delete_id'];
mysql_query($strSQL);

// Close the database connection
mysql_close();

?>[/php]

What’s even worse is that you’re using mysql_* functions, which are deprecated and highly insecure. Your string error is actually doing you a favor with terminating the script so you’re not hackable.

Does PDO work with PHP version 5.2.17? My web host is a bit behind.

Can you recommend a good tutorial site with examples? I am having a bit of difficulty trying to learn PHP. A lot of the examples I have found are for mysql, although someone told me I should use mysqli, and now I am told to use PDO, which I have never heard of. My web host only has version 5.2.17 of PHP, and usbwebserver, which I like to use, has version 5.4.17 of PHP.

About ready to surrender and give up.

Both mysqli and PDO are valid alternatives today; choose either (and do it correctly) and you're good to go.

Change web host. 5.2 is so old it's ridiculous.
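For reference, here is what delete_special.php looks like rewritten with PDO prepared statements, so the id never touches the SQL text. This is an added example, not code from any post in this thread. The table and column names (special, id), the database name (fruit) and the form field (delete_id) are taken from the thread; the database account, its password, the exact DSN and the redirect target are assumptions. PDO has been bundled with PHP since 5.1, so it is available on the 5.2.17 host; nothing below needs syntax newer than that.

```php
<?php
// Added example (not code from the thread): a hardened delete_special.php using
// PDO prepared statements. DSN, credentials and the redirect target are assumed.

// 1. Only accept the POST the form sends; a GET with ?delete_id=... must not delete.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    header('HTTP/1.1 405 Method Not Allowed');
    exit;
}

// 2. Validate before use: the id must be a positive integer. Anything else,
//    including "1 OR 1=1", is rejected here and never reaches the database.
$deleteId = isset($_POST['delete_id'])
    ? filter_var($_POST['delete_id'], FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)))
    : false;
if ($deleteId === false) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid delete_id');
}

try {
    // 3. Connect as a dedicated, low-privilege account (assumed name), not root.
    //    Exceptions instead of silent failure; real server-side prepares, not emulated.
    $pdo = new PDO('mysql:host=localhost;dbname=fruit;charset=utf8', 'fruit_app', 'assumed-password');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // 4. The SQL text is fixed; the value travels separately as a typed bound
    //    parameter, so no quoting or escaping of the user input is needed at all.
    $stmt = $pdo->prepare('DELETE FROM special WHERE id = :id');
    $stmt->bindValue(':id', $deleteId, PDO::PARAM_INT);
    $stmt->execute();

    // rowCount() on a DELETE is the number of rows removed.
    if ($stmt->rowCount() === 0) {
        header('HTTP/1.1 404 Not Found');
        exit('No row with that id');
    }
} catch (PDOException $e) {
    // Log the detail server-side; never echo driver errors to the browser
    // (the original "or die(mysql_error())" did exactly that).
    error_log('delete_special failed: ' . $e->getMessage());
    header('HTTP/1.1 500 Internal Server Error');
    exit('Delete failed');
}

// Back to the admin page; the path is an assumption based on the thread's
// admin/data/ layout.
header('Location: ../index.php');
exit;
```

The thread's original script connected as root; the account above is meant to be one that can only DELETE (and whatever else the admin pages need) on that one table, so a bug in this script cannot take out anything else. Authentication for the admin area and a per-session token on the delete form are outside what the thread discusses, but any state-changing POST endpoint like this one needs both.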

You’re missing your closing quote for your query, which I believe Jim was referring to but he didn’t directly point it out. If you look at the code markup, you’ll notice the colors are incorrect after the end of your query, because the closing quote is missing.

[php]$strSQL = "DELETE FROM special WHERE id = $_POST['delete_id'];[/php]

I’d change to this:
[php]$deleteID = $_POST['delete_id'];
$strSQL = "DELETE FROM special WHERE id = $deleteID";[/php]

I like to variablize my $_POSTs because it makes the code look shorter and cleaner, and you're less likely to make a mistake because you'll be looking at fewer single and double quotes.

Did you miss my comment? :P

[php] // See how everything from here is red, this means the code mark up
// thinks all this is a string. That is your problem[/php]

I generally dislike this practice. It just adds another line to the code and another set of bytes to memory. That's basically all it does.

This looks much better imo
[php]$string = 'Some string here for the user: '.$_POST['username'];[/php]

[quote]I like to variablize my $_POSTs because it makes the code look shorter and cleaner, and you're less likely to make a mistake because you'll be looking at fewer single and double quotes.[/quote]

It would appear you have not learned you can do this {$_POST['info']} and not use ANY quotes or escaping.

[php]$strSQL = "DELETE FROM special WHERE id = {$_POST['delete_id']}";[/php]

One important issue with turning all your $_POST or $_GET vars to variables is when someone is deep in your code it is not obvious where those variables came from.

[php]echo "Very obvious this var {$_POST['info']} is from my form. No quotes & concatenation to escape it";

echo "I have no idea where this variable $info came from just looking at this line.";[/php]

Just to elaborate on Jim's example…

[php]$string = 'Some string here for the user: '.$_POST['username'];[/php]

If you were to add additional text after the variable, you would have to do additional escaping like so:
[php]$string = 'Some string here for the user: '.$_POST['username'].' and more text';[/php]

To me this is easier and less mistake-prone, and it is quite readable and very clean:

[php]$string = "Some string here for the user: {$_POST['username']} and more text";[/php]

All that being said…,
You should never trust user-submitted data, so now you are at a point where there IS a good reason to create a variable with a verbose variable name, and that is when you rightfully should have sanitized the user-submitted data.

[php]$sanitized_posted_username = sanitizer_function($_POST['username']);[/php]

Now you have a variable and it is clear by the name where it came from. Trust me, when you come back to even your own code years later you will be glad for the verbosity (is that even a word?)

[quote]It would appear you have not learned you can do this {$_POST['info']} and not use ANY quotes or escaping.[/quote]
I've learned it just fine; I just prefer not to use that method, and it still has single quotes around the value 'info', so it kind of defeats the purpose I originally stated. For a novice, fewer quotes means less chance of an error and more chance of recognizing one.
[quote]One important issue with turning all your $_POST or $_GET vars to variables is when someone is deep in your code it is not obvious where those variables came from.[/quote]
Highly doubtful. I group all my $_* variables together, and the variable names are always indicative of what they were created from. And, really, how hard is it to do a Ctrl+F and find where the variable comes from? Anyone looking at code they haven't personally created will have to do that anyway.
[quote]You should never trust user-submitted data, so now you are at a point where there IS a good reason to create a variable with a verbose variable name, and that is when you rightfully should have sanitized the user-submitted data.[/quote]
Isn't sanitizing data a pretty default practice already?
[quote]how hard is it to do a Ctrl+F and find where the variable comes from[/quote]

It is highly likely that the source of a variable is not going to be on the page you are working on. So ctrl+f will not do any good.

[quote]Isn't sanitizing data a pretty default practice already?[/quote]
For those in the know, but there are thousands of lines of code out there that are not sanitized for their purpose, parameterized queries excluded.
[quote]it still has single quotes around the value 'info', so it kind of defeats the purpose I originally stated.[/quote]

I am confused. Using YOUR example, the post quotes are still there (Which they should be). There is just more code to do the same thing.

[php]$deleteID = $_POST['delete_id'];
$strSQL = "DELETE FROM special WHERE id = $deleteID";[/php]

I have to admit, though, the above is exactly how I did things when I was a noob first learning PHP. I didn't know any other way at the time. Here is some actual code from an app I did when I was a noob. So embarrassing, but it shows what a cluster F*ck it can be doing it the way you suggest. All this before anything even happens :o :o

[php]if (isset($_REQUEST["a"])) {$a = $_REQUEST["a"];} // $_REQUEST handles POST and GET
if (isset($_REQUEST["logout"])) {$logout = $_REQUEST["logout"];}
if (isset($_REQUEST["msg"])) {$msg = $_REQUEST["msg"];}
if (isset($_REQUEST["validate"])) {$validate = $_REQUEST["validate"];}
if (isset($_REQUEST["keyword"])) {$keyword = $_REQUEST["keyword"];}
if (isset($_REQUEST["keywords"])) {$keywords = $_REQUEST["keywords"];}
if (isset($_REQUEST["bid_id"])) {$bid_id = $_REQUEST["bid_id"];}
if (isset($_REQUEST["bid_amount"])) {$bid_amount = $_REQUEST["bid_amount"];}
if (isset($_REQUEST["url"])) {$url = $_REQUEST["url"];}
if (isset($_REQUEST["description"])) {$description = $_REQUEST["description"];}
if (isset($_REQUEST["submission_id"])) {$submission_id = $_REQUEST["submission_id"];}
if (isset($_REQUEST["email"])) {$email = $_REQUEST["email"];}
if (isset($_REQUEST["updatekey"])) {$updatekey = $_REQUEST["updatekey"];}
if (isset($_REQUEST["account_id"])) {$account_id = $_REQUEST["account_id"];}
if (isset($_REQUEST["oldtitle"])) {$oldtitle = $_REQUEST["oldtitle"];}
if (isset($_REQUEST["oldurl"])) {$oldurl = $_REQUEST["oldurl"];}
if (isset($_REQUEST["olddescription"])) {$olddescription = $_REQUEST["olddescription"];}
if (isset($_REQUEST["error"])) {$error = $_REQUEST["error"];}
if (isset($_REQUEST["C_name"])) {$C_name = $_REQUEST["C_name"];}
if (isset($_REQUEST["C_address"])) {$C_address = $_REQUEST["C_address"];}
if (isset($_REQUEST["C_city"])) {$C_city = $_REQUEST["C_city"];}
if (isset($_REQUEST["C_state"])) {$C_state = $_REQUEST["C_state"];}
if (isset($_REQUEST["C_zip"])) {$C_zip = $_REQUEST["C_zip"];}
if (isset($_REQUEST["C_email"])) {$C_email = $_REQUEST["C_email"];}
if (isset($_REQUEST["C_telephone"])) {$C_telephone = $_REQUEST["C_telephone"];}
if (isset($_REQUEST["cardtype"])) {$cardtype = $_REQUEST["cardtype"];}
if (isset($_REQUEST["C_cardnumber"])) {$C_cardnumber = $_REQUEST["C_cardnumber"];}
if (isset($_REQUEST["C_month"])) {$C_month = $_REQUEST["C_month"];}
if (isset($_REQUEST["C_year"])) {$C_year = $_REQUEST["C_year"];}
if (isset($_REQUEST["autobill"])) {$autobill = $_REQUEST["autobill"];}
if (isset($_REQUEST["autobill_amount"])) {$autobill_amount = $_REQUEST["autobill_amount"];}
if (isset($_REQUEST["title"])) {$title = $_REQUEST["title"];}[/php]

And if I had known about formatting, it would have been like this:

[php]<?php
if (isset($_REQUEST["a"]))
{
    $a = $_REQUEST["a"];
} // $_REQUEST handles POST and GET
if (isset($_REQUEST["logout"]))
{
    $logout = $_REQUEST["logout"];
}
if (isset($_REQUEST["msg"]))
{
    $msg = $_REQUEST["msg"];
}
if (isset($_REQUEST["validate"]))
{
    $validate = $_REQUEST["validate"];
}
if (isset($_REQUEST["keyword"]))
{
    $keyword = $_REQUEST["keyword"];
}
if (isset($_REQUEST["keywords"]))
{
    $keywords = $_REQUEST["keywords"];
}
if (isset($_REQUEST["bid_id"]))
{
    $bid_id = $_REQUEST["bid_id"];
}
if (isset($_REQUEST["bid_amount"]))
{
    $bid_amount = $_REQUEST["bid_amount"];
}
if (isset($_REQUEST["url"]))
{
    $url = $_REQUEST["url"];
}
if (isset($_REQUEST["description"]))
{
    $description = $_REQUEST["description"];
}
if (isset($_REQUEST["submission_id"]))
{
    $submission_id = $_REQUEST["submission_id"];
}
if (isset($_REQUEST["email"]))
{
    $email = $_REQUEST["email"];
}
if (isset($_REQUEST["updatekey"]))
{
    $updatekey = $_REQUEST["updatekey"];
}
if (isset($_REQUEST["account_id"]))
{
    $account_id = $_REQUEST["account_id"];
}
if (isset($_REQUEST["oldtitle"]))
{
    $oldtitle = $_REQUEST["oldtitle"];
}
if (isset($_REQUEST["oldurl"]))
{
    $oldurl = $_REQUEST["oldurl"];
}
if (isset($_REQUEST["olddescription"]))
{
    $olddescription = $_REQUEST["olddescription"];
}
if (isset($_REQUEST["error"]))
{
    $error = $_REQUEST["error"];
}
if (isset($_REQUEST["C_name"]))
{
    $C_name = $_REQUEST["C_name"];
}
if (isset($_REQUEST["C_address"]))
{
    $C_address = $_REQUEST["C_address"];
}
if (isset($_REQUEST["C_city"]))
{
    $C_city = $_REQUEST["C_city"];
}
if (isset($_REQUEST["C_state"]))
{
    $C_state = $_REQUEST["C_state"];
}
if (isset($_REQUEST["C_zip"]))
{
    $C_zip = $_REQUEST["C_zip"];
}
if (isset($_REQUEST["C_email"]))
{
    $C_email = $_REQUEST["C_email"];
}
if (isset($_REQUEST["C_telephone"]))
{
    $C_telephone = $_REQUEST["C_telephone"];
}
if (isset($_REQUEST["cardtype"]))
{
    $cardtype = $_REQUEST["cardtype"];
}
if (isset($_REQUEST["C_cardnumber"]))
{
    $C_cardnumber = $_REQUEST["C_cardnumber"];
}
if (isset($_REQUEST["C_month"]))
{
    $C_month = $_REQUEST["C_month"];
}
if (isset($_REQUEST["C_year"]))
{
    $C_year = $_REQUEST["C_year"];
}
if (isset($_REQUEST["autobill"]))
{
    $autobill = $_REQUEST["autobill"];
}
if (isset($_REQUEST["autobill_amount"]))
{
    $autobill_amount = $_REQUEST["autobill_amount"];
}
if (isset($_REQUEST["title"]))
{
    $title = $_REQUEST["title"];
}
?>[/php]

Escaping before output to prevent XSS is still pretty standard; no-inline-JS headers are slowly killing these attacks as well, though.

Sanitizing before SQL (against SQL injection) was made redundant by parameterized queries 10 years ago.
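The two points in that post, escaping on output and a header that refuses inline script, applied to the per-row Delete form from the first post. This is an added example, not code from the thread: the form markup and the delete_id field are the thread's, while the escape helper name, the CSP value and the sample rows are assumptions (the rows are constructed data standing in for a query result). Nothing here needs anything newer than PHP 5.2; ENT_HTML5 is deliberately avoided because it only appeared in 5.4.

```php
<?php
// Added example (not code from the thread): render the thread's Delete form with
// the id escaped on output, and send a Content-Security-Policy that blocks
// inline script. Helper name, CSP value and sample rows are assumptions.

// ENT_QUOTES so a value placed inside a double- or single-quoted attribute cannot
// break out of it; the charset argument keeps multi-byte input from being
// misinterpreted. Works on PHP 5.2 (no ENT_HTML5, which needs 5.4).
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Headers must go out before any output. With this policy only scripts served
// from this origin run; an injected <script> or onclick= is refused by the browser.
header("Content-Security-Policy: default-src 'self'");
header('Content-Type: text/html; charset=UTF-8');

// Constructed sample rows. The second id is what an attacker who could influence
// the stored data would want echoed unescaped into value="...".
$rows = array(
    array('id' => 42, 'name' => 'Apples'),
    array('id' => '"><script>alert(1)</script>', 'name' => 'Tampered'),
);

echo "<table>\n";
foreach ($rows as $row) {
    echo '<tr><td>' . e($row['name']) . '</td><td>';
    echo '<form action="data/delete_special.php" method="post">';
    // Escaped, the second row renders as value="&quot;&gt;&lt;script&gt;..." and stays
    // inside the attribute; the original value=" <?php echo $row['id']; ?>" did not escape.
    echo '<input type="hidden" name="delete_id" value="' . e($row['id']) . '" />';
    echo '<input type="submit" value="Delete" />';
    echo '</form></td></tr>' . "\n";
}
echo "</table>\n";
```

The escaping is the layer that actually fixes the bug; the CSP header is the second net the post refers to, for the day someone forgets to call e() on a new field. Note that ids coming out of an integer column would never contain markup, so the tampered row is only there to show what the helper does with hostile input.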

[quote]Sanitizing before SQL (against SQL injection) was made redundant by parameterized queries 10 years ago.[/quote]
I won't argue that, but it's still common practice. If you search for a tutorial that involves PHP/MySQL this very day, 9 times out of 10 they'll be using deprecated MySQL, not MySQLi or PDO.

Yeah, the people writing those posts and tutorials sure are helping out the PHP community.
