Deleting IDs associated with a parent ID


CloudBreaker


Simply put, I have projects (each with their own unique ID). Each of these projects has multiple files uploaded to it (each of these files has its own ID, along with its own table, submittal_files). Typically, if I'm going to delete a record from a table, I'll do something like this inside a table data tag...

 

<a href="submittal-view.php?delete=<?php echo $id;?>" onclick="return confirm('Are you sure you want to delete this file?');">Delete</a>

 

Then something like this...

 

if(isset($_GET['delete'])){
    $delete_id = $_GET['delete'];

    mysqli_query($conn, "DELETE FROM whatevertable WHERE file_id = '$delete_id'");
}

 

The problem is that the file I want deleted does not have the same ID as the project, so I need to pass the project ID as well.

 

I've tried this with no luck...

 

<a href="submittal-view.php?id=<?php echo $id;?>delete=<?php echo primary_id;?>" onclick="return confirm('Are you sure you want to delete this file?');">Delete</a>

 

("primary_id" is the id to that particular file).

 

 

The code I have below does not have any errors, because it's not attempting to delete a file row in the table yet.

 

Line 92 is the line I'm having trouble with.

 

I'm still a beginner, so go easy on me.

 

CB

<?php
include_once 'dbconfig.php';
?>

<?php
session_start(); 

	if(!$_SESSION['user_loginName']){
	header("location: index.php");
	}
	else {
	
	$project_id=$_SESSION['project_id'];	
	
	
	if(isset($_GET['id']) && is_numeric($_GET['id'])){
	
	
	$edit_id = $_GET['id'];
	
	//grab discipline
	$name = $_SESSION['firstName'];
	
	
	$sel = "SELECT * FROM hsa_users WHERE user_firstName='$name'";
	$run = mysqli_query($conn, $sel);
	
	$row = mysqli_fetch_array($run);
	$discipline = $row['user_discipline'];
	//End of grab discipline
	//grab submittal No.
	$s = "SELECT * FROM submittals WHERE id='$edit_id'"; //note...it doesn't have to be $sql everytime.
	$run = mysqli_query($conn, $s);
	
	$row = mysqli_fetch_array($run);
	$sub_number = $row['sub_number'];
	//end of grab submittal No.
	
	$result = mysqli_query($conn,"SELECT * FROM submittal_files WHERE no=$edit_id");
	
		
	while($row = mysqli_fetch_array($result, MYSQLI_ASSOC)){
		$primary_id	=$row['primary_id'];
		$id			=$row['no'];
		
		}	
	}
	
		
	
?>

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Upload Files</title>
<link rel="stylesheet" href="rfi-style.css" type="text/css" />
</head>
<body>
<div id="header">
<label>Submittal No. <?php echo $sub_number;?> File Uploads (<?php echo $_SESSION['projName'];?>) </label>
</div>
<div id="body">
	<table width="80%" border="1">
    <tr>
    <th colspan="6">your uploads...<label><a href="submittal-files.php?id=<?php echo $edit_id;?>">upload new files...</a></label></th>
    </tr>
    <tr>
    <td>File Name</td>
    <td>File Type</td>
    <td>File Size(KB)</td>
    <td>View</td>
	<td>Uploaded By</td>
	<td>Action</td>
    </tr>
    <?php
	$i=1;
	$sql="SELECT * FROM submittal_files WHERE no=$edit_id";
	$result_set=mysqli_query($conn,$sql);
	while($row=mysqli_fetch_array($result_set))
	{
		?>
        <tr>
        <td><?php echo $row['file'] ?></td>
        <td><?php echo $row['type'] ?></td>
        <td><?php echo $row['size'] ?></td>
        <td><a href="submittal_files/<?php echo $row['file'] ?>" target="_blank">view file</a></td>
		<td><?php echo $row['uploaded_by']?></td>
		<td>
			<a href="submittal-view.php?id=<?php echo $id;?>"onclick="return confirm('Are you sure you want to delete this file?');">Delete</a>
		</td>
		
        </tr>
     <?php 
	}
	?>
	
	
		
		
	
    </table>
    
</div>
</body>
</html>

<?php } ?>     

What exactly is the problem here? Why do you need the project ID in addition to the file ID?

 

Besides that, your code has fundamental problems, so I recommend you start with the basics before you jump to more advanced stuff:

  • Learn how to safely pass values to queries using prepared statements. Right now, anybody can inject malicious SQL commands through the URL parameters.
  • Make sure you understand the purpose of GET and POST requests. A GET request is only for retrieving data (hence the name), it must not change data. Right now, anybody could make you delete arbitrary files simply by using an image with a URL like https://yoursite.com/submittal-view.php?delete=123. As your browser makes a request to the URL to retrieve the image data, your server deletes the image. To prevent this, you need to use a POST request together with an anti-CSRF token.
  • Do not insert raw values into the HTML markup as this allows anybody to inject malicious JavaScript code. You need to HTML-escape the strings first.
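The three points above put together in one PHP handler, as an added example that is not code from the thread. It assumes $conn is the mysqli connection from dbconfig.php, that submittal_files has the columns primary_id (the file) and no (the parent submittal) as in the original post, and it introduces hypothetical helpers e() and delete_form().

```php
<?php
// Added example, not from the thread. Assumes $conn (mysqli) comes from
// dbconfig.php and submittal_files has primary_id (file) and no (parent
// submittal) as in the original post; e() and delete_form() are hypothetical.
session_start();
include_once 'dbconfig.php';

// One random token per session, compared with hash_equals() (constant time).
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function e(string $s): string {          // HTML-escape before output
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Deletion happens only on POST, so a GET such as <img src="...?delete=123">
// placed on another site cannot trigger it; the token blocks forged POSTs.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'])) {
    if (!hash_equals($_SESSION['csrf_token'], (string)($_POST['csrf_token'] ?? ''))) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    $file_id   = filter_input(INPUT_POST, 'delete', FILTER_VALIDATE_INT);
    $parent_id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if (!is_int($file_id) || !is_int($parent_id)) {
        http_response_code(400);
        exit('Bad id.');
    }
    // Prepared statement: both ids are bound parameters, never pasted into SQL.
    // Matching file AND parent is how the two ids from the question travel together;
    // still check that $parent_id belongs to $_SESSION['project_id'] (not shown).
    $stmt = $conn->prepare('DELETE FROM submittal_files WHERE primary_id = ? AND no = ?');
    $stmt->bind_param('ii', $file_id, $parent_id);
    $stmt->execute();            // $stmt->affected_rows is 0 if no such file/parent pair
    $stmt->close();
    header('Location: submittal-view.php?id=' . $parent_id);
    exit;
}

// Per-row delete control: a small POST form instead of a bare <a href> link.
function delete_form(int $file_id, int $parent_id, string $token): string {
    return '<form method="post" action="submittal-view.php"'
         . ' onsubmit="return confirm(\'Are you sure you want to delete this file?\');">'
         . '<input type="hidden" name="csrf_token" value="' . e($token) . '">'
         . '<input type="hidden" name="id" value="' . $parent_id . '">'
         . '<input type="hidden" name="delete" value="' . $file_id . '">'
         . '<button type="submit">Delete</button></form>';
}
```

In the table loop, replace the Delete link with `echo delete_form((int)$row['primary_id'], (int)$row['no'], $_SESSION['csrf_token']);` and wrap every other `echo $row[...]` in e().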
