CloudBreaker Posted December 30, 2015 (edited)

Simply put, I have projects (each with their own unique ID). Each of these projects has multiple files uploaded to it (each of these files has its own ID along with its own table, submittal_files). Typically, if I'm going to delete a record from a table I'll do something like this inside a table data tag...

<a href="submittal-view.php?delete=<?php echo $id;?>" onclick="return confirm('Are you sure you want to delete this file?');">Delete</a>

Then something like this...

if(isset($_GET['delete'])){
    $delete_id = $_GET['delete'];
    mysqli_query($conn, "DELETE FROM whatevertable WHERE file_id = '$delete_id'");
}

The problem is the file I want deleted does not have the same ID as the project ID, and I need to pass the project ID as well. I've tried this with no luck...

<a href="submittal-view.php?id=<?php echo $id;?>&delete=<?php echo $primary_id;?>" onclick="return confirm('Are you sure you want to delete this file?');">Delete</a>

("primary_id" is the ID of that particular file.) The code I have below does not have any errors, because it's not attempting to delete a file row in the table yet. Line 92 is the line I'm having trouble with. I'm still a beginner, so go easy on me.

CB

<?php include_once 'dbconfig.php'; ?>
<?php
session_start();
if(!$_SESSION['user_loginName']){
    header("location: index.php");
} else {
    $project_id=$_SESSION['project_id'];
    if(isset($_GET['id']) && is_numeric($_GET['id'])){
        $edit_id = $_GET['id'];

        //grab discipline
        $name = $_SESSION['firstName'];
        $sel = "SELECT * FROM hsa_users WHERE user_firstName='$name'";
        $run = mysqli_query($conn, $sel);
        $row = mysqli_fetch_array($run);
        $discipline = $row['user_discipline'];
        //End of grab discipline

        //grab submittal No.
        $s = "SELECT * FROM submittals WHERE id='$edit_id'"; //note...it doesn't have to be $sql every time.
        $run = mysqli_query($conn, $s);
        $row = mysqli_fetch_array($run);
        $sub_number = $row['sub_number'];
        //end of grab submittal No.

        $result = mysqli_query($conn, "SELECT * FROM submittal_files WHERE no=$edit_id");
        while($row = mysqli_fetch_array($result, MYSQLI_ASSOC)){
            $primary_id = $row['primary_id'];
            $id = $row['no'];
        }
    }
?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Upload Files</title>
    <link rel="stylesheet" href="rfi-style.css" type="text/css" />
</head>
<body>
<div id="header">
    <label>Submittal No. <?php echo $sub_number;?> File Uploads (<?php echo $_SESSION['projName'];?>) </label>
</div>
<div id="body">
<table width="80%" border="1">
    <tr>
        <th colspan="6">your uploads...<label><a href="submittal-files.php?id=<?php echo $edit_id;?>">upload new files...</a></label></th>
    </tr>
    <tr>
        <td>File Name</td>
        <td>File Type</td>
        <td>File Size(KB)</td>
        <td>View</td>
        <td>Uploaded By</td>
        <td>Action</td>
    </tr>
<?php
    $i = 1;
    $sql = "SELECT * FROM submittal_files WHERE no=$edit_id";
    $result_set = mysqli_query($conn, $sql);
    while($row = mysqli_fetch_array($result_set)) {
?>
    <tr>
        <td><?php echo $row['file'] ?></td>
        <td><?php echo $row['type'] ?></td>
        <td><?php echo $row['size'] ?></td>
        <td><a href="submittal_files/<?php echo $row['file'] ?>" target="_blank">view file</a></td>
        <td><?php echo $row['uploaded_by']?></td>
        <td>
            <a href="submittal-view.php?id=<?php echo $id;?>" onclick="return confirm('Are you sure you want to delete this file?');">Delete</a>
        </td>
    </tr>
<?php } ?>
</table>
</div>
</body>
</html>
<?php } ?>

Edited December 30, 2015 by CloudBreaker
Jacques1 Posted December 30, 2015 (edited)

What exactly is the problem here? Why do you need the project ID in addition to the file ID?

Besides that, your code has fundamental problems, so I recommend you start with the basics before you jump to more advanced stuff:

- Learn how to safely pass values to queries using prepared statements. Right now, anybody can inject malicious SQL commands through the URL parameters.
- Make sure you understand the purpose of GET and POST requests. A GET request is only for retrieving data (hence the name); it must not change data. Right now, anybody could make you delete arbitrary files simply by using an image with a URL like https://yoursite.com/submittal-view.php?delete=123. As your browser makes a request to the URL to retrieve the image data, your server deletes the image. To prevent this, you need to use a POST request together with an anti-CSRF token.
- Do not insert raw values into the HTML markup, as this allows anybody to inject malicious JavaScript code. You need to HTML-escape the strings first.

Edited December 30, 2015 by Jacques1
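The three points in the reply above (prepared statements, POST plus an anti-CSRF token for the delete, HTML-escaping of output), applied to the file list from the question, as an added example that is neither CloudBreaker's nor Jacques1's code. It assumes `$conn` is the mysqli connection from dbconfig.php, the `submittal_files` table with the `primary_id` (file ID) and `no` (submittal ID) columns named in the question, a session that has already been started, and that mysqlnd is available so `get_result()` works. The helper names `h()` and `delete_submittal_file()` are made up for this example. The DELETE is scoped to both IDs, which is the natural way to carry the project/submittal ID along with the file ID:

```php
<?php
// Added example, not the thread's code. Assumes $conn (mysqli) from dbconfig.php
// and the submittal_files table with columns primary_id and no from the question.
session_start();
include_once 'dbconfig.php';

// One random anti-CSRF token per session; every delete form echoes it back.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// HTML-escape helper (hypothetical name): every database or user value
// passes through this before it is printed into markup.
function h($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Deletes one file row (hypothetical helper). Both ids are bound parameters,
// never interpolated, and the WHERE clause requires the file to belong to the
// given submittal, so a file id from another submittal is not touched.
// Returns the number of rows removed (0 or 1).
function delete_submittal_file(mysqli $conn, int $submittal_id, int $file_id): int {
    $stmt = $conn->prepare('DELETE FROM submittal_files WHERE primary_id = ? AND no = ?');
    $stmt->bind_param('ii', $file_id, $submittal_id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// A delete is only accepted as a POST request carrying a valid token, so a
// plain GET (an <img> tag, a link, a prefetch) can no longer remove rows.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'])) {
    $token = is_string($_POST['csrf_token'] ?? null) ? $_POST['csrf_token'] : '';
    if (!hash_equals($_SESSION['csrf_token'], $token)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    $submittal_id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    $file_id      = filter_input(INPUT_POST, 'delete', FILTER_VALIDATE_INT);
    if (!is_int($submittal_id) || !is_int($file_id)) {
        http_response_code(400);
        exit('Bad parameters.');
    }
    delete_submittal_file($conn, $submittal_id, $file_id);
    // Redirect after POST so a browser refresh does not resend the delete.
    header('Location: submittal-view.php?id=' . $submittal_id);
    exit;
}

// The listing is still a GET, but the id is validated and bound, not interpolated.
$submittal_id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($submittal_id)) {
    http_response_code(400);
    exit('Bad submittal id.');
}
$stmt = $conn->prepare('SELECT primary_id, file, type, size, uploaded_by FROM submittal_files WHERE no = ?');
$stmt->bind_param('i', $submittal_id);
$stmt->execute();
$rows = $stmt->get_result();
?>
<table border="1">
<?php while ($row = $rows->fetch_assoc()) { ?>
  <tr>
    <td><?php echo h($row['file']); ?></td>
    <td><?php echo h($row['type']); ?></td>
    <td><?php echo h($row['size']); ?></td>
    <td><?php echo h($row['uploaded_by']); ?></td>
    <td>
      <!-- A form, not a link: both ids and the token travel in the POST body. -->
      <form method="post" action="submittal-view.php"
            onsubmit="return confirm('Are you sure you want to delete this file?');">
        <input type="hidden" name="csrf_token" value="<?php echo h($_SESSION['csrf_token']); ?>">
        <input type="hidden" name="id" value="<?php echo h($submittal_id); ?>">
        <input type="hidden" name="delete" value="<?php echo h($row['primary_id']); ?>">
        <button type="submit">Delete</button>
      </form>
    </td>
  </tr>
<?php } ?>
</table>
```

The `confirm()` dialog stays, but it is now only a convenience: the thing that actually stops a forged delete is the server checking the request method and the token with `hash_equals()`, and the thing that stops SQL injection is that no request value is ever concatenated into a query string.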