
Deleting Child IDs


CloudBreaker


I don't know if "child IDs" is the right terminology, but my head wrapped around the logic.

 

For a hypothetical example:

 

I have a table called "salesmen" with fields for names etc., and all the names would have associated IDs.  I have another table called "sales" and that table would contain information on all the sales particular to the specific salesmen.  Each one of those sales would have its own ID (which would be different from the salesperson's ID because one person would have multiple sales.)

 

Let's say there was a mistake and a sale had to be deleted from the "sales" table.  As you navigate through the webpage you'd be passing the ID of that particular salesperson (http://localhost/salesperson.php?id=15), 15 being that salesperson's ID.  All the sales for this individual are listed in a table (on the web page) and there is a column with a "Delete" link in every row for that sale.  The problem is I've already retrieved the ID from the previous URL (which is 15, the salesperson's ID), and I can't use the typical method to pass the sale ID from the sales table to be deleted.....

 

<td><a href="admin_subfile_delete.php?id=<?php echo $id;?>" onclick="return confirm('Are you sure that you want to delete this sale?');">Delete</a></td>

 

With the above line, I'd be deleting the salesperson, which is no good => (http://localhost/hsa/salesperson_delete.php?id=15).

 

I've tried the following clip of code for a test...but it just doesn't work.  (primary_id is that particular sale's ID).

 

Maybe I'm going about this all wrong...

// connect to the database (dbconfig.php is expected to create $mysqli)
include('dbconfig.php');

// confirm that the 'id' variable has been set
if (isset($_GET['id']) && is_numeric($_GET['id']))
{
// get the 'id' variable from the URL; here it has to be the sale's primary_id
$id = $_GET['id'];

// delete that one record from the database, binding the value from the URL
if ($stmt = $mysqli->prepare("DELETE FROM sales WHERE primary_id = ? LIMIT 1"))
{
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->close();
}
$mysqli->close();
}

 

Edited by CloudBreaker

The problem is I've already retrieved the ID from the previous URL (which is 15, the salesperson's ID), and I can't use the typical method to pass the sale ID from the sales table to be deleted.....

 

<td><a href="admin_subfile_delete.php?id=<?php echo $id;?>" onclick="return confirm('Are you sure that you want to delete this sale?');">Delete</a></td>

 

With the above line, I'd be deleting the salesperson, which is no good => (http://localhost/hsa/salesperson_delete.php?id=15).

...

 

1. salesperson_delete.php has nothing to do with admin_subfile_delete.php. Just because "id" in one file means a salesperson doesn't mean "id" anywhere must only be a salesperson.

2. You know you can put whatever you want in the query string, right? You could call the sales ID "sales_id" or "sid" or "potato", it doesn't matter.


Besides that, it's a really bad idea to delete data upon a GET request. The GET method is meant to retrieve data (hence the name), not change it. Browsers send GET requests all the time, and the user may not even be aware of it. This means there's a huge risk of data loss as well as attacks. For example, I could clear your entire sales table simply by putting a bunch of images on a website (like this one) and waiting for one of your users to come by:

<img src="http://www.yoursite.com/admin_subfile_delete.php?record_id=1" alt="">
<img src="http://www.yoursite.com/admin_subfile_delete.php?record_id=2" alt="">
<img src="http://www.yoursite.com/admin_subfile_delete.php?record_id=3" alt="">
...

This would automatically delete every single record.

 

Also, where do you check if the client is even allowed to delete records? Right now, it seems anybody can do that.

 

I strongly recommend that you choose a more sane approach:

  • Use sessions (or a similar mechanism) to authenticate users and make sure they actually have permission to delete records.
  • Always use POST requests when you want to change data. That is, replace the links with forms.
  • Use an anti-CSRF token to prevent CSRF attacks. So each form needs one hidden field for the token and one submit button. The action URL points to the specific record.

 

// Apparently I already told you this last year, but you chose to ignore it. That's not very smart.

Edited by Jacques1
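The three points above put together, as an added example that is not code from the thread: a delete handler that only acts on an authenticated POST carrying a valid anti-CSRF token, plus the per-row form that replaces the "Delete" link. It assumes login stored 'user_id' and 'can_delete' in the session, that dbconfig.php creates $mysqli, and that the table is sales(primary_id, ...); the file name sale_delete.php and the parameter name "sale_id" are hypothetical.

```php
<?php
// Added example, not code from the thread: a delete handler plus the per-row form that
// follow the three points above. Assumes login stored 'user_id' and 'can_delete' in the
// session, $mysqli comes from dbconfig.php, and the table is sales(primary_id, ...).
// The file name sale_delete.php and the parameter name "sale_id" are hypothetical.
session_start();
include('dbconfig.php');

// 1. Sessions: only an authenticated user with delete permission gets any further
if (empty($_SESSION['user_id']) || empty($_SESSION['can_delete'])) {
    http_response_code(403);
    exit('Not allowed');
}

// 3. One anti-CSRF token per session; the form carries it in a hidden field
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// 2. Only POST changes data. A GET (a link, an <img> tag, a prefetch) deletes nothing.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Constant-time comparison: a forged form on another site cannot know this value
    if (!hash_equals($_SESSION['csrf_token'], (string)($_POST['csrf_token'] ?? ''))) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // The sale's own parameter in the action URL; unrelated to the salesperson's "id"
    $sale_id = filter_input(INPUT_GET, 'sale_id', FILTER_VALIDATE_INT);
    if ($sale_id === false || $sale_id === null) {
        http_response_code(400);
        exit('Bad sale id');
    }
    $stmt = $mysqli->prepare("DELETE FROM sales WHERE primary_id = ? LIMIT 1");
    $stmt->bind_param("i", $sale_id);
    $stmt->execute();
    $stmt->close();
    header("Location: view.php");  // redirect so a browser refresh cannot repeat the delete
    exit;
}
?>
<!-- This form belongs in the row loop of salesperson.php; $sale is one row of the listing
     query (assumed). One hidden token field, one submit button, action URL names the record. -->
<form method="post" action="sale_delete.php?sale_id=<?php echo (int)$sale['primary_id']; ?>"
      onsubmit="return confirm('Are you sure that you want to delete this sale?');">
  <input type="hidden" name="csrf_token"
         value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
  <button type="submit">Delete</button>
</form>
```

With the token check in place, the `<img src=...?record_id=1>` page described above only produces 403 responses, and a plain GET to the handler never reaches the DELETE.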

I would use these lines so the ID would not show up in the browser.

 

// redirect user after delete is successful (exit so nothing runs after the redirect)
header("Location: view.php");
exit;
}
else
{
// if the 'id' variable isn't set, redirect the user
header("Location: view.php");
exit;
}

 

I do use session variables.  I was just trying to focus on deleting a record.

 

 

You have to use $_GET['id'] if you're passing an ID to another page...

<?php

// connect to the database (connect-db.php is expected to create $mysqli)
include('connect-db.php');

// confirm that the 'id' variable has been set
if (isset($_GET['id']) && is_numeric($_GET['id']))
{
// get the 'id' variable from the URL
$id = $_GET['id'];

// delete record from database, binding the id as an integer
if ($stmt = $mysqli->prepare("DELETE FROM players WHERE id = ? LIMIT 1"))
{
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->close();
}
else
{
echo "ERROR: could not prepare SQL statement.";
}
$mysqli->close();

// redirect user after delete is successful (exit so nothing runs after the redirect)
header("Location: view.php");
exit;
}
else
{
// if the 'id' variable isn't set, redirect the user
header("Location: view.php");
exit;
}

?>

I have to unlearn some of the bad habits I have learned from all these online classes then.  Until I correct these bad habits, you can label me "the town idiot".  Jacques1, I use prepared statements now, and you are the one that suggested I always do so to avoid SQL injections, so I'm not a total loss... and it's not that I don't care, it's because I'm having a hard time wrapping my head around a certain concept.

Edited by CloudBreaker