
Chapter 10 - Delete a User
3 replies to this topic

#1 willow149 (Newbie, Members, 1 post)

Posted 16 February 2012 - 5:03 PM

Hi All,

I'm currently working in Chapter 10 with the delete user script.

I have followed the code in the book as it is, but when I click "delete" from the view users page I keep getting "this page has been accessed in error".

The only difference that I can see in my code and the book's is that my script is called "delete.php" and the book's is "delete.php". I have changed the name in the script to be correct. Also in the book the DB is named "users" but mine is called "user". The DB connection works fine as I can see my list of registered users.

When I land on the delete a user page I can see my header and the <h2> tag "Delete a user" and my footer but no form to actually delete the user.

My code is below. I'm probably doing something really stupid but any help would be great.

thanks,
Tony.

<?php # Script 10.2 - delete.php

$page_title = 'Delete a User';
include ('_include/header.php');
echo '<h2>Delete a User</h2>';

// Check for a valid user ID, through GET or POST:
if ( (isset($_GET['id'])) && (is_numeric($_GET['id'])) ) { // From view_users.php
    $id = $_GET['id'];
} elseif ( (isset($_POST['id'])) && (is_numeric($_POST['id'])) ) { // Form submission.
    $id = $_POST['id'];
} else { // No valid ID, kill the script.
    echo '<p class="error">This page has been accessed in error.</p>';
    include ('_include/footer.php');
    exit();
}

require_once ('../../mysqli_connect.php');

// Check if the form has been submitted:
if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    if ($_POST['sure'] == 'Yes') { // Delete the record.

        // Make the query:
        $q = "DELETE FROM user WHERE user_id=$id LIMIT 1";
        $r = @mysqli_query ($dbc, $q);
        if (mysqli_affected_rows($dbc) == 1) { // If it ran OK.

            // Print a message:
            echo '<p>The user has been deleted.</p>';

        } else { // If the query did not run OK.
            echo '<p class="error">The user could not be deleted due to a system error.</p>'; // Public message.
            echo '<p>' . mysqli_error($dbc) . '<br />Query: ' . $q . '</p>'; // Debugging message.
        }

    } else { // No confirmation of deletion.
        echo '<p>The user has NOT been deleted.</p>';
    }

} else { // Show the form.

    // Retrieve the user's information:
    $q = "SELECT CONCAT(last_name, ', ', first_name) FROM users WHERE user_id=$id";
    $r = @mysqli_query ($dbc, $q);

    if (mysqli_num_rows($r) == 1) { // Valid user ID, show the form.

        // Get the user's information:
        $row = mysqli_fetch_array ($r, MYSQLI_NUM);

        // Display the record being deleted:
        echo "<h3>Name: $row[0]</h3>
        Are you sure you want to delete this user?";

        // Create the form:
        echo '<form action="delete.php" method="post">
        <input type="radio" name="sure" value="Yes" /> Yes
        <input type="radio" name="sure" value="No" checked="checked" /> No
        <input type="submit" name="submit" value="Submit" />
        <input type="hidden" name="id" value="' . $id . '" />
        </form>';

    } else { // Not a valid user ID.
        echo '<p class="error">This page has been accessed in error.</p>';
    }

} // End of the main submission conditional.

mysqli_close($dbc);

include ('_include/footer.php');
?>

#2 Paul Swanson (Excellent Advisor, Members, 163 posts, Portland, OR, USA)

Posted 16 February 2012 - 5:25 PM

One of your queries is failing. In one of your queries you address table 'user' and in the other one you address 'users', so one of those is looking for a table that doesn't exist.

I always test to see if the query ran okay. $r will tell you:
$q = "DELETE FROM user WHERE user_id=$id LIMIT 1";
$r = @mysqli_query ($dbc, $q);

if (!$r) { // query failed
  echo "<p>Query: $q</p>\n\n<p>MySQL Error: " . mysqli_error ($dbc) . "</p>\n\n"; // or send via mail if you don't want an error visible to users
} else { // query okay
  // do your mysqli_affected_rows() or mysqli_num_rows() statements
}


#3 ericp (Advanced Member, Members, 59 posts, Ho Chi Minh City, Vietnam)

Posted 30 October 2013 - 7:37 AM

Hi,

Just a small curiosity about a note on page 307 regarding this script that says that '... For example, if the query tries to delete the record where the user ID is equal to 42000 (and if that doesn't exist), no rows will be deleted but no MySQL error will occur. Still, because of the checks made when the form is first loaded, it would take a fair amount of hacking by the user to get to that point.'

Does it mean that the primary key number 42000 would NEVER be generated, by default, for the table in the MySQL platform used with PHP? Or what?

And what can make it easily vulnerable?

Thanks

#4 Larry (Administrator/Writer, Administrators, 3,908 posts, State College, PA (USA))

Posted 30 October 2013 - 8:50 AM

Sorry for the confusion. 42000 is just an example number. The greater point is that if you run a DELETE query that doesn't actually delete a record, that won't necessarily create an error.

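The two points raised in this thread, Paul's in #2 (test $r so that a failed query, such as one against a table that does not exist, is not mistaken for a successful one) and Larry's in #4 (a DELETE that matches no row, such as an ID like 42000, affects zero rows without raising any MySQL error), can be handled in one place. The following is an added example, not code from the book or from any post above. It assumes the book's mysqli connection in `$dbc` (from mysqli_connect.php) and the book's table `users` with an integer primary key `user_id`; the function names `valid_user_id()` and `delete_user()` are ours. It also replaces `is_numeric()` with `ctype_digit()`, because `is_numeric()` accepts strings such as `"1e3"`, `" 42"` and `"42.0"` that are not plain IDs, and binds the ID as a prepared-statement parameter so it never becomes part of the SQL text.

```php
<?php
// Added example: a delete helper that separates the three outcomes the thread
// discusses. Assumes $dbc (mysqli) from the book's mysqli_connect.php and a
// table `users` with integer primary key `user_id`. Function names are ours.
require_once ('../../mysqli_connect.php');

// Keep the classic return-value API (no exceptions); every result is checked below.
mysqli_report(MYSQLI_REPORT_OFF);

/**
 * Return the ID as an int, or null if the raw value is not a plain positive integer.
 * ctype_digit() rejects values is_numeric() would accept ("1e3", " 42", "42.0").
 */
function valid_user_id(?string $raw): ?int {
    if ($raw === null || $raw === '' || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return ($id >= 1) ? $id : null;
}

/**
 * Delete one user. Returns 'deleted', 'not_found' or 'error'.
 * Outcome 1 (Paul's point): the query itself fails, e.g. the table name is wrong.
 * Outcome 2 (Larry's point): the query runs fine but matches no row; MySQL reports
 *   no error, only affected rows == 0.
 * Outcome 3: exactly one row was removed.
 * On 'error' the MySQL message goes to the server log, not to the page.
 */
function delete_user(mysqli $dbc, int $id): string {
    $stmt = mysqli_prepare($dbc, 'DELETE FROM users WHERE user_id = ? LIMIT 1');
    if ($stmt === false) { // e.g. "Table 'user' doesn't exist" surfaces here
        error_log('delete_user: prepare failed: ' . mysqli_error($dbc));
        return 'error';
    }
    mysqli_stmt_bind_param($stmt, 'i', $id);
    if (!mysqli_stmt_execute($stmt)) { // query ran and MySQL rejected it
        error_log('delete_user: execute failed: ' . mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);
        return 'error';
    }
    // No error at this point. A non-existent ID simply affects zero rows.
    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return ($affected === 1) ? 'deleted' : 'not_found';
}

// Usage, mirroring the POST branch of delete.php:
$id = valid_user_id($_POST['id'] ?? null);
if ($id === null) {
    echo '<p class="error">This page has been accessed in error.</p>';
} elseif (($_POST['sure'] ?? '') !== 'Yes') {
    echo '<p>The user has NOT been deleted.</p>';
} else {
    switch (delete_user($dbc, $id)) {
        case 'deleted':
            echo '<p>The user has been deleted.</p>';
            break;
        case 'not_found':
            echo '<p class="error">No user with that ID exists.</p>';
            break;
        default:
            // Public message only; the MySQL error and the query text stay in the log.
            echo '<p class="error">The user could not be deleted due to a system error.</p>';
    }
}

mysqli_close($dbc);
?>
```

With the original script's table-name mismatch, `mysqli_prepare()` returns false and the user sees the generic system-error message while the real reason ("Table 'user' doesn't exist") lands in the server log; with a valid but unused ID such as 42000, `delete_user()` returns 'not_found' instead of the script wrongly reporting a system error, and nothing about the query is echoed to the browser in either case.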