PHP
Nikolai Khoziashev, 2020-12-15 06:31:30

DELETE FROM list WHERE id = 'row id in the to-do list'. How can I specify this id?

delete.php:

$id = $_GET['notesDelete']; //?
$dbc = mysqli_connect('localhost', 'root', '', 'notes')
    or die('Connect error...');
$query = "DELETE FROM note WHERE id = '$id'"; //?
$result = mysqli_query($dbc, $query);
mysqli_close($dbc);


index.php:

<a href="delete.php?id=notesDelete=' . $row['id']  . '"><button>-</button></a> //?

3 answer(s)
FirststepsRu, 2020-12-15
@The_Last_Dot

Error generating URL for deletion

<a href="delete.php?id=notesDelete=' . $row['id']  . '">

There is an erroneous id=notesDelete=N. According to the delete.php code, it should be delete.php?notesDelete=N
But most likely you wanted to do something like
echo "<a href=delete.php?id=",$row['id'],"&notesDelete=1><button>delete</button></a>";

Then delete.php could look like this
<?php
// Reject the request unless an id was passed at all
if (!isset($_GET['id'])) die("Error: not found id parameter");
// Force the id to an integer; anything that is not a number becomes 0
$id = intval($_GET['id']);
if ($id == 0) die("Error: wrong id parameter value");
if (isset($_GET['notesDelete'])) {
    $dbc = mysqli_connect('localhost', 'root', '', 'notes') or die('Connect error...');
    // $id is guaranteed to be an integer here, so it is safe to concatenate
    $query = "DELETE FROM note WHERE id = ".$id;
    $result = mysqli_query($dbc, $query);
    mysqli_close($dbc);
} else {
    die("Error: no any action found");
}

I would like to make an important remark for a beginner. Your original code is not protected from so-called SQL injections. Here is a sample code
<?php
// intval() keeps only a leading integer and turns everything else into 0
$id = intval("SELECT nothing"); var_dump($id);
$id = intval("1312; DELETE something"); var_dump($id);
$h = "DELETE FROM note WHERE id = '$id'";
var_dump($h);
// Without intval(), the raw string is pasted straight into the query text
$id = "10'; DROP DATABASE mysql; SELECT * FROM note WHERE id='1";
$h = "DELETE FROM note WHERE id = '$id'";
var_dump($h);

will display
int(0)
int(1312)
string(34) "DELETE FROM note WHERE id = '1312'"
string(80) "DELETE FROM note WHERE id = '10'; DROP DATABASE mysql; SELECT * from note id='1'"

That is, if an attacker substitutes the text with DROP DATABASE in the URL, he will be able to disrupt the program or get some secret data.
I showed in the code how you can protect yourself from this: cast the input data to the type the work requires, in this case to an integer with intval(). Thus, everything that is not understood will be truncated or converted to 0. For string values, escaping with mysqli_real_escape_string() is mandatory.
But the better practice in this case would be so-called "prepared SQL queries", which alexalexes mentioned but did not explain why they should be used.

alexalexes, 2020-12-15
@alexalexes

1. Prepare the query text with the prepare function.
2. Attach the required query parameters with the bind function.
3. Execute the query with the execute function.
Query failed? Check the errors.
PS: In any unclear situation, read the documentation.
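
Putting the three steps above together, here is delete.php rewritten with a mysqli prepared statement. This is an added example, not code from the question or from either answer; it assumes the same 'notes' database, a 'note' table with an integer 'id' column, and a link of the form delete.php?id=N&notesDelete=1 as FirststepsRu suggested.

```php
<?php
// Added example (not from the original question or answers): delete.php with a
// mysqli prepared statement. Assumes database 'notes', table 'note', integer 'id'
// column, and a link of the form delete.php?id=N&notesDelete=1.

// Make mysqli throw exceptions instead of silently returning false
// (PHP 8.1+ already does this by default).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. Validate the action and the id before touching the database.
if (!isset($_GET['notesDelete'])) {
    http_response_code(400);
    die('Error: no action found');
}
// FILTER_VALIDATE_INT returns false for anything that is not a well-formed
// integer, so "10'; DROP DATABASE mysql; --" is rejected outright rather
// than being silently cast to 10 the way intval() would do.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    die('Error: wrong id parameter value');
}

try {
    $dbc = new mysqli('localhost', 'root', '', 'notes');

    // 2. Prepare: the SQL text contains only a placeholder, never user data.
    $stmt = $dbc->prepare('DELETE FROM note WHERE id = ?');

    // 3. Bind: 'i' sends $id to the server as an integer, separately from the
    //    query text, so the value can never be parsed as SQL.
    $stmt->bind_param('i', $id);

    // 4. Execute and check how many rows were affected (0 means no such id).
    $stmt->execute();
    $deleted = $stmt->affected_rows;

    $stmt->close();
    $dbc->close();
} catch (mysqli_sql_exception $e) {
    // Log the real error on the server; do not show it to the browser.
    error_log('delete.php: ' . $e->getMessage());
    http_response_code(500);
    die('Error: could not delete the note');
}

echo $deleted === 1 ? 'Note deleted' : 'No note with that id';

// In index.php the link must interpolate the id, not quote it as a literal:
// echo '<a href="delete.php?id=' . (int)$row['id'] . '&notesDelete=1"><button>-</button></a>';
```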

Alexander Lykasov, 2020-12-15
@lykasov-aleksandr

Let's play the evil commentator and the good commentator; I'll be the kind one :) Your link is formed incorrectly: you've got the quotes wrong. Look at what kind of link is actually formed. The notesDelete parameter is passed the string ' . $row['id'] . ' instead of $row['id'].
