Checkbox array to delete mysql data



jnscollier
05-25-2007, 06:21 PM
So I created this very BASIC message system thing within my site. I added a checkbox next to all the inbox messages so users can delete messages by checking the checkbox and hitting delete.

When I test it out though, I don't get any errors but nothing happens (data is not deleted from mysql table). Heck I don't know! I might be doing the whole thing wrong.

Here's the code, any help would be appreciated!


Here's the form part with the checkbox (I have an if stmt separating read and unread msgs)
(working on code - just realized a few things)

And here's the action page
(working on code - just realized a few things)

Twey
05-25-2007, 06:28 PM
Have you checked that $delete_ids contains what you expect it to? Print it and see. Either way, you have deeper problems than that... you haven't validated user input properly. You need to check that a) no reserved MySQL characters appear in the input (mysql_real_escape_string() (http://www.php.net/mysql-real-escape-string) will help here), and b) that all the messages specified in the "delete" parameter belong to the currently logged-in user. If you fail to do the latter, someone could delete messages from other people's inboxes. If you fail to do the former, someone could execute arbitrary commands against your database with the permissions of the PHP script, probably bringing your whole site down.

jnscollier
05-25-2007, 06:36 PM
Frickin a. I know, I just realized that...it just hit me that people can delete inbox items from other users by just deleting their sent items. I have to redesign my table/s. FRICKEN A. I'll get back to this post when I get things squared away.

I'm not really sure what that mysql_real_escape_string() thing is, I'll have to read up on it. Thanks though!

jnscollier
05-25-2007, 10:39 PM
Okay so I changed how I'm going to do things... What I want to do is simply update the field varTodelete with 'y' for the checkboxes (messages) checked.

Here's what I have... it's like the values aren't being passed in the array... and it doesn't update, any insight?

Page with form



echo "<form name=\"deletemessage\" action=\"deletemessage.php?$delete\" method=\"post\">
<input type=\"checkbox\" name=\"delete[]\" value=\"$intMessageId\">
<input type=\"submit\" name=\"submit\" value=\"Delete\" align=\"left\">
</form>";



Action page


<?
if(isset($_POST["delete"])) {$delete = $_POST["delete"];} else {$delete=array();}
for ($i="0"; $i<count($delete); $i++) {
if(!is_numeric($delete[$i])) {$delete[$i]="";}
if(empty($delete[$i])) {unset($delete[$i]);}}

$delete = implode ("<>", $delete);
$delete = "<>".$delete."";
$sql = "Update myPMs set varTodelete = 'y' where intMessageId = $delete";
$res=mysql_query($sql) or die ("Fail to add test_value");

?>

thetestingsite
05-26-2007, 01:39 AM
Try using this instead for the PHP code (based off the snippet you posted above):



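<?php
if (isset($_POST['delete']) && is_array($_POST['delete'])) {
    $delete = $_POST['delete'];

    foreach ($delete as $deleted) {
        // Only plain digit strings may reach the query; skip anything else.
        if (!is_string($deleted) || !ctype_digit($deleted)) {
            continue;
        }
        $sql = "Update myPMs set varTodelete = 'y' where intMessageId = $deleted";
        $res = mysql_query($sql) or die("Fail to add test_value");
    }
}
else {
    // If the array is not set, redirect to the original page.
    header('Location: page.php');
    exit; // stop the script once the redirect header is sent
}
?>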


I think I covered the basis of what you are trying to do, but there may be better ways of doing so.
Anyways, hope this helps.
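
Added example, not part of any post in this thread: the two checks Twey describes (input that cannot alter the query, and messages limited to the logged-in user) applied to the same update, using PDO prepared statements in place of mysql_query and mysql_real_escape_string. The intRecipientId column, $_SESSION['user_id'] and the connection details are assumptions; myPMs, varTodelete, intMessageId and page.php are the names used in the posts above.

```php
<?php
// Added example. Assumed (not from the thread): the intRecipientId column,
// $_SESSION['user_id'] and the constructed DSN and credentials.

// Reduce the raw delete[] value to unique positive integer ids.
function clean_ids($raw): array
{
    if (!is_array($raw)) {
        return [];                      // field missing or sent as a scalar
    }
    $ids = [];
    foreach ($raw as $value) {
        // Rejects nested arrays, "", "-3", "1e3" and "1 OR 1=1".
        if (is_string($value) && ctype_digit($value) && (int) $value > 0) {
            $ids[(int) $value] = true;  // keyed by id to drop duplicates
        }
    }
    return array_keys($ids);
}

// Flag messages as deleted, restricted to rows owned by $userId.
// Returns the number of rows changed.
function flag_deleted(PDO $db, int $userId, array $ids): int
{
    if ($ids === []) {
        return 0;                       // "IN ()" is not valid SQL
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "UPDATE myPMs SET varTodelete = 'y'
          WHERE intRecipientId = ? AND intMessageId IN ($marks)"
    );
    $stmt->execute(array_merge([$userId], $ids));
    return $stmt->rowCount();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    if (!isset($_SESSION['user_id'])) {
        http_response_code(403);        // not logged in: nothing to delete
        exit;
    }
    $db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4',
                  'app_user', 'app_password',  // constructed credentials
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    flag_deleted($db, (int) $_SESSION['user_id'], clean_ids($_POST['delete'] ?? null));
    header('Location: page.php');
    exit;
}
```

Because the owner id sits in the WHERE clause, an id that belongs to another user matches no row and is ignored rather than needing a separate lookup.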

jnscollier
05-26-2007, 02:09 AM
Thanks for the help testingsite, after testing though I think the issue is that the value of the intMessageId is not being stored in the array, hence it's not passing it.

I tried outputting that variable to make sure it displays for each message and it does, just fine. So I know it's pulling the info from the table.

-----

Ended up deleting on a per record basis instead.