deleting posts

**hmsnacker123** · 07-01-2008, 05:13 PM

Hi, i have a guestbook, and i want to delete the posts if needed when logged in as an admin (already done the admin login part), and i want a little image of link that deletes the corrospondfing entry, and i want this to go autmaticcly on each post. thanks.

**boogyman** · 07-01-2008, 05:36 PM

Code:

DELETE FROM _msg_table_ WHERE _post_id_ = _number_

you need to know the name of the table the messages are stored. you would also need to know the field that is unique to the message, and the unique value of the message.

placing this "delete" button on each post can be parsed automatically when the page loads, provided that the developer (you) know the path to script that will run the delete command, and that you know the unique value of that specific post (which you should grab with each post)

**hmsnacker123** · 07-01-2008, 05:44 PM

hmm..

Code:

DELETE FROM _msg_table_ WHERE _post_id_ = _number_

.. thanks for that.

you need to know the name of the table the messages are stored. you would also need to know the field that is unique to the message, and the unique value of the message.

i know my table name (guestbook), where do i put / get the unique value of the script?

placing this "delete" button on each post can be parsed automatically when the page loads, provided that the developer (you) know the path to script that will run the delete command, and that you know the unique value of that specific post (which you should grab with each post)

how would i grab it, also how would i write the script (im a newbie at php :s )

**hmsnacker123** · 07-01-2008, 07:33 PM

wait i have this:

PHP Code:


if($_REQUEST['action']=="del")

{

mysql_query("DELETE FROM guestbook WHERE id={$_REQUEST['id']};");

}

do you think this'll work?

**hmsnacker123** · 07-01-2008, 08:23 PM

Wait never mind, i have done it..

thanks for the sql code (^^) though it helped !

**techietim** · 07-01-2008, 08:47 PM

Originally Posted by hmsnacker123

wait i have this:

PHP Code:


if($_REQUEST['action']=="del")
{
mysql_query("DELETE FROM guestbook WHERE id={$_REQUEST['id']};");
}

do you think this'll work?

This is very insecure. A rouge user could put nasty SQL into that query, and possibly delete your whole database. The following is more secure:

PHP Code:


if($_REQUEST['action']=="del")
{
$id = mysql_real_escape_string($_REQUEST['id']);
mysql_query("DELETE FROM guestbook WHERE id={$id};");
}

**Nile** · 07-01-2008, 08:48 PM

Better to use get then request, for people who don't know why the above script doesn't work:

PHP Code:


if($_GET['action']=="del")
{
$query = mysql_query("DELETE FROM `guestbook` WHERE `id`='{$_REQUEST['id']}'")or die(mysql_error());
}

That should do it.

**boogyman** · 07-01-2008, 09:11 PM

Originally Posted by Nile

Better to use get then request, for people who don't know why the above script doesn't work:

PHP Code:


if($_GET['action']=="del")
{
$query = mysql_query("DELETE FROM `guestbook` WHERE `id`='{$_REQUEST['id']}'")or die(mysql_error());
}

That should do it.

not that there aren't enough replies to this, but i thought i would explain what Nile meant by his reply

$_REQUEST['id']

$_REQUEST is a super global variable inherent to the PHP language, meaning that its always available. If you have done any work with PHP or virtually any web scripting language you probably have heard the term GET or POST method, well the REQUEST method is in the same categorization as those, except has a broader scope. Meaning that REQUEST will capture any data that is sent through both the GET or POST method, however it will also capture data from the COOKIE as well. Personally I never like to use REQUEST, because it is too vague and has the potential to catch a lot more "garbage" (malicious) code.

I would suggest that instead you use either $_POST['id'] or $_GET['id'] because those are specific to the script and location of the variable you are trying to access. If you were doing this "delete" through a link on every post, it would probably be alot easier to use the GET method, because its embedded right into the url... eg

Code:

<a href="http://domain.com/delPost.php?id=34509834009128340">Delete Post</a>

where as if you were to do it as a slightly more secure, but not really POST method, it would look something along the lines of

Code:

<form name="something" action="http://domain.com/delPost.php" method="POST">
<fieldset>
<input type="hidden" name="id" value="34509834009128340">
<input type="submit" name="submit" value="Delete Post">
</fieldset>
</form>

as you can see... just in sheer coding, its probably easier to do with the link (GET) method.

**hmsnacker123** · 07-02-2008, 11:29 PM

Thanks for all of the replies !, my final script is this.. is this the securest?

if($_GET['action']=="del")
{
$id = mysql_real_escape_string($_GET['id']);
mysql_query("DELETE FROM guestbook WHERE id={$id};");
}

??

**techietim** · 07-02-2008, 11:49 PM

Originally Posted by hmsnacker123

Thanks for all of the replies !, my final script is this.. is this the securest?

if($_GET['action']=="del")
{
$id = mysql_real_escape_string($_GET['id']);
mysql_query("DELETE FROM guestbook WHERE id={$id};");
}

??

Using $_GET for something like this is insecure. Read about that here:
http://en.wikipedia.org/wiki/Cross_Site_Request_Forgery

Thread: deleting posts

Thread Tools

Search Thread

deleting posts

Bookmarks

Bookmarks

Posting Permissions