
Hi,

I am driving myself mad. I have not posted the full code, but I am wondering if someone can help.

I am testing a deletion of a record and file using the code below.

The problem I am having is that although I deliberately remove the variable $id from the where clause in the delete query, it still echoes out "file and record deleted successfully". Without the $id variable in the where clause it should fail and echo out "Unable to delete file and record because ID was not found", because the query could not delete the record; the problem is it does not, and just echoes out "record and file deleted successfully". I must be overlooking something, as I just can't figure out what I am doing wrong. I have altered the code about 10 times using different methods and I always get the same problem as described above. I have left the variable $id in the where clause just for clarification, but when testing I deliberately remove it to make it fail.

<?php
# if delete button has been submitted delete record
if(isset($_POST['delete'])){
    # file path
    $filepath = '../files/'.$row[1];

    # If file is readable and exists
    if(is_readable($filepath)){
        # delete record
        $delete = mysql_query("DELETE FROM databasemanager
                WHERE id = '$id' LIMIT 1 ");

        # check if row found and query ok
        if(!$delete){
            $SiteErrorMessages = 'Unable to delete file and record because ID was not found <br /><b>'.mysql_error().'</b>';
            SiteErrorMessages();
        } else {
            # delete file
            $deletefile = unlink($filepath);

            # if delete file ok
            if($deletefile){
                $SiteSuccessMessages =
                "Record and file deleted successfully!
                <br /> This page will automatically redirect in 8 seconds.
                Click <a href=\"index.php\">here</a> to redirect immediately.";
                SiteSuccessMessages();
                header("refresh: 8; url=index.php");
            } else {
                $SiteErrorMessages =
                'Record deleted but file could not be deleted. <br />
                This is usually because of file permissions.
                Please delete the file manually';
                SiteErrorMessages();
            }
        }
    } else {
        # else file is not readable or does not exist.
        $SiteErrorMessages = "Error: File is not readable or does not exist. Check that the file exists in the <b>files</b> folder";
        SiteErrorMessages();
    }
}
?>

I did originally try the code below, again removing the variable $id from the where clause, this time using mysql_num_rows; I get a MySQL invalid resource link error. But I think that's because I am deleting and not selecting from the database.

<?php
# if delete button has been submitted delete record
if(isset($_POST['delete'])){
    # file path
    $filepath = '../files/'.$row[1];

    # If file is readable and exists
    if(is_readable($filepath)){
        # delete record
        $delete = mysql_query("DELETE FROM databasemanager
                WHERE id = '$id' LIMIT 1 ");

        if(mysql_num_rows($delete) > 0){
            # delete file
            $deletefile = unlink($filepath);

            # if delete file ok
            if($deletefile){
                $SiteSuccessMessages =
                "Record and file deleted successfully!
                <br /> This page will automatically redirect in 8 seconds.
                Click <a href=\"index.php\">here</a> to redirect immediately.";
                SiteSuccessMessages();
                header("refresh: 8; url=index.php");
            } else {
                $SiteErrorMessages =
                'Record deleted but file could not be deleted. <br />
                This is usually because of file permissions.
                Please delete the file manually';
                SiteErrorMessages();
            }
        }
    } else {
        # else file is not readable or does not exist.
        $SiteErrorMessages = "Error: File is not readable or does not exist. Check that the file exists in the <b>files</b> folder";
        SiteErrorMessages();
    }
}
?>

Any help much appreciated.

Thanks
PHPLOVER



I hope you set the variable $id in code you have not shown yet, and cleaned it with htmlentities() and addslashes(). If you are counting on register_globals in PHP, you are creating a huge security leak. Anyway, to solve your problem, you first need to select the row, check whether there is a row with that id (num_rows > 0) and then delete it:

$q1 = "SELECT * FROM databasemanager WHERE id='".$id."' LIMIT 1";
$r1 = mysql_query($q1) or die("Could not retrieve row. 1");

if (mysql_num_rows($r1) > 0) { // If the id exists

    $q2 = "DELETE FROM databasemanager WHERE id='".$id."' LIMIT 1 ";
    $r2 = mysql_query($q2) or die("Could not delete row. 2");

    // The rest of your code...

}

~G
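A worked version of the check that both the question and this answer are circling, added here as an editor's example rather than code from the thread. It assumes a mysqli connection to the `databasemanager` table with an integer `id` column and a `filename` column (the column the question reads as `$row[1]`), a `files` directory next to the script, and assumed connection credentials; the helper name `deleteRecordAndFile` is also an assumption. What it demonstrates: a DELETE whose WHERE clause matches nothing still succeeds, so a true return from the query call says nothing about whether a row existed, and the affected row count is the value to test. The id is bound as a parameter instead of being interpolated into the SQL, which removes the need for the addslashes() cleaning this answer mentions.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection to a
// `databasemanager` table (integer `id`, string `filename`) and a `files`
// directory beside this script; credentials below are placeholders.
declare(strict_types=1);

const FILES_DIR = __DIR__ . '/../files';

/**
 * Delete the record with the given id and the file it refers to.
 * Returns 'deleted', 'not_found', 'file_missing' or 'file_error';
 * database errors are raised as mysqli_sql_exception (see mysqli_report below).
 */
function deleteRecordAndFile(mysqli $db, int $id): string
{
    // 1. Fetch the filename with a prepared statement: $id is bound as an
    //    integer, so it never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT filename FROM databasemanager WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($filename);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return 'not_found';
    }

    // 2. Confine the file path to the files directory before touching it.
    //    basename() drops any directory components stored in the database and
    //    the realpath() comparison makes the containment check explicit.
    $base = realpath(FILES_DIR);
    $path = realpath(FILES_DIR . '/' . basename((string) $filename));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_readable($path)) {
        return 'file_missing';
    }

    // 3. Delete the row. A DELETE that matches no rows still executes
    //    successfully, so execute() returning true proves nothing; the number
    //    of rows actually removed is reported by affected_rows.
    $stmt = $db->prepare('DELETE FROM databasemanager WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $removed = $stmt->affected_rows;
    $stmt->close();
    if ($removed !== 1) {
        return 'not_found';   // row vanished between step 1 and step 3
    }

    // 4. Only now remove the file, and report a failure here separately.
    return unlink($path) ? 'deleted' : 'file_error';
}

// Usage: throw on SQL errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');   // assumed credentials
$db->set_charset('utf8mb4');

if (isset($_POST['delete'])) {
    // Reject anything that is not an integer before it reaches the query.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    $result = ($id === false || $id === null) ? 'not_found' : deleteRecordAndFile($db, $id);

    $messages = [
        'deleted'      => 'Record and file deleted successfully!',
        'not_found'    => 'Unable to delete file and record because the ID was not found.',
        'file_missing' => 'File is not readable or does not exist in the files folder; nothing was deleted.',
        'file_error'   => 'Record deleted but the file could not be deleted; check file permissions and remove it manually.',
    ];
    echo $messages[$result];
}
```

Testing the affected row count of the DELETE itself, rather than the result of a preceding SELECT, also closes the window in which another request could remove the row between the two queries; the SELECT here exists only to fetch the filename. The file is unlinked after the row is confirmed gone, so a failed unlink maps to the "record deleted but file could not be deleted" message from the original code instead of being mistaken for a missing ID.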


Try using another approach:
For example, add another query that checks ONLY if the ID does exist (SELECT id from databasemanager where '$id' IS NOT NULL); if it returns true then you jump to the next step.
EDIT: as I'm typing, Graphix posted the same answer :)

Edited by MindSter: n/a


Thanks to both of you for your help.

I managed to solve it now.

In reply to: Graphix

I do not program relying on register_globals; I would never rely on register_globals. Also, the $id variable is sanitized, but that is not shown in the code above: before the delete code above is run, it first displays the record and a submit form and asks whether you want to delete the record. If I want to delete the record I press submit, and then the delete code above runs.

Thanks for the help.

PHPLOVER
