Member Avatar for davy_yg

I am trying delete data from table, the form method is post. The url http://localhost/RustoleumCustomCMS2/administrator/input_image.php?mode=delete&id=0 (passing mode = delete and id = 0). I wonder why nothing happen. It suppose to delete a row in the database.

    include('../includes/koneksi.php');

    $id = isset($_POST['id']) ? $_POST['id'] : '';  
    $judul = isset($_POST['judul']) ? $_POST['judul'] : ''; 
    $image = isset($_POST['image']) ? $_POST['image'] : '';
    $confirmation = isset($_POST['confirmation']) ? $_POST['confirmation'] : '';  

    //Hapus image


    if (!empty($_REQUEST['mode'])&& !empty($_REQUEST['id']) && $_REQUEST['mode'] == "delete"){
        $id = $_REQUEST['id'];
        $result = mysql_query("DELETE FROM gallery WHERE id =".$id) or die(mysql_error());

        $confirmation = $result ? "Data successfully deleted." : "fail to delete data."; 
    }
  • 3 Contributors
  • 6 Replies
  • 163 Views
  • 1 Hour Discussion Span
  • Latest Post Latest Post by broj1

Recommended Answers

All 6 Replies

Member Avatar for Szabi Zsoldos

Davy,

What does the mysql_error() return at that point?

Member Avatar for davy_yg

it doesn't return anything. I guess it doesn't bypass the condition.

Member Avatar for Szabi Zsoldos

Try this please

if(isset($_GET['mode']) && !empty($_GET['mode']) && $_GET['mode']) == "delete"){
    $id = $_REQUEST['id'];
    $result = mysql_query("DELETE FROM gallery WHERE id =".$id) or die(mysql_error());
    $confirmation = $result ? "Data successfully deleted." : "fail to delete data.";
}
Edited by Szabi Zsoldos
Member Avatar for broj1

A few notes here:

  1. You mix GET and POST method. From URL it seems like your intention is to use GET, from the code it seems like you wanted to use POST; it is nothing wrong with mixing methods but do not do it if not realy needed since it is harder to control
  2. It is recommended to avoid $_REQUEST combined array. It is again not wrong if you use it but only if it is necessary and are careful. $_REQUEST contains data from $_GET, $_POST and $_COOKIE arrays and it might happen that you have same keys in them thus overwriting values.
  3. It is not recommended to use GET method for deleting. It is semantically wrong but more importantly the deleting URL gets cached and can do damage later on (intentionally or unintentionally).
  4. Escape values before using them in a query.

szabizs correctly spotted the error and suggested solution to existing code. I usually have to add my raving about security since this is my field of work :-) (and I had to learn it a hard way).

Edited by broj1
commented: That is correct, I've wanted just to help out him :) +3
Member Avatar for davy_yg

It works. Does id == 0 consider empty ? I am trying figure what i did wrong.

Member Avatar for broj1

The manual for empty says:

Returns FALSE if var exists and has a non-empty, non-zero value. Otherwise returns TRUE.

The following things are considered to be empty:

"" (an empty string)
0 (0 as an integer)
0.0 (0 as a float)
"0" (0 as a string)
NULL
FALSE
array() (an empty array)
$var; (a variable declared, but without a value)

So 0 is empty (sounds a bit strange to me, we need to be careful with this function).

Edited by broj1
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.