Hi I am having a problem with the user ID being set, resulting in not deleting the chosen record.

This is the data being passed in the url from view.php - delete.php http://localhost/crud/delete.php?91 . I have put in an if statement to check if the UserID is set and it fails.

Any help would be appreciated

Thanks

David

page view.php

<?php

include('include/db.php');

if ($result = $mysqli->query("select * FROM users ORDER BY UserID")){


    if ($result->num_rows >0){

            echo"<table border='0' cellpadding='10'>";
            echo "<tr><th>ID</th><th>Name</th><th>User Email</th><th>Update</th><th>Delete</th></tr>";
            while($row = $result->fetch_object())
            {
            echo "<tr>";
            echo "<td>" . $row->UserID . "</td>";
            echo "<td>" . $row->UserFullname . "</td>";
            echo "<td>" . $row->UserEmail . "</td>";
            echo "<td><a href='records.php?" .$row->UserID."'>Update</a></td>";
            echo "<td><a href='delete.php?" .$row->UserID."'>Delete</a></td>";
            echo "</tr>";

            }
            echo "</table>";
    }else {

            echo "No results found";
    }
}else {

        echo "error". $mysqli->error;
}
$mysqli->close();
?>

Page: delete.php

<?php

include('include/db.php');
if (isset($_POST['UserID']) ? $_POST['UserID'] : ""){
// if ($_POST['UserID'] == "true"){


    $stmt = $mysqli->prepare("DELETE FROM users WHERE UserID = ?");
    $stmt->bind_param('i', $_POST['UserID']);
    $stmt->execute(); 
    $stmt->close();
    exit;
}
else 
{
    echo "Error!! UserID not set";
    exit;
}
    $mysqli->close();
    header("location: view.php");

?>
diafol

Perhaps you should specify a key:

 http://localhost/crud/delete.php?user_id=91 

Like:

echo "<td><a href='delete.php?user_id=" .$row->UserID."'>Delete</a></td>";

And then as you're passing this in the querystring, you need...

if (isset($_GET['user_id']) ? $_GET['user_id'] : ""){

However, manipulations should use POST not GET.

Hi Diafol, Thanks for your reply - I have made the changes to $_GET and it works. How can I change this to capture $_POST data, as this was my original idea for security?

Thanks

David

diafol

POST won't really help with security that much as headers can be spoofed.

You can set a form around the table and provide each button with a name and submit type.
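
The form-based approach suggested in the last reply, written out as an added example that is not part of the original thread. It assumes include/db.php creates $mysqli as in the question; the single-script layout, the file name users.php, and the csrf session token and form field are choices made for this example.

```php
<?php
// Added example: list users and delete one via POST from a single script (users.php).
// Assumes include/db.php creates $mysqli; 'csrf' is a name chosen for this example.
session_start();
include('include/db.php');
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject requests that do not carry this session's token.
    $token = isset($_POST['csrf']) && is_string($_POST['csrf']) ? $_POST['csrf'] : '';
    if (!hash_equals($_SESSION['csrf'], $token)) {
        http_response_code(403);
        exit('Invalid request token');
    }
    // The clicked button submits its value as UserID; accept integers only.
    $id = filter_input(INPUT_POST, 'UserID', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Error!! UserID not set');
    }
    $stmt = $mysqli->prepare("DELETE FROM users WHERE UserID = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->close();
    // Redirect before any output so a reload cannot resubmit the delete.
    header('Location: users.php');
    exit;
}

$result = $mysqli->query("SELECT UserID, UserFullname, UserEmail FROM users ORDER BY UserID");
if ($result === false) { error_log($mysqli->error); exit('Query failed'); }
// Escape every value written into the HTML.
$h = function ($s) { return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); };
echo "<form method='post' action='users.php'>";
echo "<input type='hidden' name='csrf' value='" . $h($_SESSION['csrf']) . "'>";
echo "<table border='0' cellpadding='10'>";
echo "<tr><th>ID</th><th>Name</th><th>User Email</th><th>Delete</th></tr>";
while ($row = $result->fetch_object()) {
    echo "<tr>";
    echo "<td>" . $h($row->UserID) . "</td>";
    echo "<td>" . $h($row->UserFullname) . "</td>";
    echo "<td>" . $h($row->UserEmail) . "</td>";
    // One form wraps the table; each row's submit button is named UserID.
    echo "<td><button type='submit' name='UserID' value='" . $h($row->UserID) . "'>Delete</button></td>";
    echo "</tr>";
}
echo "</table></form>";
$mysqli->close();
```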