Deleting from data base using value from form.

martynball

It all works, but I have to put the "ID" value in the php code. How do I drag in a value from a text field?

PHP:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Administrator Tools</title>
</head>
<body>
<form name="dr" action="scripts/delete-r.php" id="dr">
Delete by ID:<br />
<input type="text" name="ID" size="4">
<br />
<br />
Delete by Name:<br />
<input type="text" name="NAME" size="30">
<br />
<br />
Delete by Email:<br />
<input type="text" name="EMAIL" size="30">
<br />
<br />
Delete by IP(WIP):<br />
<input type="text" name="IP" size="20">
<br />
<input type="submit">
</form>
</body>
</html>

delete.php:
PHP:
<? 
mysql_connect('localhost', 'martynba_martynb', 'password') or die('Error: ' . mysql_error());

mysql_select_db('martynba_comments') or die('Error (DB): ' . mysql_error());

$del = mysql_query("DELETE FROM commentTable WHERE ID='22'");
if (!$del)
    {
    die('Error: ' .mysql_error());
    }
?>

Better yet, is there a way I can add a link to click on each row which will delete that row when displaying the data with this?:
PHP:
<?php
// Connect to the database server
mysql_connect('localhost', 'martynba_martynb', 'password') or die('Error connecting to the database, MySQL returned: ' . mysql_error());
// Select the database
mysql_select_db('martynba_comments') or die('Error selecting database, MySQL returned: ' . mysql_error());

//Build query
$query = mysql_query("SELECT * FROM commentTable");

//Display results
    while ($row = mysql_fetch_array($query)) {
    echo "<br /> ID: " .$row['ID']. 
    "<br /> First Name: ".$row['FNAME'].
    "<br /> Last Name: ".$row['LNAME'].
    "<br /> Phone Number: ".$row['PHON'];}
?>
 

Mr. DOS

Same as you're doing here: use the $_POST global array. Or, you could use $_GET and call the delete like this: delete.php?id=42. That way, you could just link to the delete script from the list of items.

Here's a good article on POST/GET in PHP.

As a rule of thumb, though, anything that changes data should be set up as a POST, and anything that just retrieves data should be a GET. That way, someone can't inadvertently change data by repeatedly making the GET request.

--- Mr. DOS
 

martynball

I don't understand how I would insert the value into the WHERE thingy... is it something like this:

PHP:
<? 
mysql_connect('localhost', 'martynba_martynb', 'password') or die('Error: ' . mysql_error());

mysql_select_db('martynba_comments') or die('Error (DB): ' . mysql_error());

$ID = $_GET['ID'];

$del = mysql_query("DELETE FROM commentTable WHERE ID='.$ID'");
if (!$del)
	{
	die('Error: ' .mysql_error());
	}
?>
 

drf1229

Just some advice: NEVER give out your SQL password. I am warning you: edit your password out of the code ASAP. Anybody can access your databases with your password and username.
Edit:
Although SQL is good to learn, I usually store my comments in a text file and read and write off it for a comments page. I find this way much simpler, though SQL wouldn't hurt to know.
Edit:
martynball said:
I don't understand how I would insert the value into the WHERE thingy... is it something like this:

PHP:
<? 
mysql_connect('localhost', 'martynba_martynb', 'password') or die('Error: ' . mysql_error());

mysql_select_db('martynba_comments') or die('Error (DB): ' . mysql_error());

$ID = $_GET['ID'];

$del = mysql_query("DELETE FROM commentTable WHERE ID='.$ID'");
if (!$del)
    {
    die('Error: ' .mysql_error());
    }
?>
PHP:
$del = mysql_query("DELETE FROM commentTable WHERE ID='".$ID."'");
 

misson

Mr. DOS said:
As a rule of thumb, though, anything that changes data should be set up as a POST, and anything that just retrieves data should be a GET. That way, someone can't inadvertently change data by repeatedly making the GET request.

Very good advice, this. It's part of the REST architectural style. Google turns up plenty of more technical descriptions, should you wish to go deeper.

martynball said:
PHP:
$del = mysql_query("DELETE FROM commentTable WHERE ID='.$ID'");

Almost. You're mixing both string concatenation (via the '.' operator) and string interpolation. You only need one of them:
PHP:
$ID = mysql_real_escape_string($_POST['ID']);
$statement = "DELETE FROM commentTable WHERE ID='$ID'";
// OR 
$statement = "DELETE FROM commentTable WHERE ID='" . $ID . "'";
Note that I also sanitized the input with mysql_real_escape_string to prevent SQL injection (see also "SQL Injection Attacks by Example", "SQL Injection Walkthrough" and "Exploits of a Mom"). You could also cast $_POST['ID'] to an int, but this might inadvertently delete the row with ID 0.
PHP:
// Suppose $_POST['ID'] = "' or 1=1; --"
$ID = (int) $_POST['ID'];
/* $ID is now 0, which prevents the injected code from deleting every comment, 
    but still might delete a comment we don't want to delete.
 */

Nowadays, the preferred way of preventing SQL injection is to use prepared statements, which are well supported by the PDO driver:
PHP:
// manage DB connection in some other file named (e.g.) "localDB.php" with something like:
function localDBConnection() {
    // Create the connection once and reuse it on later calls
    static $db = null;
    if ($db === null) {
        $db = new PDO('mysql:host=localhost;dbname=...', 'username', 'password');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }
    return $db;
}

// in the script
include("localDB.php");
try {
    $db = localDBConnection();
    $query = $db->prepare('DELETE FROM commentTable WHERE ID=?');
    $query->execute(array($_POST['ID']));
    if ($query->rowCount() < 1) {
        // no rows deleted.
        echo "No matching comments, so nothing was deleted.";
    }
} catch (PDOException $exc) {
    echo "Internal database error. It's been logged; we'll look into it.";
    error_log($exc);
}
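
The concatenated query and a validated, parameterized delete, run side by side against the sample input from the post above, as an added example that is not part of the original post. It assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory SQLite table, its sample rows and the function names freshDb, deleteConcatenated, deleteValidated and rowsLeft are constructed for illustration and stand in for the thread's MySQL commentTable.

```php
<?php
// Added example: a constructed in-memory SQLite table stands in for the
// thread's MySQL commentTable so the script runs offline (php example.php).
function freshDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE commentTable (ID INTEGER PRIMARY KEY, NAME TEXT, MESSAGE TEXT)');
    $db->exec("INSERT INTO commentTable (ID, NAME, MESSAGE) VALUES
               (1, 'alice', 'first'), (2, 'bob', 'second'), (3, 'carol', 'third')");
    return $db;
}

// "Before": user input concatenated into the statement, as in the early posts.
function deleteConcatenated(PDO $db, string $id): int {
    return $db->exec("DELETE FROM commentTable WHERE ID='" . $id . "'");
}

// "After": refuse anything that is not a positive integer, then bind it.
// Returns the number of rows deleted, or null when the input is refused.
function deleteValidated(PDO $db, $id): ?int {
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // unlike (int) $id, bad input is never coerced to 0
    }
    $stmt = $db->prepare('DELETE FROM commentTable WHERE ID = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount();
}

function rowsLeft(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM commentTable')->fetchColumn();
}

$payload = "' or 1=1; --"; // the sample input quoted in the post above

// Concatenation: the payload rewrites the WHERE clause.
$db = freshDb();
deleteConcatenated($db, $payload);
echo 'concatenated, payload: ', rowsLeft($db), " rows left\n";

// Validation plus a bound parameter: the payload is refused, a real ID works.
$db = freshDb();
var_dump(deleteValidated($db, $payload));
echo 'validated, payload:    ', rowsLeft($db), " rows left\n";
var_dump(deleteValidated($db, '2'));
echo 'validated, ID 2:       ', rowsLeft($db), " rows left\n";
```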
 

martynball

:( It isn't working :/

And cheers, I have edited my posts, I forgot to remove the password, please could you edit your quote.

And another thing, how can I make this:
//Display results
echo "<table class=\"comment-table\">";
echo "<tr>";
echo "<td class=\"comment-name\">Posted by: $name<div class=\"comments-date\">$today</div></td>";
echo "</tr>";
echo "<tr>";
echo "<td class=\"comment-message\">$message";
echo "</td>";
echo "</tr>";
echo "<tr>";
echo "<td class=\"comment-id\">ID: $id";
echo "<form method=\"post\" action=\"delete.php\" class=\"del-form\"><input name=\"userdel\" type=\"hidden\" value=\"$id\"><input type=\"image\" src=\"../images/del.png\"></form></td>";
echo "</tr>";
echo "</table>";
echo "<br />";
}

Delete the current record?
 

Gouri

What are the errors you are getting?
 

martynball

I'm not getting any, that's the weird thing. I think it is just not finding the correct values etc.

http://martynleeball.x10hosting.com/testing/db-m.php

Instead of doing that, could I just use this:
//Display results
echo "<table class=\"comment-table\">";
echo "<tr>";
echo "<td class=\"comment-name\">Posted by: $name<div class=\"comments-date\">$today</div></td>";
echo "</tr>";
echo "<tr>";
echo "<td class=\"comment-message\">$message";
echo "</td>";
echo "</tr>";
echo "<tr>";
echo "<td class=\"comment-id\">ID: $id";
echo "<form method=\"post\" action=\"delete.php\" class=\"del-form\"><input name=\"userdel\" type=\"hidden\" value=\"$id\"><input type=\"image\" src=\"../images/del.png\"></form></td>";
echo "</tr>";
echo "</table>";
echo "<br />";
}

So I can click the form and delete the record?
 

Gouri

In the form, is any one field required, or are all the fields compulsory? Because I gave an ID value, and clicking submit gives a parse error:

Parse error: syntax error, unexpected '=' in /home/martynba/public_html/testing/delete.php on line 2
 

Gouri

Can you attach the "delete.php"? I want to see how you are handling the variables. Just change the password to test123 and attach it here.
 

martynball

PHP:
<?php
//Connect to database
mysql_connect('localhost', 'martynba_martynb', 'test123') or die('Error: ' . mysql_error());
//Select table
mysql_select_db('martynba_comments') or die('Error (DB): ' . mysql_error());

$ID = mysql_real_escape_string($_GET['ID']);
$statement = "DELETE FROM commentTable WHERE ID='$ID'";
// OR 
$statement = "DELETE FROM commentTable WHERE ID='".$ID."'"; 
if (!$statement)
	{	
	die('Error: ' .mysql_error());
	}
?>
 

Gouri

martynball said:
PHP:
<?php
//Connect to database
mysql_connect('localhost', 'martynba_martynb', 'test123') or die('Error: ' . mysql_error());
//Select table
mysql_select_db('martynba_comments') or die('Error (DB): ' . mysql_error());

$ID = mysql_real_escape_string($_GET['ID']);
$statement = "DELETE FROM commentTable WHERE ID='$ID'";
// OR 
$statement = "DELETE FROM commentTable WHERE ID='".$ID."'"; 
if (!$statement)
	{	
	die('Error: ' .mysql_error());
	}
?>


Here, where are you executing the statement? You just made a statement, but are not sending it as a query to MySQL.

You have to give this instead of that last "if" condition.

Code:
if (!mysql_query($statement))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record deleted";

mysql_close();
 

Gouri

Ok.

In the above code you posted, after $statement, the status is that the statement variable contains the query as a string.

But where are you executing it?

To execute the statement you have to give mysql_query($statement).
 

martynball

So, I make it like this?:

PHP:
<?php 
//Connect to database 
mysql_connect('localhost', 'martynba_martynb', 'test123') or die('Error: ' . mysql_error());
//Select table
mysql_select_db('martynba_comments') or die('Error (DB): ' . mysql_error());

$ID = mysql_real_escape_string($_GET['ID']);
$statement = "DELETE FROM commentTable WHERE ID='$ID'";
// OR
$statement = "DELETE FROM commentTable WHERE ID='".$ID."'";
$result = mysql_query($statement);
if (!$statement)
    {
    die('Error: ' . mysql_error());
    } 
?>
 

Gouri

Code:
<?php  
//Connect to database  
mysql_connect('localhost', 'martynba_martynb', 'test123') or die('Error: ' . mysql_error());
//Select table
mysql_select_db('martynba_comments') or die('Error (DB): ' . mysql_error());

$ID = mysql_real_escape_string($_GET['ID']);
$statement = "DELETE FROM commentTable WHERE ID='$ID'";
// OR
$statement = "DELETE FROM commentTable WHERE ID='".$ID."'";
$result = mysql_query($statement);
if (!$result)
    {
    die('Error: ' . mysql_error());
    }  
?>

This is proper.

Just a small change: the $result should be there in the "if" condition.
 

martynball

Code:
<form action="delete.php" method="post">
<input type="text" name="ID" />
<input type="submit" />
</form>

PHP:
<?php
//Connect to database
mysql_connect('localhost', 'martynba_martynb', 'test123') or die('Error: ' . mysql_error());
//Select table
mysql_select_db('martynba_comments') or die('Error (DB): ' . mysql_error());

// The form above submits with method="post", so read the value from $_POST
$ID = mysql_real_escape_string($_POST['ID']);
$statement = "DELETE FROM commentTable WHERE ID='$ID'";
// OR
$statement = "DELETE FROM commentTable WHERE ID='".$ID."'";
$result = mysql_query($statement);
if (!$result)
    {
    die('Error: ' . mysql_error());
    }  
?>

So, now, if I type the ID number into the form, and hit submit, the row will be deleted? Or just the ID?

I have 4 columns with the primary key of ID.
ID, NAME, EMAIL, MESSAGE

(Form is just rough code written from memory)
I can't test at the moment because for some reason at my college, some computer rooms have Dreamweaver on and some don't... I am in a room with Dreamweaver at the moment, and the FTP client sucks so I ain't downloading and uploading...
 

Gouri

The entire row will be deleted.


Use the FileZilla client, it is better...
 

martynball

Awesome, that's what I want. Now to adapt it so I can click an image to delete the record, but I know how to do that.

I use that at home. Can't install things on these computers though. They have some stupid cheap thing which looks like it was coded by a code noob, like me :)

Their crappy FTP thing isn't even on the computer in this room :/ This college needs to sort out its system.
 