Problem with implementing forms in PHP while loop

I am trying to create automatic delete buttons for every post in my site.

For that, I am using the following line of code inside a while loop. It prints every post stored in the database along with a "Delete post" button.

Code:
echo($getStat['statusUpdate']." (<font face='verdana'  size=2px> ".$getStat['time']." </font>) <form method='post'  action='deletepost.php'><input type='hidden' name='postid'  id='postid' value='".$getStat['statusID']."'><input type='submit'  value='Delete post'>");
But whenever I click any "Delete post" button, deletepost.php shows the following output:


Are you sure to delete the following post?

ID=1
Post=Hello world!
Here the ID is always displayed as 1, irrespective of the particular statusID I selected. And the post is always "Hello world!" instead of the corresponding post.

Please note that the details of the 1st "status" stored in my SQL table are:

statusUpdate = Hello world!
statusID = 1

I cannot understand what to do in order to rectify this error. Please help me.

Regards.
 

glennemlee95

Which forum software are you using exactly? Most forum software, even the free ones, have built in systems for deleting posts for admins and moderators.
 

misson

The code sample isn't very readable. Use indentation to show the block structure of PHP and tree structure of HTML. Use [php] (or [html]) rather than [code] to colorize portions of the code.

Code samples (http://sscce.org/) should be complete yet concise.

<font> (http://htmldog.com/guides/htmlintermediate/badtags/) isn't semantic (http://webstyleguide.com/wsg3/5-site-structure/2-semantic-markup.html); don't use it. You should be using CSS to style elements.

echo is a special form, not a function. You don't need parentheses. It's variadic (http://en.wikipedia.org/wiki/Variadic_function), so you don't need to concatenate strings.

You didn't close the form or the inputs in the sample.

PHP:
echo <<<EOS
$getStat[statusUpdate] (<span class="stat">$getStat[time]</span>)
<form method="post" action="deletepost.php">
    <input type="hidden" name="postid" id="postid" value="$getStat[statusID]" />
    <input type="submit" value="Delete post" />
</form>
EOS;
 

gomarc

Hi gdebojyoti.mail96,

The only value you are passing to deletepost.php is $_POST['postid'], so before you do anything else you should check that this value is correct.

Please note that $_POST['postid'] is not the same as $_POST['postID']

deletepost.php
PHP:
<?php

$msg = "Is this what you expected?<br />";
$msg .= "postid: " . $_POST['postid'];

echo $msg;
exit;

...

If you are getting the correct value, the problem must be in the database query.

You may also consider adding some protection to your forms by adding a FORM KEY.
 

essellar

Which forum software are you using exactly? Most forum software, even the free ones, have built in systems for deleting posts for admins and moderators.

Don't assume that everybody uses off-the-shelf software. Many of us prefer to, or find ourselves forced to, develop custom solutions, either out of intellectual curiosity, professional pride, or simple disgust with the quality of what's available. (You couldn't pay me enough to use most of the blogging, forum, CMS or ecommerce platforms out there on my own site, and I'd only inflict them on others if time-to-launch was the primary concern.)

In this case, the OP (gdebojyoti.mail96) is working with a custom "status update" feature developed in relation with this thread in the Programming Help forum. (A subsequent question in that forum is leading me to believe that he/she will be reinventing Facebook before long, so I'd advise backing up a step or two and planning the architecture before getting too carried away. "Friends" will lead to "groups" and "circles", "status" will almost certainly be followed by "comments", and before you know it data and relational integrity are going to become a big problem.)

As for the technical issue here, I'd be willing to bet on the missing </form> tags (as misson mentioned). Since the forms are unnamed and have the same action and method, there's no guarantee that they'll be autoclosed, so your submitted values may very well be unexpected arrays.
 

glennemlee95

Don't assume that everybody uses off-the-shelf software. Many of us prefer to, or find ourselves forced to, develop custom solutions, either out of intellectual curiosity, professional pride, or simple disgust with the quality of what's available. (You couldn't pay me enough to use most of the blogging, forum, CMS or ecommerce platforms out there on my own site, and I'd only inflict them on others if time-to-launch was the primary concern.)

I used to be that way until Anonymous took down the security company HBGary like it was nothing. Can't forget about LulzSec either. Had a couple of run-ins with a hacker group I won't name, but I will say it wasn't pretty.

I shall leave this topic in the hope of preventing arguments. @OP: Best of luck with your ventures! I wish you well in your development! PM me if you need or want someone to test your security against SQL injection.
 

gomarc

Kudos to misson and essellar.

Not closing the form must be the issue.

The sample code will only post the last value of $getStat[statusID] no matter what submit button is pressed.

REP + to you guys.
 
gdebojyoti.mail96
Yup, I missed the </form> part. It's now working. :)

Pretty stupid of me! lol

---------- Post added at 04:12 AM ---------- Previous post was at 04:11 AM ----------

Which forum software are you using exactly? Most forum software, even the free ones, have built in systems for deleting posts for admins and moderators.
I am not using any software; I am developing my website from scratch. It gives me all the options/controls I want.

---------- Post added at 04:16 AM ---------- Previous post was at 04:12 AM ----------

@OP: Best of luck with your ventures! Hope you well in your development! PM me if you need or want someone to test your security against SQL Injection.
Thanks. I'll definitely contact you as soon as I have finished developing my site.

---------- Post added at 04:23 AM ---------- Previous post was at 04:16 AM ----------

Not closing the form must be the issue.

The sample code will only post the last value of $getStat[statusID] no matter what submit button is pressed.

Exactly!

---------- Post added at 04:30 AM ---------- Previous post was at 04:23 AM ----------

In this case, the OP (gdebojyoti.mail96) is working with a custom "status update" feature developed in relation with this thread in the Programming Help forum. (A subsequent question in that forum is leading me to believe that he/she will be reinventing Facebook before long, so I'd advise backing up a step or two and planning the architecture before getting too carried away. "Friends" will lead to "groups" and "circles", "status" will almost certainly be followed by "comments", and before you know it data and relational integrity are going to become a big problem.)
Yup, I am trying to create a social networking site of my own. :)
Will you share your views regarding a suitable model?
Please note that I am not very familiar/comfortable with the Object Oriented Programming (OOP) part of PHP. Will it be necessary? Someone told me that Facebook does not implement OOP.

And I have also posted another query - regarding adding friends. http://x10hosting.com/forums/programming-help/166548-add-friend-script.html

---------- Post added at 04:31 AM ---------- Previous post was at 04:30 AM ----------

Thanks to everyone for helping me.

Regards,
Debojyoti Ghosh.
 

misson

There are automated tools to check for SQL injection vulnerabilities, such as sqlmap.

One thing I left out of my previous post: since multiple copies of the form are generated in a loop, there are multiple elements with the same ID ("postid"), which is illegal in HTML. Either leave the ID attribute off the inputs or create a truly unique ID for each input using (e.g.) the status ID or a loop counter. Checking your page with an HTML validator would have caught both the duplicate ID and missing form close-tag errors, and any others as well.
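Pulling the thread's fixes together, here is an added example (editor's code, not gdebojyoti.mail96's site code nor anything posted by misson, gomarc or essellar) that shows the rendering loop and the deletepost.php logic side by side: one closed <form> per row and a unique id per input (misson's points), a form key checked on every delete (gomarc's suggestion), and a handler that refuses the "unexpected array" postid essellar describes instead of passing it to the database. Everything about the schema is assumed for the demo: a `status` table with statusID, userID, statusUpdate and time columns, the logged-in user's ID in $_SESSION['userID'], the form key in $_SESSION['form_key'], and the pdo_sqlite extension so the script runs against an in-memory database without a web server. The functions return strings rather than echoing so they can be called from the command line.

```php
<?php
// Added example, not code from the thread. Assumed schema: status(statusID,
// userID, statusUpdate, time). Assumed session layout: userID, form_key.
declare(strict_types=1);

/** Return the per-session form key, creating it on first use. */
function formKey(array &$session): string
{
    if (empty($session['form_key'])) {
        $session['form_key'] = bin2hex(random_bytes(32)); // unguessable token
    }
    return $session['form_key'];
}

/** Escape a value for an HTML attribute or text node. */
function h($s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * One closed <form> per status row: every hidden postid belongs to its own
 * form, id attributes are unique (postid-<statusID>), user-supplied text is
 * escaped, and the form key travels with each delete request.
 */
function renderStatusList(array $rows, string $formKey): string
{
    $html = '';
    foreach ($rows as $getStat) {
        $id = (int) $getStat['statusID'];
        $html .= h($getStat['statusUpdate'])
            . ' (<span class="stat">' . h($getStat['time']) . '</span>)' . "\n"
            . '<form method="post" action="deletepost.php">' . "\n"
            . '    <input type="hidden" name="postid" id="postid-' . $id . '" value="' . $id . '">' . "\n"
            . '    <input type="hidden" name="form_key" value="' . h($formKey) . '">' . "\n"
            . '    <input type="submit" value="Delete post">' . "\n"
            . "</form>\n";
    }
    return $html;
}

/** deletepost.php logic; returns a status string instead of echoing. */
function handleDelete(array $post, array $session, PDO $db): string
{
    // 1. Form key: the request must carry the key issued to this session.
    $key = $post['form_key'] ?? null;
    if (!is_string($key) || empty($session['form_key'])
        || !hash_equals($session['form_key'], $key)) {
        return 'rejected: bad form key';
    }
    // 2. postid must be a single positive integer; an array fails validation.
    $postid = filter_var($post['postid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($postid === false) {
        return 'rejected: invalid postid';
    }
    // 3. Ownership is part of the query, and values are bound, not concatenated.
    $stmt = $db->prepare('DELETE FROM status WHERE statusID = :id AND userID = :uid');
    $stmt->execute([':id' => $postid, ':uid' => (int) $session['userID']]);
    return $stmt->rowCount() === 1 ? "deleted $postid" : 'rejected: not found or not yours';
}

// Demo with constructed rows in an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE status (statusID INTEGER PRIMARY KEY, userID INTEGER, statusUpdate TEXT, time TEXT)');
$db->exec("INSERT INTO status VALUES (1, 7, 'Hello world!', '2012-01-01 10:00'),
                                     (2, 7, '<b>second</b> post', '2012-01-01 11:00'),
                                     (3, 9, 'someone else''s post', '2012-01-01 12:00')");

$session = ['userID' => 7];
$key = formKey($session);
echo renderStatusList($db->query('SELECT * FROM status')->fetchAll(PDO::FETCH_ASSOC), $key);

echo handleDelete(['postid' => '2', 'form_key' => $key], $session, $db), "\n";         // owner deletes own post
echo handleDelete(['postid' => '3', 'form_key' => $key], $session, $db), "\n";         // another user's post
echo handleDelete(['postid' => '1', 'form_key' => 'x'], $session, $db), "\n";          // wrong form key
echo handleDelete(['postid' => ['1', '2'], 'form_key' => $key], $session, $db), "\n";  // postid sent as an array
```

Run it with `php deletepost-demo.php`. The rendered markup shows the second status's `<b>` tags as text rather than bold, which is the point of escaping. In a real deletepost.php the $post and $session arrays would be $_POST and $_SESSION, and the form key should be regenerated when the user logs in.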
 