PHP Development
#1
November 9th, 2012, 08:40 AM
notflip
Contributing User, Dev Shed Newbie (0 - 499 posts)
Join Date: Sep 2012 | Posts: 148
Delete.php page.. How to return?

I have this delete.php page which GETs the ID to delete. Now I'm wondering, how do I return to the page listing the files?

Code:
<?php
// Connection details were left out of the original post ("bla bla bla")
$con = mysql_connect(bla bla bla);

// Table name and id are taken straight from the query string
$table = $_GET['table'];
$id = $_GET['id'];

// Table identifiers need backticks, not single quotes; the values are still
// interpolated into the SQL string unescaped
mysql_query("DELETE FROM `$table` WHERE klant_naam = '$id'") or die(mysql_error());
?>


Thanks!

#2
November 9th, 2012, 08:50 AM
gw1500se
Contributing User, Dev Shed Frequenter (2500 - 2999 posts)
Join Date: Jul 2003 | Posts: 2,877
Change the page listing the files to a PHP page and put this code there checking for a submit.

That having been said, you have a host of problems with your basic approach.

1) You should not be using the deprecated MySQL extension, and you are wide open to injection.
2) Use PDO prepared statements to avoid injection. If you insist on using deprecated code, at least run your query strings through 'mysql_real_escape_string'.
3) I see no safeguards in place to prevent unauthorized users from doing deletes. Anyone can manipulate the URL to delete anything and to manipulate the database via the aforementioned injection. You probably need to be using the 'POST' method and add some authorized user checking. Have these users passed some kind of authentication to get this far?
4) Please enclose your PHP code in [ PHP ] tags. See ManiacDan's New User Guide for details and also a lot of good debugging and security tips.
__________________
There are 10 kinds of people in the world. Those that understand binary and those that don't.

Last edited by gw1500se : November 9th, 2012 at 08:53 AM.

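To make the advice in the reply above concrete, here is an added example of what "put this code on the listing page and check for a submit" can look like. It is not code from the thread or from either poster: it keeps the list and the delete handler in one page, requires an authenticated session, accepts the delete only via POST, binds the id with a PDO prepared statement instead of interpolating it, never takes the table name from the request, and answers the original question of how to get back to the listing by redirecting after the delete. The file name list.php, the session key user_id, the table name klanten, an integer id column, the login page and the connection details are all assumptions for illustration.

```php
<?php
// Added example, not the thread's code. list.php: shows the rows and handles
// the delete in the same page, as suggested in the reply above.
declare(strict_types=1);

session_start();

// 1) Authorisation check: only a logged-in user may reach this page.
//    $_SESSION['user_id'] is an assumed key set by your login code.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php', true, 303);   // assumed login page
    exit;
}

// Assumed connection details; replace with your own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]
);

// 2) The table name is fixed in code, never read from the request. Identifiers
//    cannot be bound as parameters, so they must not come from user input.
const KLANTEN_TABLE = 'klanten';   // assumed table name

// 3) Handle the delete only on POST and only when the submit button was sent.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'], $_POST['id'])) {
    // Validate the id; this example assumes an integer primary key.
    $id = filter_var($_POST['id'], FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        exit('Invalid id');
    }

    // 4) Prepared statement: the value is bound, never concatenated into the SQL.
    $stmt = $pdo->prepare('DELETE FROM ' . KLANTEN_TABLE . ' WHERE id = :id');
    $stmt->execute([':id' => $id]);

    // 5) Return to the listing: redirect back to this page as a GET so that a
    //    browser refresh does not resubmit the delete (POST-redirect-GET).
    header('Location: list.php', true, 303);
    exit;
}

// 6) The listing itself, with one small POST form per row. htmlspecialchars()
//    keeps stored data from being rendered as HTML.
$rows = $pdo
    ->query('SELECT id, klant_naam FROM ' . KLANTEN_TABLE . ' ORDER BY klant_naam')
    ->fetchAll(PDO::FETCH_ASSOC);
?>
<!DOCTYPE html>
<html>
<body>
<table>
<?php foreach ($rows as $row): ?>
  <tr>
    <td><?= htmlspecialchars($row['klant_naam'], ENT_QUOTES, 'UTF-8') ?></td>
    <td>
      <form method="post" action="list.php">
        <input type="hidden" name="id" value="<?= (int) $row['id'] ?>">
        <button type="submit" name="delete" value="1">Delete</button>
      </form>
    </td>
  </tr>
<?php endforeach; ?>
</table>
</body>
</html>
```

Two design points worth noting: the redirect after the delete is the direct answer to "how do I return", and using status 303 plus a fresh GET means the delete cannot be repeated by reloading the page. The thread does not cover it, but a per-session token in the form is the usual addition once the handler is POST-only, so that a request from another site cannot trigger the delete on a logged-in user's behalf.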
#3
November 9th, 2012, 08:56 AM
notflip
Contributing User, Dev Shed Newbie (0 - 499 posts)
Join Date: Sep 2012 | Posts: 148
Quote:
Originally Posted by gw1500se
Change the page listing the files to a PHP page and put this code there checking for a submit.

That having been said, you have a host of problems with your basic approach.

1) You should not be using the deprecated MySQL extension, and you are wide open to injection.
2) Use PDO prepared statements to avoid injection. If you insist on using deprecated code, at least run your query strings through 'mysql_real_escape_string'.
3) I see no safeguards in place to prevent unauthorized users from doing deletes. Anyone can manipulate the URL to delete anything and to manipulate the database via the aforementioned injection. You probably need to be using the 'POST' method and add some authorized user checking. Have these users passed some kind of authentication to get this far?
4) Please enclose your PHP code in [ PHP ] tags. See ManiacDan's New User Guide for details and also a lot of good debugging and security tips.


Hi! Since this is my first big PHP/MySQL application I haven't thought about security YET. And yup, the users have to authorise to get to this page.

Is delete.php not the way to go? Should I put an isset check for the delete function on the page where the files are listed, then?

#4
November 9th, 2012, 09:22 AM
ptr2void
I haz teh codez!, Dev Shed Regular (2000 - 2499 posts)
Join Date: Dec 2003 | Posts: 2,476
You should be thinking about security from the very beginning!!!
__________________
I ♥ ManiacDan & requinix

This is a sig, and not necessarily a comment on the OP:
Please don't be a help vampire!

#5
November 9th, 2012, 09:43 AM
gw1500se
Contributing User, Dev Shed Frequenter (2500 - 2999 posts)
Join Date: Jul 2003 | Posts: 2,877
I think you are jumping into programming prematurely. You need to sit down and document your requirements and logic flow. As ptr2void suggests, you need to think about security in your planning phase. You certainly don't want to use GET rather than POST for your form method. If you try to go back and add security later, you invariably will leave security holes. Since you are just starting, you absolutely do not want to learn to program with obsolete technology. Learn OOP and use PDO. Northie wrote a good intro to OOP; take advantage of it. Feel free to discuss your plan on this forum, as there are many security experts here who can get you as close to a bulletproof app as possible.
