#1 | Contributing User (Devshed Newbie), joined Sep 2012

    Delete.php page.. How to return?


    I have this delete.php page which GETs the ID to delete. Now I'm wondering, how do I return to the page listing the files?

    Code:
    <?php
    // Connection details left out by the poster; mysql_connect() falls back to its defaults.
    $con = mysql_connect(/* bla bla bla */);

    // Both values are taken straight from the query string, with no escaping or validation.
    $table = $_GET['table'];
    $id = $_GET['id'];

    // The table name and the id are interpolated directly into the SQL string.
    // (Backticks instead of single quotes around the table name: MySQL does not
    // accept a single-quoted string as an identifier, so the original would not run.)
    mysql_query("DELETE FROM `$table` WHERE klant_naam = '$id'") or die(mysql_error());
    ?>
    Thanks!
#2 | gw1500se, Contributing User (Devshed Expert), joined Jul 2003
    Change the page listing the files to a PHP page and put this code there checking for a submit.

    That having been said, you have a host of problems with your basic approach.

    1) You should not be using the deprecated MySQL extension, and you are wide open to injection.
    2) Use PDO prepared statements to avoid injection. If you insist on using deprecated code, at least run your query strings through 'mysql_real_escape_string'.
    3) I see no safeguards in place to prevent unauthorized users from doing deletes. Anyone can manipulate the URL to delete anything and to manipulate the database via the aforementioned injection. You probably need to be using the 'POST' method and add some authorized user checking. Have these users passed some kind of authentication to get this far?
    4) Please enclose your PHP code in [ PHP ] tags. See ManiacDan's New User Guide for details and also a lot of good debugging and security tips.
    Last edited by gw1500se; November 9th, 2012 at 08:53 AM.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
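    An added example, not code from the original poster or from gw1500se, of what points 1 to 3 look like when put together, and of one way to handle the "how do I return" question: the listing page itself accepts the delete on a POST and then redirects back to itself. Everything named here is an assumption: a `klanten` table keyed on the `klant_naam` column seen in the original query, a login page that has already stored the user's id in `$_SESSION['user_id']`, and placeholder DSN credentials.

```php
<?php
// list.php: lists the rows and handles the delete itself on a POST submit.
// Example added here, not code from the thread. Assumed: a `klanten` table
// with a `klant_naam` column, $_SESSION['user_id'] set by the existing login
// page, and placeholder database credentials.
declare(strict_types=1);
session_start();

// 3) Authorization first: nothing below runs for an anonymous visitor.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not authorized');
}

// 1) + 2) PDO with server-side prepared statements and exceptions on error.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// A placeholder can only stand in for a value, never for a table or column
// name, so the table comes from a fixed allow-list rather than from the request.
const TABLES = ['klanten' => 'klant_naam'];   // table => key column (assumed)

// Deletes are only accepted from a POST form, never from a bare GET link.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete'])) {
    $table = $_POST['table'] ?? '';
    $id    = $_POST['id'] ?? '';
    if (!isset(TABLES[$table]) || $id === '') {
        http_response_code(400);
        exit('Bad request');
    }
    $column = TABLES[$table];
    $stmt = $pdo->prepare("DELETE FROM `$table` WHERE `$column` = :id");
    // $id is sent as data, so a value such as  ' OR '1'='1  matches nothing.
    $stmt->execute([':id' => $id]);

    // "How do I return?": redirect back to this page (fixed path, not PHP_SELF)
    // so that a browser refresh does not resubmit the delete.
    header('Location: list.php?deleted=' . $stmt->rowCount());
    exit;
}

$rows = $pdo->query('SELECT klant_naam FROM `klanten` ORDER BY klant_naam')
            ->fetchAll(PDO::FETCH_ASSOC);
$deleted = isset($_GET['deleted']) ? (int) $_GET['deleted'] : null;
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($deleted !== null): ?>
  <p><?= $deleted ?> row(s) deleted.</p>
<?php endif; ?>
<ul>
<?php foreach ($rows as $row): ?>
  <li>
    <?= htmlspecialchars($row['klant_naam'], ENT_QUOTES, 'UTF-8') ?>
    <!-- one small POST form per row instead of a delete.php?id=... link -->
    <form method="post" action="list.php" style="display:inline">
      <input type="hidden" name="table" value="klanten">
      <input type="hidden" name="id"
             value="<?= htmlspecialchars($row['klant_naam'], ENT_QUOTES, 'UTF-8') ?>">
      <button type="submit" name="delete" value="1">Delete</button>
    </form>
  </li>
<?php endforeach; ?>
</ul>
</body>
</html>
```

    Two things worth noticing: the table name is still interpolated into the SQL string, because prepared statements cannot parameterize identifiers, so it must be checked against the allow-list before it gets anywhere near the query; and the redirect after the delete is what makes "return to the listing" work, since the browser lands on a fresh GET of the same page rather than on the result of a POST.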
#3 | Contributing User (Devshed Newbie), joined Sep 2012
    Originally Posted by gw1500se
    Change the page listing the files to a PHP page and put this code there checking for a submit.

    That having been said, you have a host of problems with your basic approach.

    1) You should not be using the deprecated MySQL extension, and you are wide open to injection.
    2) Use PDO prepared statements to avoid injection. If you insist on using deprecated code, at least run your query strings through 'mysql_real_escape_string'.
    3) I see no safeguards in place to prevent unauthorized users from doing deletes. Anyone can manipulate the URL to delete anything and to manipulate the database via the aforementioned injection. You probably need to be using the 'POST' method and add some authorized user checking. Have these users passed some kind of authentication to get this far?
    4) Please enclose your PHP code in [ PHP ] tags. See ManiacDan's New User Guide for details and also a lot of good debugging and security tips.
    Hi! Since this is my first big PHP/MySQL application I haven't thought about the security YET. And yup, the users have to authorise to get to this page.

    Is delete.php not the way to go? Should I put an isset() check for the delete function on the page where the files are listed then?
#4 | ptr2void, "I haz teh codez!" (Devshed Frequenter), joined Dec 2003
    You should be thinking about security from the very beginning!!!
    I ♥ ManiacDan & requinix

    This is a sig, and not necessarily a comment on the OP:
    Please don't be a help vampire!
#5 | gw1500se, Contributing User (Devshed Expert), joined Jul 2003
    I think you are jumping into programming prematurely. You need to sit down and document your requirements and logic flow. As ptr2void suggests, you need to think about security in your planning phase. You certainly don't want to use GET rather than POST for your form method. If you try to go back and add security later you invariably will leave security holes. Since you are just starting you absolutely do not want to learn to program with obsolete technology. Learn OOP and use PDO. Northie wrote a good intro to OOP, take advantage of it. Feel free to discuss your plan on this forum as there are many security experts here that can get you as close to a bulletproof app as possible.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.