#1 bradmartin0924 (Registered User, Devshed Newbie (0 - 499 posts); joined Oct 2012; 24 posts; Rep Power 0)

    Trouble with delete_product.php


    Been working for hours on this and I just can't seem to figure it out. Here is the delete_product file:
    PHP Code:
    <?php

    // Delete the product from the database
    require_once('database.php');
    $query = "DELETE FROM products
              WHERE productCode = $product_Code";
    $db->exec($query);

    // display the Product List page
    include('index.php');
    ?>
    And here is the INDEX that I'm trying to delete a row from when the user hits the delete button.

    PHP Code:
    <?php
    require_once('database.php');

    // Get products for selected category
    $query = "SELECT * FROM `products` LIMIT 0, 30 ";
    $products = $db->query($query);
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
        <!-- the head section -->
        <head>
            <title>SportsPro Technical Support</title>
            <link rel="stylesheet" type="text/css"
                  href="main.css" />
        </head>

        <!-- the body section -->
        <body>
        <div id="page">
            <div id="header">
                <h1>SportsPro Technical Support</h1>
                <p>Sports management software for the sports enthusiast</p>
                <ul class="nav"><li><a href="/project_start/tech_support/">Home</a></li></ul>
            </div>
           
            <div id="content">
                <!-- display a table of products -->
                <h2></h2>
                <table>
                    <tr>
                        <th>Code</th>
                        <th>Name</th>
                        <th>Version</th>
                        <th>Release Date</th>
                        <th>&nbsp;</th>
                    </tr>
                    <?php foreach ($products as $product) : ?>
                    <tr>
                        <td><?php echo $product['productCode']; ?></td>
                        <td><?php echo $product['name']; ?></td>
                        <td><?php echo $product['version']; ?></td>
                        <td><?php echo $product['releaseDate']; ?></td>
                        <td><form action="delete_product.php" method="post"
                                  id="delete_product_form">
                                  <input type="hidden" name="product_id"
                                   value="<?php echo $product['productCode']; ?>" />
                            <input type="submit" value="Delete" />
                        </form></td>
                    </tr>
                    <?php endforeach; ?>
                </table>
                <p><a href="add_product_form.php">Add Product</a></p>
            </div>
        </div>

               <div id="footer">
                <p class="copyright">
                    &copy; <?php echo date("Y"); ?> SportsPro, Inc.
                </p>
            </div>
        </div><!-- end page -->
        </body>
    </html>
    I have an error on line 6 of delete_product: undefined variable. I just don't know what to put there, any help is appreciated. Thanks.
#2 Jacques1 (Devshed Expert (3500 - 3999 posts); joined Jul 2012; 3,910 posts; Rep Power 1045)
    Hi,

    first of all, you have a massive security hole there. Since you don't do any authentication (as far as I can tell) and directly inject the POST parameter into the query string, everybody can delete the whole products table just by sending a POST request to delete_product.php with
    Code:
    1 OR 1 = 1
    as the "product_id" parameter.

    That's obviously a very bad idea. First of all, add authentication (if it isn't already there). Secondly, always escape database input values or use prepared statements. This makes sure that the values are actually interpreted as data so that they cannot be used to manipulate the query.

    As to your original question: The variable $product_Code must be defined somewhere before you can use it. And that's what PHP is telling you.

    Judging from your HTML form, you probably want to pull the parameter "product_id" from the POST data. So do it:

    PHP Code:
    $product_Code = $_POST['product_id'];
    And then escape it or pass it to the prepared statement.
#3 bradmartin0924 (Registered User, Devshed Newbie (0 - 499 posts); joined Oct 2012; 24 posts; Rep Power 0)
    The DB is for a school assignment, we are having to build the forms from scratch so for security I'm not worried about for this particular project. I just have to develop forms to get the database functional. I have the data pulling from the table correctly, I just can't get the delete button to delete the correlating row. Sorry for my ignorance, only been using PHP for a couple of months but I don't understand what you are meaning by "escaping it or passing it". Also, the "product_id" I originally had that in my form under the delete command, but there's no "product_id" in this table, so I thought I didn't need it and I would instead use the productCode which is the primary key. Thanks for the reply. I will try to insert the line you gave me and read a little more but any further explanation would be great.
#4 Jacques1 (Devshed Expert (3500 - 3999 posts); joined Jul 2012; 3,910 posts; Rep Power 1045)
    Originally Posted by bradmartin0924
    The DB is for a school assignment, we are having to build the forms from scratch so for security I'm not worried about for this particular project.
    Unless this is a pure fun project for you to play around in PHP a bit, security is a part of the application. It doesn't matter if you actually need it in this specific case. It's necessary for the code to be correct.

    Otherwise it's like teaching people how to drive, but the car has no brakes, because "you don't need them" on the training course.



    Originally Posted by bradmartin0924
    Sorry for my ignorance, only been using PHP for a couple of months but I don't understand what you are meaning by "escaping it or passing it".
    When you simply insert strings in a query without any preparations, there's obviously a danger of the strings being interpreted as actual SQL commands (instead of plain data). This allows users to manipulate the queries -- see the example above.

    So you have to make sure that this doesn't happen. There are basically two ways:

    You can manually wrap every value in quotes and escape it. Escaping means that certain characters are devaluated and turned into literal characters (by prepending a backslash). For example, the quotes must be devaluated to prevent the user from "breaking out" of the value quotes and being able to inject SQL commands.

    The second way, which is more modern and secure, consists of using prepared statements. Those are a kind of "query templates" with placeholders for values. Instead of building a query string, you create a prepared statement, pass the values to it and then execute the statement. This way the values will never be interpreted as SQL but only as pure data.

    See the PHP article or Wikipedia on SQL injections.

    PHP supports both approaches. But how exactly they work depends on how you interact with your database.



    Originally Posted by bradmartin0924
    Also, the "product_id" I originally had that in my form under the delete command, but there's no "product_id" in this table, so I thought I didn't need it and I would instead use the productCode which is the primary key.
    In any case, you need to define a variable before you can use it.

    PHP did have a "feature" some time ago that would automatically put the request parameters into variables. But that's horribly insecure and has long been abolished. Maybe that's where you got the idea from?
#5 E-Oreo (Lost in code, Devshed Supreme Being (6500+ posts); joined Dec 2004; 8,296 posts; Rep Power 7170)
    I think last time you posted we determined that $db was an instance of PDO. That means the following should work and be secure at the same time:

    PHP Code:
    $query = "DELETE FROM products
              WHERE productCode = :product_id";
    $db->exec($query, array(':product_id' => $_POST['product_id']));
    In this case, :product_id is an arbitrary token that I insert into the SQL query as a place-holder for some unsafe value that I wish to use as part of the query. I could have called this anything, like :asdufdioer, but :product_id makes sense. It has no connection to the fact that the value I want to use is stored in $_POST['product_id'] though.

    The second argument to exec is an array of such place-holders, with the array index equal to the place-holder and the element value equal to the unsafe value that you wish to be substituted into that query in place of the place-holder.

    In this case, $_POST['product_id'] contains the unsafe value that you want to use. $_POST because your <form>'s method="post" and 'product_id' because your <input>'s name="product_id".
    Last edited by E-Oreo; October 24th, 2012 at 06:16 PM. Reason: ****ing smilies
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
#6 bradmartin0924 (Registered User, Devshed Newbie (0 - 499 posts); joined Oct 2012; 24 posts; Rep Power 0)
    Originally Posted by E-Oreo
    I think last time you posted we determined that $db was an instance of PDO. That means the following should work and be secure at the same time:

    PHP Code:
    $query = "DELETE FROM products
              WHERE productCode = :product_id";
    $db->exec($query, array(':product_id' => $_POST['product_id']));
    In this case, :product_id is an arbitrary token that I insert into the SQL query as a place-holder for some unsafe value that I wish to use as part of the query. I could have called this anything, like :asdufdioer, but :product_id makes sense. It has no connection to the fact that the value I want to use is stored in $_POST['product_id'] though.

    The second argument to exec is an array of such place-holders, with the array index equal to the place-holder and the element value equal to the unsafe value that you wish to be substituted into that query in place of the place-holder.

    In this case, $_POST['product_id'] contains the unsafe value that you want to use. $_POST because your <form>'s method="post" and 'product_id' because your <input>'s name="product_id".
    I tried placing that line of code in the delete_product file and I received an error. Not sure if this is where you suggested putting that line of code but it was what I took from it.

    ( ! ) Warning: PDO::exec() expects exactly 1 parameter, 2 given in C:\xampp\htdocs\tech_support\product_manager\delete_product.php on line 10
    Call Stack
    # Time Memory Function Location
    1 0.0004 328536 {main}( ) ..\delete_product.php:0
    2 0.0023 330168 PDO->exec( ) ..\delete_product.php:10
#7 E-Oreo (Lost in code, Devshed Supreme Being (6500+ posts); joined Dec 2004; 8,296 posts; Rep Power 7170)
    Bah, I screwed that example;
    PHP Code:
    $query = "DELETE FROM products
              WHERE productCode = :product_id";
    $st = $db->prepare($query);
    $st->execute(array(':product_id' => $_POST['product_id']));
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
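    Added example, not code from any post in this thread: it runs the DELETE from post #1 three ways against an in-memory SQLite database, each time with the value from post #2 as the product code, so the difference between string interpolation, manual escaping (the first approach from post #4, done here with PDO::quote()) and a prepared statement with the :product_id placeholder from posts #5 and #7 can be observed directly. The table, the three sample rows and the function names are constructed for the example; it assumes PHP with the pdo_sqlite extension available.

```php
<?php
// Added example (not from the thread): the same DELETE built three ways against an
// in-memory SQLite database. Assumes PHP with the pdo_sqlite extension.

// Fresh database with a constructed products table and three constructed rows.
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (productCode TEXT PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO products VALUES ('dr01', 'Draw Runner'), "
            . "('lm01', 'League Manager'), ('tb01', 'Team Builder')");
    return $db;
}

function countRows(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM products')->fetchColumn();
}

// 1. String interpolation (post #1): the value is parsed as part of the SQL text.
function deleteInterpolated(PDO $db, string $code): int {
    return $db->exec("DELETE FROM products WHERE productCode = $code");
}

// 2. Manual escaping: PDO::quote() wraps the value in quotes and escapes the
//    characters that would end the quoted literal, so the whole string is data.
function deleteQuoted(PDO $db, string $code): int {
    return $db->exec('DELETE FROM products WHERE productCode = ' . $db->quote($code));
}

// 3. Prepared statement (posts #5/#7): the SQL text is fixed when prepare() runs;
//    the value is bound to :product_id at execute() time and is never parsed as SQL.
function deletePrepared(PDO $db, string $code): int {
    $st = $db->prepare('DELETE FROM products WHERE productCode = :product_id');
    $st->execute(array(':product_id' => $code));
    return $st->rowCount();
}

$input = '1 OR 1 = 1';   // the product_id value from post #2

$db = makeDb();
printf("interpolated: %d rows deleted, %d left\n", deleteInterpolated($db, $input), countRows($db));

$db = makeDb();
printf("quoted:       %d rows deleted, %d left\n", deleteQuoted($db, $input), countRows($db));

$db = makeDb();
printf("prepared:     %d rows deleted, %d left\n", deletePrepared($db, $input), countRows($db));

// A real code behaves the same in every variant; only the prepared one is safe.
$db = makeDb();
printf("prepared, real code: %d rows deleted, %d left\n", deletePrepared($db, 'lm01'), countRows($db));
```

    Run it from the command line with php. The interpolated variant removes all three rows, because the WHERE clause it executes is literally `productCode = 1 OR 1 = 1`; the quoted and prepared variants remove none, because the entire string is compared against productCode as one value, and the real code lm01 removes exactly one row. PDO::quote() is the escaping route Jacques1 describes, but it is driver-specific and easy to forget on one value, which is why the prepared statement is the recommended form.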
#8 bradmartin0924 (Registered User, Devshed Newbie (0 - 499 posts); joined Oct 2012; 24 posts; Rep Power 0)
    Code:
    Notice: Undefined variable: db in C:\xampp\htdocs\tech_support2\product_manager\delete_product.php on line 9
    
    Fatal error: Call to a member function prepare() on a non-object in C:\xampp\htdocs\tech_support2\product_manager\delete_product.php on line 9
    
    That's the error I received that time. I'm just completely lost on this now. I thought it was something simple, but after having worked on it the past 4 days I'm just completely dumbfounded. Again, I appreciate all the help and advice but it's just not computing with me. I've read the book over and over, for what I need to know at this point any how and it just doesn't make sense. I read it, and then practice it and it still doesn't work.


    Originally Posted by E-Oreo
    Bah, I screwed that example;
    PHP Code:
    $query = "DELETE FROM products
              WHERE productCode = :product_id";
    $st = $db->prepare($query);
    $st->execute(array(':product_id' => $_POST['product_id']));
#9 Jacques1 (Devshed Expert (3500 - 3999 posts); joined Jul 2012; 3,910 posts; Rep Power 1045)
    Originally Posted by bradmartin0924
    That's the error I received that time. I'm just completely lost on this now. I thought it was something simple, but after having worked on it the past 4 days I'm just completely dumbfounded.
    Have you forgotten the require()? Because $db not being defined is a pretty sure sign that your database script isn't included.
#10 bradmartin0924 (Registered User, Devshed Newbie (0 - 499 posts); joined Oct 2012; 24 posts; Rep Power 0)
    Originally Posted by Jacques1
    Have you forgotten the require()? Because $db not being defined is a pretty sure sign that your database script isn't included.
    It's there. The row is never deleted after the button click though.

    delete_product.php
    PHP Code:
    <?php
    // Get IDs
    $product_id = $_POST['product_id'];

    // Delete the product from the database
    require('database.php');
    $query = "DELETE FROM products
              WHERE product_id = '$product_id'";
    $db->exec($query);

    // display the Product List page
    include('index.php');
    ?>
    And here is the index.php that I'm running. I can't pinpoint what I've done wrong here.

    PHP Code:
    <?php
    require_once('database.php');

    // Get products for selected category
    $query = "SELECT * FROM `products` ";
    $products = $db->query($query);
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">

    <!-- the head section -->
    <head>
        <title>SportsPro Technical Support</title>
        <link rel="stylesheet" type="text/css" href="main.css" />
        <script language="Javascript" type="text/javascript">
            function validate(x) {
                if (confirm("OK to delete " + x + "?")) {
                    return true;
                } else {
                    return false;
                }
            }
        </script>
    </head>

    <!-- the body section -->
    <body>
        <div id="page">

        <div id="header">
            <h1>SportsPro Technical Support</h1>
            <p>Sports management software for the sports enthusiast</p>
            <br />
                    <a href="indexhome.php" ><strong>Home</strong></a>
        </div>

        <div id="main">

            <h1>Product List</h1>

           

            <div id="content">
                
                <table>
                    <tr>
                        <th>Code</th>
                        <th>Name</th>
                        <th>Version</th>
                        <th>Release Date</th>
                        <th>&nbsp;</th>
                    </tr>
                    <?php foreach ($products as $product) : ?>
                    <tr>
                        <td><?php echo $product['productCode']; ?></td>
                        <td><?php echo $product['name']; ?></td>
                        <td><?php echo $product['version']; ?></td>
                        <td><?php echo $product['releaseDate']; ?></td>
                        <td><form action="delete_product.php" method="post"
                                  id="delete_product_form"
                                  onsubmit="return validate('<?php echo $product['name']; ?>')">
                            <input type="hidden" name="product_id"
                                   value="<?php echo $product['product_id']; ?>" />
                            <input type="submit" value="Delete" />
                        </form></td>
                    </tr>
                    <?php endforeach; ?>
                </table>
                <p><a href="add_product_form.php">Add Product</a></p>
            </div>
        </div>

        <div id="footer">
            <p>&copy; <?php echo date("Y"); ?> SportsPro, Inc.</p>
        </div>

        </div><!-- end page -->
    </body>
    </html>
#11 Jacques1 (Devshed Expert (3500 - 3999 posts); joined Jul 2012; 3,910 posts; Rep Power 1045)
    Originally Posted by bradmartin0924
    delete_product.php
    Um, there's no "prepare()" at all, you've somehow gone back to your very first variant. What's your actual code that produces the error message you were talking about?
#12 bradmartin0924 (Registered User, Devshed Newbie (0 - 499 posts); joined Oct 2012; 24 posts; Rep Power 0)

    Help****


    I'm in class now and no one can figure out as to why the delete button is not deleting the actual row. Here's the index.php and delete_product.php.

    index:
    PHP Code:
    <?php
    require_once('database.php');

    // Get products for selected category
    $query = "SELECT * FROM `products` ";
    $products = $db->query($query);
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">

    <!-- the head section -->
    <head>
        <title>SportsPro Technical Support</title>
        <link rel="stylesheet" type="text/css" href="main.css" />
        <script language="Javascript" type="text/javascript">
            function validate(x) {
                if (confirm("OK to delete " + x + "?")) {
                    return true;
                } else {
                    return false;
                }
            }
        </script>
    </head>

    <!-- the body section -->
    <body>
        <div id="page">

        <div id="header">
            <h1>SportsPro Technical Support</h1>
            <p>Sports management software for the sports enthusiast</p>
            <br />
                    <a href="indexhome.php" ><strong>Home</strong></a>
        </div>

        <div id="main">

            <h1>Product List</h1>

           

            <div id="content">
                
                <table>
                    <tr>
                        <th>Code</th>
                        <th>Name</th>
                        <th>Version</th>
                        <th>Release Date</th>
                        <th>&nbsp;</th>
                    </tr>
                    <?php foreach ($products as $product) : ?>
                    <tr>
                        <td><?php echo $product['productCode']; ?></td>
                        <td><?php echo $product['name']; ?></td>
                        <td><?php echo $product['version']; ?></td>
                        <td><?php echo $product['releaseDate']; ?></td>
                        <td><form action="delete_product.php" method="post" id="delete_product_form">
                            <input type="hidden" name="product_id"
                                   value="<?php echo $product['productCode']; ?>" />
                            <input type="submit" value="Delete" onClick="return confirm('Are you sure you want to delete?')" />
                        </form></td>
                    </tr>
                    <?php endforeach; ?>
                </table>
                <p><a href="add_product_form.php">Add Product</a></p>
            </div>
        </div>

        <div id="footer">
            <p>&copy; <?php echo date("Y"); ?> SportsPro, Inc.</p>
        </div>

        </div><!-- end page -->
    </body>
    </html>
    Delete_product:
    PHP Code:
    <?php
    // Get IDs
    $product_Code = $_POST['productCode'];

    // Delete the product from the database
    require('database.php');

    $query = "DELETE FROM products
              WHERE productCode = 'product_Code'";

    // display the Product List page
    include('index.php');
    ?>
#13 bradmartin0924 (Registered User, Devshed Newbie (0 - 499 posts); joined Oct 2012; 24 posts; Rep Power 0)
    Sorry for all the hassle and ignorant posts, but I'm stuck at this point and no one can figure it out.
#14 Jacques1 (Devshed Expert (3500 - 3999 posts); joined Jul 2012; 3,910 posts; Rep Power 1045)
    The problem is that you keep changing your code without giving us the current version, and it gets worse every time. Now you don't even execute the query.

    Please go back to E-Oreo's code. It seems you just copied and pasted it over your old code so that the database script wasn't included any longer. That of course doesn't work. You need to replace only your query stuff:

    PHP Code:
    <?php

    require('database.php');

    $query = '
        DELETE
        FROM
            `products`
        WHERE
            `productCode` = :product_id
    ';
    $st = $db->prepare($query);
    $st->execute(array(
        ':product_id' => $_POST['product_id']
    ));

    // display the Product List page
    include('index.php');

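    Added example, not Jacques1's or the thread's code: the same prepared statement inside a complete delete_product.php, with the checks a delete handler needs around the query (the authentication Jacques1 asked for in post #2, a method check, parameter validation, error reporting and a rowCount() check that exposes the "button does nothing" symptom instead of hiding it). It assumes, as the thread does, that database.php defines $db as a PDO object; the $_SESSION['user_id'] check is a hypothetical stand-in for whatever login code the project has, and the 10-character limit on the code is a placeholder for the real column length.

```php
<?php
// Added example (not the thread's code): a complete delete_product.php built on the
// prepared-statement version from this thread. Assumptions: database.php defines
// $db as a PDO instance, and the login step stores the user in $_SESSION['user_id']
// (hypothetical name; adapt to the project's own login code).

session_start();
require('database.php');

// 1. Only a logged-in user may delete products.
if (empty($_SESSION['user_id'])) {
    header('HTTP/1.1 403 Forbidden');
    exit('Not authorised.');
}

// 2. A delete changes state, so accept it only through the form's POST method.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('HTTP/1.1 405 Method Not Allowed');
    exit('Use the Delete button.');
}

// 3. Read the parameter named by the form's <input name="product_id"> and check
//    it looks like a product code before touching the database. The length limit
//    is a placeholder for the real size of the productCode column.
$product_id = isset($_POST['product_id']) ? trim($_POST['product_id']) : '';
if ($product_id === '' || strlen($product_id) > 10) {
    header('HTTP/1.1 400 Bad Request');
    exit('Missing or invalid product code.');
}

// 4. Make PDO throw on driver errors instead of silently returning false.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// 5. The value is bound to :product_id and compared as data, never parsed as SQL.
$st = $db->prepare('DELETE FROM `products` WHERE `productCode` = :product_id');
$st->execute(array(':product_id' => $product_id));

// 6. rowCount() says whether the WHERE clause matched a row. Zero here is the
//    "row is never deleted" symptom from this thread, typically because the form
//    sent a value from a column that does not exist (product_id vs productCode).
if ($st->rowCount() === 0) {
    error_log("delete_product: no product with code '$product_id'");
}

// 7. Redirect rather than include('index.php'), so a browser refresh re-requests
//    the product list instead of re-submitting the DELETE.
header('Location: index.php');
exit;
```

    With ERRMODE_EXCEPTION set in database.php itself (or right after the PDO object is created), the undefined-column query from post #10 would have raised an exception pointing at the bad column name instead of failing quietly, which is the quickest way to find this class of bug.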