Larry Ullman's Book Forums


Hi All,

I'm currently working in Chapter 10 with the delete user script.

I have followed the code in the book as it is but when I click "delete" from the view users page I keep getting "this page has been accessed in error".

The only difference that I can see in my code and the book's is that my script is called "delete.php" and the book's is "delete.php". I have changed the name in the script to be correct. Also in the book the DB is named "users" but mine is called "user". The DB connection works fine as I can see my list of registered users.

When I land on the delete a user page I can see my header and the <h2> tag "Delete a user" and my footer but no form to actually delete the user.

My code is below. I'm probably doing something really stupid but any help would be great.

Thanks,

Tony.

    <?php # Script 10.2 - delete.php

    $page_title = 'Delete a User';
    include ('_include/header.php');
    echo '<h2>Delete a User</h2>';

    // Check for a valid user ID, through GET or POST:
    if ( (isset($_GET['id'])) && (is_numeric($_GET['id'])) ) { // From view_users.php
        $id = $_GET['id'];
    } elseif ( (isset($_POST['id'])) && (is_numeric($_POST['id'])) ) { // Form submission.
        $id = $_POST['id'];
    } else { // No valid ID, kill the script.
        echo '<p class="error">This page has been accessed in error.</p>';
        include ('_include/footer.php');
        exit();
    }

    require_once ('../../mysqli_connect.php');

    // Check if the form has been submitted:
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {

        if ($_POST['sure'] == 'Yes') { // Delete the record.

            // Make the query:
            $q = "DELETE FROM user WHERE user_id=$id LIMIT 1";
            $r = @mysqli_query ($dbc, $q);
            if (mysqli_affected_rows($dbc) == 1) { // If it ran OK.

                // Print a message:
                echo '<p>The user has been deleted.</p>';

            } else { // If the query did not run OK.
                echo '<p class="error">The user could not be deleted due to a system error.</p>'; // Public message.
                echo '<p>' . mysqli_error($dbc) . '<br />Query: ' . $q . '</p>'; // Debugging message.
            }

        } else { // No confirmation of deletion.
            echo '<p>The user has NOT been deleted.</p>';
        }

    } else { // Show the form.

        // Retrieve the user's information:
        $q = "SELECT CONCAT(last_name, ', ', first_name) FROM users WHERE user_id=$id";
        $r = @mysqli_query ($dbc, $q);

        if (mysqli_num_rows($r) == 1) { // Valid user ID, show the form.

            // Get the user's information:
            $row = mysqli_fetch_array ($r, MYSQLI_NUM);

            // Display the record being deleted:
            echo "<h3>Name: $row[0]</h3>
            Are you sure you want to delete this user?";

            // Create the form:
            echo '<form action="delete.php" method="post">
            <input type="radio" name="sure" value="Yes" /> Yes
            <input type="radio" name="sure" value="No" checked="checked" /> No
            <input type="submit" name="submit" value="Submit" />
            <input type="hidden" name="id" value="' . $id . '" />
            </form>';

        } else { // Not a valid user ID.
            echo '<p class="error">This page has been accessed in error.</p>';
        }

    } // End of the main submission conditional.

    mysqli_close($dbc);

    include ('_include/footer.php');
    ?>

One of your queries is failing. In one of your queries you address table 'user' and in the other one you address 'users' ... so one of those is looking for a table that doesn't exist.

I always test to see if the query ran okay. $r will tell you:

$q = "DELETE FROM user WHERE user_id=$id LIMIT 1";
$r = @mysqli_query ($dbc, $q);

if (!$r) { // query failed
 echo "<p>Query: $q</p>\n\n<p>MySQL Error: " . mysqli_error ($dbc) . "</p>\n\n"; // or send via mail if you don't want an error visible to users
} else { // query okay
 // do your mysqli_affected_rows() or mysqli_num_rows() statements
}


Hi,

Just a small curiosity about a note on page 307 regarding this script that says that '... For example, if the query tries to delete the record where the user ID is equal to 42000 (and if that doesn't exist), no rows will be deleted but no MySQL error will occur. Still, because of the checks made when the form is first loaded, it would take a fair amount of hacking by the user to get to that point.'

Does it mean that the primary key number 42000 would NEVER be generated, by default, for the table in the MySQL platform used with PHP? Or what?

And what can make it easily vulnerable?

Thanks


Sorry for the confusion. 42000 is just an example number. The greater point is that if you run a DELETE query that doesn't actually delete a record, that won't necessarily create an error.

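The two points made in this thread, that a failed query and a query that simply matched no row look the same if you only check mysqli_affected_rows(), can be kept apart in code. The helper below is an added example, not from the book or from anyone in this thread; it assumes a mysqli connection $dbc and the book's table name users with an integer primary key user_id, and it uses a prepared statement so the ID is bound as an integer rather than interpolated into the SQL string.

```php
<?php
// Added example (not the book's delete.php): delete one user and report
// three distinct outcomes instead of one "system error" message.
// Assumes $dbc is an open mysqli connection to a table named users
// with an integer primary key user_id.

// PHP 8.1+ throws mysqli_sql_exception by default; switch to return-value
// reporting so the false checks below behave the same on every version.
mysqli_report(MYSQLI_REPORT_OFF);

function delete_user(mysqli $dbc, int $id): string
{
    // A bound integer parameter can never be read as SQL, even if the
    // is_numeric() check in delete.php were removed later.
    $stmt = $dbc->prepare('DELETE FROM users WHERE user_id = ? LIMIT 1');
    if ($stmt === false) {
        // prepare() fails for a misspelled table name (user vs users),
        // which is exactly the failure the first reply diagnoses.
        return 'error: ' . $dbc->error;
    }
    $stmt->bind_param('i', $id);

    if (!$stmt->execute()) {
        // The statement was valid but running it failed (lost connection,
        // lock timeout, foreign-key constraint, ...). This is a real error.
        $msg = 'error: ' . $stmt->error;
        $stmt->close();
        return $msg;
    }

    // No error here does not mean a row was deleted: an ID that does not
    // exist (the book's 42000 example) matches nothing and MySQL is silent.
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted === 1 ? 'deleted' : 'not found';
}

// Usage from delete.php after the id and "sure" checks (constructed call):
// $outcome = delete_user($dbc, (int) $_POST['id']);
// 'deleted' -> success message; 'not found' -> "accessed in error";
// anything starting with 'error:' -> log it, show the public message.
```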
