
I have a page where I have the table row id defined by 'lesson_id', and I have a delete function in jQuery that deletes that row without having to change page. It is almost all working, but when it posts the information to delete_row.php it is not deleting the record. delete_row.php is working, though, because I've manually done delete_row.php?id=4 and it deleted that record successfully. Any pointers and explanations would be great as I'm still learning.

lessons.php

<table id="lessons" class="table-hover">
    <thead>
        <tr>
            <th>Lesson ID</th>
            <th>Lesson Name</th>
            <th></th>
        </tr>
    </thead>
<tbody>
<?php 
while($row=mysqli_fetch_array($result)){
    echo '<tr id="'. $row['lesson_id'].'">';    
        echo '<td>'. $row['lesson_id'] .'</td>';
        echo '<td>'. $row['name'] .'</td>';
        echo '<td><a class="delete">Delete</a></td>';   
    echo '</tr>';
}
?>
</tbody>
</table>
<div id="error"></div>
<script>
$(document).ready(function()
{
    $('table#lessons td a.delete').click(function()
    {
        if (confirm("Are you sure you want to delete this row?"))
        {
            // the <tr> carries the lesson_id as its id attribute
            var id = $(this).parent().parent().attr('id');
            var data = 'id=' + id;
            var parent = $(this).parent().parent();
            //$('#error').html(data);
            $.ajax(
            {
                type: "POST",          // the id is sent in the request body, not the query string
                url: "delete_row.php",
                data: data,
                cache: false,

                success: function()
                {
                    // runs on any 2xx response, whether or not a row was deleted
                    parent.fadeOut('slow', function() {$(this).remove();});
                }
            });
        }
    });
});
</script>

delete_row.php

<?php
include ('../../../config.php');
$con = mysqli_connect ($dbhost,$dbuser,$dbpass,$dbname);
if (!$con){
    // $con is false here, so mysqli_error($con) cannot be used; report the connect error instead
    die('could not connect: '. mysqli_connect_error());
}
$error = "";
$success = "";

// reads the id from the query string only (delete_row.php?id=4)
if($_GET['id'])
{
$id = $_GET['id'];

// $id is interpolated straight into the SQL string
mysqli_query($con,"DELETE FROM module_lessons WHERE lesson_id='$id'");
}
?>

As is obvious ... this has no SQL injection protection on it.

  • You never bothered embedding the ID of the record in your delete link, so when the link is clicked, $_GET['id'] is undefined. And DON'T DO THIS: you are both vulnerable to SQL injection attacks and the Spider of Doom. Enjoy having your server totally pwn3d. Commented Feb 22, 2016 at 20:04
  • You are mixing up GET and POST. You should only use POST; you don't want a clever browser (plugin...) or a search engine to prefetch all your delete links... Commented Feb 22, 2016 at 20:04
  • php.net/manual/en/function.error-reporting.php Commented Feb 22, 2016 at 20:06
  • Apart from the problems mentioned already, you are using some sort of authentication in your real delete_row.php script, right? Commented Feb 22, 2016 at 20:07
  • This is a school project I'm learning on, and I know how to prevent SQL injections and do validation; I've done it in my other forms. Commented Feb 22, 2016 at 20:10

1 Answer

Change $_GET['id']; to $_POST['id'];

Here, you're doing a POST request:

type: "POST",
url: "delete_row.php",

... but in your PHP script you're checking for GET.

Also, as Marc B noted, you're currently vulnerable to SQL injection. Look into using mysqli_real_escape_string or bind_param.


4 Comments

You can use prepared statements in mysqli as well.
@jeroen Wasn't aware of that. I've used PDO exclusively for as long as I can remember.
Me too. When I have the choice at least :-)
@BugHunterUK thanks for that, that's the answer I've been looking for; I didn't realise my muck-up ... and yes, I know that it is vulnerable, I was trying to solve my problem first before I do that.
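To put the answer and the comments together, here is a hardened delete_row.php as an added example (not the asker's code nor the answerer's). It keeps the page's config.php include and the module_lessons table, and assumes for illustration that a logged-in user is marked by $_SESSION['user_id'] and that lessons.php issued a per-session CSRF token in $_SESSION['csrf_token'] which the jQuery call sends back as a 'csrf' field; those session names are assumptions, not anything on the page. With the original string-built query, an id of 4' OR '1'='1 becomes DELETE FROM module_lessons WHERE lesson_id='4' OR '1'='1' and empties the table; binding the id as an integer parameter makes that impossible.

```php
<?php
// Hardened delete_row.php (added example, not the code from the question).
// Assumes, as on the page, that ../../../config.php defines $dbhost, $dbuser, $dbpass, $dbname.
// $_SESSION['user_id'] and $_SESSION['csrf_token'] are illustrative assumptions.
session_start();
include('../../../config.php');

header('Content-Type: application/json');

// 1. Only accept POST. A GET delete link is followed by crawlers and link prefetchers,
//    and can be triggered by any page that makes the victim's browser load the URL.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'POST required']);
    exit;
}

// 2. Require a logged-in user; otherwise anyone who finds the URL can delete rows.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'not logged in']);
    exit;
}

// 3. CSRF: the token posted with the request must match the one issued with the page.
//    hash_equals() compares in constant time.
if (!isset($_POST['csrf'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf'])) {
    http_response_code(403);
    echo json_encode(['error' => 'bad CSRF token']);
    exit;
}

// 4. Validate the id as a positive integer before it goes anywhere near SQL.
//    filter_input() returns null when the field is absent and false when it is not an int.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid id']);
    exit;
}

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);

// 5. Prepared statement: the id travels as a bound integer parameter and is never
//    spliced into the query text, so it cannot alter the WHERE clause.
$stmt = mysqli_prepare($con, 'DELETE FROM module_lessons WHERE lesson_id = ?');
mysqli_stmt_bind_param($stmt, 'i', $id);
mysqli_stmt_execute($stmt);
$deleted = mysqli_stmt_affected_rows($stmt);
mysqli_stmt_close($stmt);
mysqli_close($con);

// 6. Report how many rows were actually deleted, so the client can decide whether
//    to remove the table row instead of assuming every 2xx response means success.
echo json_encode(['deleted' => $deleted]);
```

On the jQuery side this means sending an object such as {id: id, csrf: token} as the data (jQuery encodes it as a POST body), and checking response.deleted in the success callback before calling fadeOut, since the original callback removes the row on any 2xx response even when nothing was deleted.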
