Delete from sql database with javascript/php

**Kanie12** · 08-03-2009 04:38 AM

Hi! I have made a page which shows customers order info, trackingnr and so on. What I want is to be able to delete orders. I have already made a delete button but im unsure of the javascript code to remove ordres. I have the following code

Code:

<?php

class status {

    function status() {
    }
    
    
    function displayStatus() {    
        global $mysql;
        
        $user_id = $_SESSION['user_id'];
          $result = $mysql->query("SELECT ordrer.kunde_id, ordrer.status, ordrer.sporingsnummer, ordrer.dato, ordre_detaljer.id, ordre_detaljer.ordre_id, ordre_detaljer.varenavn FROM ordrer, ordre_detaljer WHERE ordrer.kunde_id='{$user_id}' and ordrer.ordre_id=ordre_detaljer.ordre_id limit 10");
        
    
          echo "<br />
          <br />
          <table width=\"800\" align=\"center\" style=\"font-size:13px;\">
          <tr style=\"font-size:;\">
              <td width=\"90\" align=\"center\"><b>Ordrenr</b></td> 
            <td width=\"120\" align=\"center\"><b>Ordrestatus</b></td>
            <td width=\"150\" align=\"center\"><b>Sporingsnummer</b></td>
            <td width=\"200\" align=\"center\"><b>Beskrivelse</b></td>
            <td width=\"100\" align=\"center\"><b>Dato</b></td>
            
            
        </tr>";
      
         while($row = mysql_fetch_array($result)) {
              echo "
              <tr>
                  <td align=\"center\">".$row["ordre_id"]."</td>
                  <td align=\"center\">".$row["status"]."</td>
                  <td align=\"center\">".$row["sporingsnummer"]."</td>
                  <td align=\"center\">".$row["varenavn"]."</td>
                  <td align=\"center\" style=\"font-size:12px;\">".$row["dato"]."</td>
                <td align=\"center\"><button type=\"button\" onclick=\"delete()\">Delete</button></td>
              </tr>";
        }
        echo "</table>";
        
    
      
    }

}
      
?>

and

delete.php

Code:

<?php
global mysql;
var $ordre_id = $_GET["oid"];
$mysql->query("DELETE FROM ordrer WHERE ordre_id='{$ordre_id}'");
$mysql->query("DELETE FROM ordre_detaljer WHERE ordre_id='{$ordre_id}'");

echo 'OK';
?>

**b3nj4m1n** · 08-03-2009 06:32 AM

You could do one of two things.

If you want to delete without reloading the page, then i would recommend that you get a javascript library with ajax capabilities, like jQuery

It will make your life alot easier, especially with big projects like a webshop.

(you could of course do it without a library, but you will need to spend some time getting familar with ajax)

Then you need to make a post to delete.php, with the order id, and a token for security check.

With jQuery, it would look like

Code:

function delete(order_id, token) {
$.ajax({
url: 'delete.php',
cache: false,
data: 'order_id=' + order_id + '&token=' + token,
type: 'POST',
success: function(response){alert('order deleted');}
});
}

If you want to do it without javascript (which would be alot easier) you simply make a link pointing to the page you are on, with a delete=order_id value

Code:

<a href='/yourpage/?delete={$order_id}'>Delete</a>

And then in the top of your page

Code:

if (isset($_REQUEST['delete'])) {$mysql->query("DELETE FROM ordrer WHERE ordre_id='{$_REQUEST['order_id']}'");
}

Of course you need some security check, but i figure that this is for the admin part of a site?

Btw, it's bad practice to mix danish and english in your code :-)
It would help you alot in the long run to stick to english, and only use danish when it's something users need to read.
Especially when you need support on a forum ;-)

Hope this helps, let me know if you need further explanations.

/Benjamin

**Kanie12** · 08-03-2009 10:34 AM

Thx for your reply Benjamin. Its actually norwegian

. I was thinking of translating before i posted but it was so much

.. I tried ur second suggestion (easy way). I am unsure if the if sentence is where it should be, u suggested top of the page. When i try the code i get " www.myshop.no/status/?delete= " in the URL and 404 error. Seems like it doesnt get the order id?

Here is the code now:

Code:

<?php

	if (isset($_REQUEST['delete'])) {$mysql->query("DELETE FROM ordrer WHERE ordre_id='{$_REQUEST['order_id']}'");
}
class status {

	function status() {
	}

	
	function displayStatus() {	
		global $mysql;
		
		$user_id = $_SESSION['user_id'];
	  	$result = $mysql->query("SELECT ordrer.kunde_id, ordrer.status, ordrer.sporingsnummer, ordrer.dato, ordre_detaljer.id, ordre_detaljer.ordre_id, ordre_detaljer.varenavn FROM ordrer, ordre_detaljer WHERE ordrer.kunde_id='{$user_id}' and ordrer.ordre_id=ordre_detaljer.ordre_id limit 10");
		
	  	
	  	echo "<br />
	  	<br />
	  	<table width=\"800\" align=\"center\" style=\"font-size:13px;\">
	  	<tr style=\"font-size:;\">
  			<td width=\"90\" align=\"center\"><b>Ordrenr</b></td>
	    	<td width=\"120\" align=\"center\"><b>Ordrestatus</b></td>
        	<td width=\"150\" align=\"center\"><b>Sporingsnummer</b></td>
        	<td width=\"200\" align=\"center\"><b>Beskrivelse</b></td>
        	<td width=\"100\" align=\"center\"><b>Dato</b></td>
			
			
        </tr>";
	  
	 	while($row = mysql_fetch_array($result)) {
		  	echo "
		  	<tr>
		  		<td align=\"center\">".$row["ordre_id"]."</td>
		  		<td align=\"center\">".$row["status"]."</td>
		  		<td align=\"center\">".$row["sporingsnummer"]."</td>
		  		<td align=\"center\">".$row["varenavn"]."</td>
		  		<td align=\"center\" style=\"font-size:12px;\">".$row["dato"]."</td>
				<td align=\"center\"><a href='/status/?delete={$order_id}'>Delete</a></td>
		  	</tr>";
		}
		echo "</table>";
		
	
	  
	}

}
	  
?>

**Kanie12** · 08-03-2009 10:52 AM

I changed the bottom code to

Code:

<td align=\"center\"><a href='/status/?delete={$row["ordre_id"]}'>Delete</a></td>

But i still get "www.myshop.no/status/?delete=2042" 404 not found. So it gets the right order nr but still doesnt work.. ?

**b3nj4m1n** · 08-03-2009 10:58 AM

Do you have rewrite-engine turned on?

If not, you will have to call status.php?delete=xxxx, instead of /status/?delete=xxxx

Remember that validation of the $_REQUEST parameter is CRUCIAL when you are doing database actions

Code:

if (isset($_REQUEST['delete'])) {
if (!eregi("[0-9]{4}", $_REQUEST['delete']) {die('Invalid ID');
} else {$mysql->query("DELETE FROM ordrer WHERE ordre_id='{$_REQUEST['order_id']}'");}
}

Edit: Ahh, i think i found the error.

Replace

Code:

$mysql->query("DELETE FROM ordrer WHERE ordre_id='{$_REQUEST['order_id']}'");

with

Code:

$mysql->query("DELETE FROM ordrer WHERE ordre_id='{$_REQUEST['delete']}'");

$_REQUEST['order_id'] was never set in the first place.
Either call it $_REQUEST['order_id'] or $_REQUEST['order_delete']

**Kanie12** · 08-03-2009 11:13 AM

Some other guy coded most of this page. When i am on status.php it says www.myshop.no/index.php?menu=status . So i am unsure of the url i have to type in href.

I also tried

Code:

<td align=\"center\"><a href='/index.php?delete={$row["ordre_id"]}'>Delete</a>

Then i got " Fatal error: Call to a member function query() on a non-object in /home/elitetgd/public_html/php/status.php on line 5"

**b3nj4m1n** · 08-03-2009 12:00 PM

You probably need it to be

Code:

<a href='/index.php?menu=status&delete={$row["ordre_id"]}'>Delete</a>

You should set a standard value for menu in the top of your page, so it will always be set (doesnt REALLY matter if its in the admin menu, but good practice anyways)

Top:

Code:

$menu = 'standard';

if (isset($_REQUEST['menu'])) {
if ($_REQUEST['menu'] == "something") $menu = "something";
if ($_REQUEST['menu'] == "somethingelse") $menu = "somethingelse";
}

include_once "{$menu}.php";

...or something like that

**Kanie12** · 08-03-2009 12:06 PM

I tried

Code:

<a href='/index.php?menu=status&delete={$row["ordre_id"]}'>Delete</a>

I press delete then i get:

URL = http://www.myshop.no/index.php?menu=status&delete=2042

"Fatal error: Call to a member function query() on a non-object in /home/elitetgd/public_html/php/status.php on line 5"

So url and orderid is correct but something wrong with sql ?

**b3nj4m1n** · 08-03-2009 12:10 PM

You could also consider doing something like this, if you have a lot of parameters in the URL

Code:

$query_str ="";

$count = count($_GET);
$i = 1;

foreach ($_GET AS $var => $val) {
		$query_str .="{$var}={$val}";
	
	if ($i != $count) $query_str .= "&";
	
	$i++;
}

And then just add extra parameters as needed, like

Code:

<a href='/index.php?{$query_str}&delete={$row['ordre_id']}'>Delete</a>

**Kanie12** · 08-03-2009 12:12 PM

It works now with
[CODE]function deleteOrder() {
global $mysql;
$user_id = $_SESSION['user_id'];
if (isset($_REQUEST['delete'])) {

$mysql->query("DELETE FROM ordrer WHERE ordre_id='{$_REQUEST['delete]}'");
$mysql->query("DELETE FROM ordre_detaljer WHERE ordre_id='{$_REQUEST['delete']}'");

}}[/CODE

**b3nj4m1n** · 08-03-2009 12:22 PM

No, it's the SQL statement, or the way you call the databse that is screwing around.
The last post was just a good thing to do under any circumstance :-)

Can you post the whole page? Or send me a pm with your gmail, skype or msn account, then i'll have a look!

**Kanie12** · 08-03-2009 12:24 PM

It works now with
[code]function deleteOrder() {
global $mysql;
$user_id = $_SESSION['user_id'];
if (isset($_REQUEST['delete'])) {

$mysql->query("DELETE FROM ordrer WHERE ordre_id='{$_REQUEST['delete]}'");
$mysql->query("DELETE FROM ordre_detaljer WHERE ordre_id='{$_REQUEST['delete']}'");

}}[/CODE

THX ALOT!

I would like to use

if (isset($_REQUEST['delete'])) {
if (!eregi("[0-9]{4}", $_REQUEST['delete']) {die('Invalid ID');} else {$mysql->query("DELETE FROM ordrer WHERE ordre_id='{$_REQUEST['delete']}'");}

but there seems to be a typo or something :P

**b3nj4m1n** · 08-03-2009 12:40 PM

Code:

if (isset($_REQUEST['delete'])) {if (!eregi("[0-9]{4}", $_REQUEST['delete'])) {die('Invalid ID');
} else {$mysql->query("DELETE FROM ordrer WHERE ordre_id='{$_REQUEST['delete']}'");}
}

...should do it :-)

Remember that the regular expression needs to be modified.

[0-9] means that it has to be characters between 0 and 9, and {4} means that it has to be precisely 4 characters long.
So if you plan on having e.x between 4 and 6 characters, you could say "[0-9]{4,6}"

You should read a bit about regular expressions, it is very important for security to double check every value coming from the outisde of your script.
Especially with a web shop.

**Kanie12** · 08-03-2009 01:07 PM

That worked perfectly

.. But now anyone can delete an order if the order exists and just change number in url "http://www.myshop.no/index.php?menu=status&delete=2266" . So i was thinking i need to increase security by checking if an order belongs to that user which is logged in. For that i need to first fetch all orders from the user and the compare somehow right ? I already have code for fetching orders

Code:

$result = $mysql->query("SELECT ordrer.kunde_id, ordrer.status, ordrer.sporingsnummer, ordrer.dato, ordre_detaljer.id, ordre_detaljer.ordre_id, ordre_detaljer.varenavn FROM ordrer, ordre_detaljer WHERE ordrer.kunde_id='{$user_id}' and ordrer.ordre_id=ordre_detaljer.ordre_id limit 10");

**b3nj4m1n** · 08-03-2009 05:48 PM

This should help:

Code:

if (isset($_SESSION['user']['id'])) {if (isset($_REQUEST['delete'])) { if (!eregi("[0-9]{4}", $_REQUEST['delete'])) { die('Invalid ID');
} else {
$order = $mysql->query("SELECT user_id FROM ordrer WHERE ordre_id='{$_REQUEST['delete']}'"); 

if (isset($order['ordre_id']) && $order['ordre_id'] == $_SESSION['user_id']) {$mysql->query("DELETE FROM ordrer WHERE ordre_id='{$_REQUEST['delete']}'");
}
}
}
}

And then of course something like this

Code:

<td align=\"center\">".(isset($_SESSION['user_id']) && $_SESSION['user_id'] == $row['user_id'] ? "<a href='/index.php?menu=status&delete={$row['ordre_id']}'>Delete</a>" : "&nbsp;")."
</td>

Thread: Delete from sql database with javascript/php

Thread Tools

Display

Delete from sql database with javascript/php

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions