[Resolved] Help , Delete OP is deleting ALL Data

Sayian

I have a script that allow's user's to upload image's into albums.

The Album name , password , and title are stored in a table called albums.

But detail's about the physical path to the server and the image location's are stored in a table called upload_image_details.

User's can delete or edit thier albums using edit_album.php , But when the Delete OP is issued thru a Get command , If the user doesnt have any album's , then EVERY Record in the Entire upload_image_detail's table is being removed , all user's data get's deleted. Basiclly ... if the user hit's delete , and they dont have an album , the script doesnt find an album to delete , so it's removing all data in upload_image_details. Thier must be a fix for this .. Please help , below is the code

<?php
include("./admin/config.php");
include("$include_path/common.php");

global $HTTP_POST_VARS,$HTTP_GET_VARS,$HTTP_SESSION_VARS;

global $_SESSION;

if ($HTTP_POST_VARS!="")
$_POST=$HTTP_POST_VARS;

if ($HTTP_GET_VARS!="")
$_GET=$HTTP_GET_VARS;

if ($HTTP_SESSION_VARS!="")
$_SESSION=$HTTP_SESSION_VARS;

check_user_login();

if ($_GET['op'] == 'edit')

{
include("$include_path/$table_file");
include("$include_path/doc_head.php");
include("$include_path/styles.php");
include("$include_path/custom.php");
include ("Ads_new.php");

$album_results = mysql_query("SELECT * FROM $tb_albums WHERE user_id='".$_SESSION['userid']."' AND id='".$_GET['aid']."'");
$a_row = mysql_fetch_array($album_results);

$tpl->assign(array(
  'ALBUM_TITLE' => $a_row['title'],
  'ID' => $a_row['id']
));

$tpl->parse('CONTENT', 'albums_edit');
$content = $tpl->fetch('CONTENT');
$final_output = table(" Albums Management", $content);
$tpl->assign(array('CONTENT_TEXT' => $final_output));
$tpl->parse('PAGE', 'main');
$final_output = $tpl->fetch('PAGE');
$final_output = final_output($final_output);
include ("copy.php");

}
elseif ($POST['op'] == 'edit2')
{
if ($POST['title'])
{
if ($POST['password'] && !$POST['public'])
{
$pass = ",password='".$POST['password']."'";
}
elseif ($POST['public'])
{
$pass = ",password=''";
}
if (mysql_query("UPDATE $tb_albums SET title='".$POST['title']."'".$pass." WHERE user_id='".$SESSION['userid']."' AND id='".$POST['id']."'"))
{
header("Location: albums.php");
}
else
{
die(mysql_error());
}
}
}
// CODE THAT IS DELETING ALL DATA FROM UPLOAD_IMAGE_DETAILS if the user doesnt have an album
elseif ($GET['op'] == 'delete')
{
$pic_result = mysql_query("SELECT * FROM $tb_upload_image_details WHERE album_id='".$GET['aid']."'");
while ($p_row = mysql_fetch_array($pic_result))
{
$filename = "";
$res = mysql_query("select concat(id, '$id') as image, image_ext from $tb_users where id = '".$SESSION['userid']."'");
if ($data=mysql_fetch_row($res))
{
$filename=$data[0];
$extension=".".$data[1];
}
$file = $image_path . "/" . $filename;
$res = mysql_query("select ext from $tb_image_types");
$flag = 0;
while ($data = mysql_fetch_row($res))
{
$ext=$data[0];
$deletefile=$file.$p_row['total_file_count'].'.'.$ext;
if (@unlink($deletefile))
{
$extension1=".".$ext;
$flag++;
break;
}
}
mysql_query("DELETE FROM $tb_upload_image_details WHERE id='".$p_row['id']."'");
}
mysql_query("DELETE FROM $tb_albums WHERE id='".$GET['aid']."'");
header("Location: albums.php");
}
else
{
die("unknown operation");
}

saraadmin

What will $_GET['aid'] be if the user doesn't have an album?

Try adding debugging code to print all the SQL queries before they are executed to look for errors...

Sayian

Well , the default value in MySql if the user doesnt have an album is 0 , i should be able to just setup a IF command where if the value's return 0 , it exit's or dies , but im still kind of new at php , im not sure of the command , or where to place it.

sempuritoza

that command should be placed right after the query has been executed and if it returns a value that is 0 (the normal value that it will return if the user does not have an album) then the function there after should not be run.

this is not the correct way of solving the solution though, i would agree with the debuggin approach more. create a display variable and output all your queries to the screen and the variable values one by one go through the whoel process like that until you can find out what is the problem is.

Sayian

Im not sure of the command to use .. im very confused , could someone help me with the code to use to stop the script from executing if Album's return 0

Ravenous

<?php
include("./admin/config.php");
include("$include_path/common.php");

global $HTTP_POST_VARS, $HTTP_GET_VARS, $HTTP_SESSION_VARS;

global $_SESSION;

if ($HTTP_POST_VARS!="")
     $_POST=$HTTP_POST_VARS;

if ($HTTP_GET_VARS!="")
     $_GET=$HTTP_GET_VARS;

if ($HTTP_SESSION_VARS!="")
     $_SESSION=$HTTP_SESSION_VARS;

check_user_login();

if ($_GET['op'] == 'edit')
{
     include("$include_path/$table_file");
     include("$include_path/doc_head.php");
     include("$include_path/styles.php");
     include("$include_path/custom.php");
     include ("Ads_new.php");

 $album_results = mysql_query("SELECT * FROM $tb_albums WHERE user_id='".$_SESSION['userid']."' AND id='".$_GET['aid']."'");
 $a_row = mysql_fetch_array($album_results);

 $tpl->assign(array(
'ALBUM_TITLE' => $a_row['title'],
'ID' => $a_row['id']
));

 $tpl->parse('CONTENT', 'albums_edit');
 $content = $tpl->fetch('CONTENT');
 $final_output = table(" Albums Management", $content);
 $tpl->assign(array('CONTENT_TEXT' => $final_output));
 $tpl->parse('PAGE', 'main');
 $final_output = $tpl->fetch('PAGE');
 $final_output = final_output($final_output);
include ("copy.php");
}

elseif ($_POST['op'] == 'edit2')
{
     if ($_POST['title'])
     {
          if ($_POST['password'] && !$_POST['public'])
          {
               $pass = ",password='".$_POST['password']."'";
          }

      elseif ($_POST['public'])
      {
           $pass = ",password=''";
      }

      if (mysql_query("UPDATE $tb_albums SET title='".$_POST['title']."'".$pass." WHERE user_id='".$_SESSION['userid']."' AND id='".$_POST['id']."'"))
      {
header("Location: albums.php");
          }

      else
      {
           die(mysql_error());
      }
 }
}

// CODE THAT IS DELETING ALL DATA FROM UPLOAD_IMAGE_DETAILS if the user doesnt have an album
elseif ($_GET['op'] == 'delete')
{
     $pic_result = mysql_query("SELECT * FROM $tb_upload_image_details WHERE album_id='".$_GET['aid']."'");
     while ($p_row = mysql_fetch_array($pic_result))
     {
          $filename = "";
          $res = mysql_query("select concat(id, '_$id') as image, image_ext from $tb_users where id = '".$_SESSION['userid']."'");
          if ($data=mysql_fetch_row($res))
          {
               $filename=$data[0];
               $extension=".".$data[1];
          }
          $file = $image_path . "/" .    $filename;
          $res = mysql_query("select ext from $tb_image_types");
          $flag = 0;
          while ($data = mysql_fetch_row($res))
          {
               $ext=$data[0];
               $deletefile=$file.$p_row['total_file_count'].'.'.$ext;
               if (@unlink($deletefile))
               {
                    $extension1=".".$ext;
                    $flag++;
                    break;
               }
          }

 mysql_query("DELETE FROM $tb_upload_image_details WHERE id='".$p_row['id']."'");
 }

 mysql_query("DELETE FROM $tb_albums WHERE id='".$_GET['aid']."'");
header("Location: albums.php");
}

else
{
     die("unknown operation");
}

?>

Sayian

Thats the exact same code that i wrote. Thier's no changes to that code. , So what do you mean proper formatting?

Weedpacket

Originally posted by Sayian
Thats the exact same code that i wrote. Thier's no changes to that code. , So what do you mean proper formatting?

http://dictionary.reference.com/search?q=format

A plan for the organization and arrangement of a specified production.

The material form or layout of a publication.

Computer Science.

The arrangement of data for storage or display.

A method for achieving such an arrangement.

In other words, the way it's laid out differently. You didn't notice?

Sayian

You know , what i need is some help , Not a dictionary or people trying to reformat the way i write my code.

mtmosier

Originally posted by Sayian
You know , what i need is some help , Not a dictionary or people trying to reformat the way i write my code.

All Ravenous did was to wrap your code in [PHP] tags (with spacing) so that everyone could read it better. He was trying to make it easier for you to get help, since many people skip questions where the auther didn't bother (or know) to do it.

Sayian

Alright .. im sorry im just VERY confused , and This issue is Killing my site. Thanks for the Re-formatting. I understand the format is easier to read.

mtmosier

Originally posted by Sayian
could someone help me with the code to use to stop the script from executing if Album's return 0

I'm not sure I fully followed the conversation, but you basically just don't want to delete if the albumn id is 0?

elseif ($_GET['op'] == 'delete' && $_GET['aid'] != 0)

I don't get how that's causing the problem though.

Sayian

Basiclly , Thiers an option in the album edit page , Manage Photo's , Edit , And Delete. If they press the delete button , it send's the 'delete' op , and if the user doesnt have any album's , it's deleting Every single image entry in upload_image_details. Im just as confused as you are.

Weedpacket

Well, I don't see you doing any form input validation, so the contents of the $GET array could be anything - so it's anyone's guess what $GET['aid'] would be in that case; if it's empty then the first query under the delete operation would select from upload_image_details where album_id=''. And I don't know what significance that has in your database schema (given MySQL's poor grip on the concept of data integrity).

One thing that baffles me is the query

$res = mysql_query("select concat(id, '_$id') as image, image_ext from $tb_users where id = '".$_SESSION['userid']."'");

I don't see where "$id" is coming from.

Incidentally, it seems pretty clear that the only bit that actually needed to be posted was

elseif ($_GET['op'] == 'delete')
{
//.... this block
}

Save everyone having to trawl through all that other irrelevant stuff.

Oh, and you don't need those global declarations at the top, either.