Hi there,
I am trying to implement a confirmation dialog box before deleting a record in a table that I have.
I created a MySQL table called manager with columns:
Table manager
managerID
firstName
lastName
Department

I use a while loop to display the records of every manager in the database, with a "delete this manager" link next to each record.
If the user clicks "delete this manager", an HTML form is called prompting the user if he indeed wants to delete that manager.
If yes, I get the following error:

Error deleting manager: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use near '' at line 2

Here are extracts of my code:

<?php
$result = @mysql_query('SELECT managerID,FirstName,LastName,Department FROM manager');
 if (!$result) {
   exit('<p>Error performing query: ' .
       mysql_error() . '</p>');
 }

while ($row = mysql_fetch_array($result)) {
	$managerID = $row['managerID'];
	$FirstName = $row['FirstName'];
	$LastName = $row['LastName'];

$Department = $row['Department'];

echo "<tr><td>";
echo $managerID;
echo "</td><td>";
echo $FirstName;
echo "</td><td>";
echo $LastName;
echo "</td><td>";
echo $Department;
echo "</td><td>";

echo "<a href='delete_manager.php?mGinNo=$mGinNo'>Delete this manager</a>";
echo "</td></tr>";

}//end of while-loop
?>

Extracts of delete_manager.php:

<html>

<p>Are you sure you want to delete this manager?</p>

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
   Your choice: <input type="radio" name="choice" value="yes"> Yes <input type="radio" 

name="choice" value="no" /> No
    <button type="submit">Send</button>
</form>

<?php

// Connect to the database server.
// Select the trainee_allocation database

  require('connectdatabase.inc.php');

if (isset($_POST['choice']) ) {
    switch($_POST['choice']) {
        case 'yes':
            /// Code here

  $mGinNo = $_POST['mGinNo'];

  $sql = "DELETE FROM manager
            WHERE mGinNo=$mGinNo";

     if (@mysql_query($sql)) {
       echo '<p>The manager has been deleted.</p>';
     } else {
       echo '<p>Error deleting manager: ' .
           mysql_error() . '</p>';
     }
        break;
    case 'no':
        /// Code here

        break;
    default:
        /// Error treatment

        break;
}
}
else {
    // error treatment
   echo "error";
}

?>
</html>

Could anyone have a look at my code and tell me what I am doing wrong?
Thank you

    One important thing:
    if you send variables with a URL, you get their values in the $_GET array.
    You'd better do the delete function with a POST method, it's safer;
    just think of it, I can "click" with a machine on your delete ID's link.

    You navigated the user to a form asking yes or no, but you should insert the $_POST['mGinNo'] value into a hidden field in the form to store the ID for destroying 🙂 As I explained, $_POST["mGinNo"] is $_GET["mGinNo"] in your code.
    Try to use different variable names.

    The best you can do while you're troubleshooting is to switch ON error reporting;
    it will tell you about undefined variables in line XX and line XX.

    error_reporting(E_ALL);
    ini_set("display_errors", 1);

    However, your program is then working, but do not trust the user inputs.

    How to prevent your database from harmful SQL injections?

    If you handle INTEGER types, you can use a cast method:

    if (!isset($_POST['mGinNo'])) {
        die("ID is missing!");
    } else {
        $mGinNo = (int)$_POST['mGinNo'];  // this (int) cast converts your data into an integer
    }

    In other cases the mysql_real_escape_string() function should be used.

    hello, jjozsi.

      djjjozsi,
      Could you please send some code of the explanation you gave me?
      I used the type-casted statement you showed me, now I no longer get the error message. I now get the following message: The manager has been deleted.
      But it does not delete. Any ideas?

        In the while loop where you build the link, you put the wrong ID:

        instead of this:

        echo "<a href='delete_manager.php?mGinNo=$mGinNo'>Delete this manager</a>";

        use:

        	echo "<a href='delete_manager.php?mGinNo=$managerID'>Delete this manager</a>";

        Before you delete a row, check if it exists.

          Hi there,
          After getting some help, I managed to get it working. It is working fine, deleting without any problems.
          I had to use hidden input in the form and got it working. Thank you everyone for all the input and help.
          Here is the code (I decided to use 3 files):
          Main file (manager.php):

          <?php
          //connect to the database
          
          $result = @mysql_query('SELECT managerID,FirstName,LastName,Department FROM manager');
           if (!$result) {
             exit('<p>Error performing query: ' .
                 mysql_error() . '</p>');
           }
          
          while ($row = mysql_fetch_array($result)) {
          	$managerID = $row['managerID'];
          	$FirstName = $row['FirstName'];
          	$LastName = $row['LastName'];
          
          $Department = $row['Department'];
          
          echo "<tr><td>";
          echo $managerID;
          echo "</td><td>";
          echo $FirstName;
          echo "</td><td>";
          echo $LastName;
          echo "</td><td>";
          echo $Department;
          echo "</td><td>";
          
          echo "<a href='delete_manager.php?managerID=$managerID'>Delete this manager</a>";
          echo "</td></tr>";
          
          }//end of while-loop
          ?>
          

          Extracts of delete_manager.php:

          <html>
          
          <p>Are you sure you want to delete this manager?</p>
          
          <form action="manager_deleted.php" method="post">
             Your choice: <input type="radio" name="choice" value="yes"> Yes <input type="radio" 
          
          name="choice" value="no" /> No
          <input type="hidden" name="managerID" id="managerID" value="<?php /* integer cast keeps markup from the URL out of the attribute */ echo (int)$_REQUEST['managerID']; ?>">
              <button type="submit">Send</button>
          </form>
          
          </html>
          

          Extracts of manager_deleted.php:

          <?php
          
          // Connect to the database server.
          // Select the trainee_allocation database
          
            require('connectdatabase.inc.php');
          
          if (isset($_POST['choice']) ) {
              switch($_POST['choice']) {
                  case 'yes':
                      /// Code here
          
          	$managerID = (int)$_POST['managerID'];
          
          	$sql = "DELETE FROM manager
             			WHERE managerID=$managerID";
          
          	if (@mysql_query($sql)) {
          	 	echo '<p>The manager has been deleted.</p>';
           	} else {
          	 	echo '<p>Error deleting manager: ' .
           	   	 mysql_error() . '</p>';
          	}
                  break;
              case 'no':
                  /// Code here
          
                  break;
              default:
                  /// Error treatment
          
                  break;
          }
          }
          else {
              // error treatment
          
          }
          
          ?>
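
Added example, not part of any post in this thread: the confirmed delete from manager_deleted.php rewritten with a PDO prepared statement, strict ID validation and a row-count check, covering the advice above about untrusted input and about checking that the row exists. It assumes PDO with an in-memory SQLite table standing in for the MySQL database; the function name deleteManager and the sample rows are constructed for illustration.

```php
<?php
// Added example: constructed data, in-memory SQLite via PDO so it runs offline.
// With MySQL only the DSN changes; the prepared statement stays the same.

function deleteManager(PDO $pdo, array $post): string
{
    if (($post['choice'] ?? '') !== 'yes') {
        return 'cancelled';
    }
    // FILTER_VALIDATE_INT rejects "1 OR 1=1"; an (int) cast would turn it into 1
    // and delete a row the user never asked for.
    $id = filter_var($post['managerID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        return 'invalid id';
    }
    // The ID travels as a bound parameter, never as part of the SQL text.
    $stmt = $pdo->prepare('DELETE FROM manager WHERE managerID = :id');
    $stmt->execute([':id' => $id]);
    // A DELETE that matches no row still succeeds; rowCount() tells them apart.
    return $stmt->rowCount() === 1 ? 'deleted' : 'no such manager';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE manager (managerID INTEGER PRIMARY KEY,
            firstName TEXT, lastName TEXT, Department TEXT)');
$pdo->exec("INSERT INTO manager VALUES (1, 'Ann', 'Lee', 'IT'), (2, 'Bob', 'Ray', 'HR')");

// Constructed stand-ins for $_POST as sent by the confirmation form.
$cases = [
    ['choice' => 'yes', 'managerID' => '2'],
    ['choice' => 'yes', 'managerID' => '2'],        // same ID submitted twice
    ['choice' => 'yes', 'managerID' => '1 OR 1=1'], // non-integer input
    ['choice' => 'yes'],                            // hidden field missing
    ['choice' => 'no',  'managerID' => '1'],
];
foreach ($cases as $post) {
    echo json_encode($post), ' => ', deleteManager($pdo, $post), PHP_EOL;
}
echo 'rows left: ', $pdo->query('SELECT COUNT(*) FROM manager')->fetchColumn(), PHP_EOL;
```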
          
            6 days later

            nice!

            If you think this problem has been solved, please mark this thread as solved in the thread tools.

            hello,jjozsi
