Deleting SQL rows using PHP Commands

mrcarmine

Hi, could anyone please help me and see what I am doing wrong, I am trying to create a delete function which will delete the specified record a user clicks the 'delete button' on.

This is my code

<html>
<head>
<title>Customers</title>
</head>
<body>

<h1>Customers</h1>

<?php

// This is a sample PHP form for editing the contents of a table.
// It provides simple "CRUD" (Create, Read, Update, Delete)
// functionality, but no error trapping, search/sort facilities,
// paging, or other goodies. 'Delete' is left as an exercise
// for the reader.

// Incorporate application-specific database connection functions.
require "./DBConn.inc";

// Display contents of table
function present_list()
{
$res = mydb_connect();
if (!$res)
echo "Connection unsuccessful!";
else {
$cur = mydb_exec( $res, "select * from customers order by name" );

if (!$cur)
echo "Query failed.";
else {
echo "<p><table border=1>";
echo "<tr><th>NAME</th><th>ADDRESS</th><th>PHONE</th><th></th></tr>";
while (odbc_fetch_row($cur)) {
$pk = odbc_result($cur, "name"); // obtain primary key
echo "<tr>";
echo "<td>" . $pk . "</td>";
echo "<td>" . odbc_result($cur, "address") . "</td>";
echo "<td>" . odbc_result($cur, "phone") . "</td>";
echo "<td>";
$encodedPK = urlencode($pk);
echo " <a href=\"CustomerIndex1.php?command=update&pk=$encodedPK\">Update</a>";
echo " <a href=\"CustomerIndex1.php?command=delete&pk=$encodedPK\">Delete</a>";
echo "</td>";
echo "</tr>";
}
echo "</table>";
echo "<a href=\"CustomerIndex1.php?command=insert\">New</a>";
}
}
}

// Display form contents
function present_form_body() {
?>
Name: <input type="text" name="name" value="<?php echo $GLOBALS['name'] ?>">
<p>Address: <textarea name="address" rows="5" cols="60"><?php echo $GLOBALS['address'] ?></textarea>
<p>Phone: <input type="textbox" name="phone" value="<?php echo $GLOBALS['_phone'] ?>">
<p><input type="submit" value="Submit">
<?php
}

// Display blank form for user to insert.
function present_insert_form() {
echo "<form method=\"post\" action=\"CustomerIndex1.php?command=insert_process\">";
present_form_body();
echo "</form>";
}

// Process insertion request from $POST form contents
function insert_process() {
$res = mydb_connect();
if (!$res)
echo "Connection unsuccessful!";
else {
$query = "insert into customers(name, address, phone) values (";
$query .= "'" . $POST["name"] . "', ";
$query .= "'" . $POST["address"] . "', ";
$query .= "'" . $_POST["phone"] . "'";
$query .= ")";
// echo $query;
$cur = mydb_exec( $res, $query);

if (!$cur)
echo "Operation failed.";
else
echo "Your details have been recorded!";
}
echo "<p>";
present_list();
}

// Display form for user to update, with default values set
// from row specified by the primary key
function present_update_form() {
// Obtain details about row specified in pk
$res = mydb_connect();
if (!$res)
echo "Connection unsuccessful!";
else {
$pk = $GET["pk"];
$query = "select * from customers where name='$pk'";
// echo $query;
$cur = mydb_exec( $res, $query );

if (!$cur)
echo "Query failed.";
else {
if (odbc_fetch_row($cur)) {
echo "<form method=\"post\" action=\"CustomerIndex1.php?command=update_process\">";
$GLOBALS["name"] = odbc_result($cur, "name"); // obtain row/column values
$GLOBALS["address"] = odbc_result($cur, "address");
$GLOBALS["phone"] = odbc_result($cur, "phone");
// Display form body
present_form_body();
echo "<input type=\"hidden\" name=\"pk\" value=\"$pk\">";
echo "</form>";
} else
echo "Unable to retrieve record.";
}
}
}

// Perform update based on $POST form contents
function update_process() {
$res = mydb_connect();
if (!$res)
echo "Connection unsuccessful!";
else {
$pk = $POST["pk"];
$query = "update customers set ";
$query .= "name = '" . $POST["name"] . "', ";
$query .= "address = '" . $POST["address"] . "', ";
$query .= "phone = '" . $POST["phone"] . "' ";
$query .= "where name = '$pk'";
// echo $query;
$cur = mydb_exec( $res, $query);

if (!$cur)
echo "Operation failed.";
else
echo "Your changes have been recorded!";
}
echo "<p>";
present_list();
}

// Ask user if he or she is sure about this...
function present_delete_confirmation() {
$pk = $_GET["pk"];
echo "Are you sure you wish to delete '$pk'?";
echo "<p><a href=\"CustomerIndex1.php?command=delete_confirmed&pk=$pk\">Yes</a> ";
echo "<a href=\"CustomerIndex1.php\">No</a>";
}

// Perform deletion.
function delete_process() {
$res = mydb_connect();
if (!$res)
	echo "Connection Unsuccessful!";

else {
	$pk = $_POST['pk'];
	$query = "DELETE FROM customers WHERE name ='$pk'";
// echo $query;
$cur = mydb_exec( $res, $query);

if (!$cur)
echo "Operation failed.";
else
echo "record deleted!";
	}

echo "<p>";
present_list();[/B]
}

// The '@' symbol before the line ensures that no warning will be
// displayed if $GET["command"] doesn't exist yet.
@ $command = $GET["command"];

switch ($command) {
case "insert":
present_insert_form();
break;
case "insert_process":
insert_process();
break;
case "update":
present_update_form();
break;
case "update_process":
update_process();
break;
case "delete":
present_delete_confirmation();
break;
case "delete_confirmed":
delete_process();
break;
default:
present_list();
}

?>

</body>
</html>

I have highlighted the main area you need to check, the code compiles successfully and gives me a 'record deleted!' confirmation, but the record is still there! Please help it is driving me up the wall!

rincewind456

Function looks OK, are you absolutely sure that the record you are trying to delete is there? because if you try to delete a record that isn't there you won't get an error, just an empty result set.

Echo your query out then copy and paste into the command line or phpmyadmin or similar to see if it works that way.

mrcarmine

Yeah the record is there.

For example, if I want to delete a record called 'Andy' , I press the delete buttion next to it, the Url looks then like this

http://commerce1.leicester.ac.uk/0020932029/crud01/CustomerIndex1.php?command=delete&pk=Andy

Which tells me that it has sent the PK to 'Andy' . It then Asks me if I am sure I want to delete 'Andy' to which I click 'Yes'. Url changes to this

http://commerce1.leicester.ac.uk/0020932029/crud01/CustomerIndex1.php?command=delete_confirmed&pk=Andy

I get the "record deleted"! message at the top of the table, but the record is still there!!!! Look:

rincewind456

Yes but like I said even if the delete statement is for a nonexistent record you will still get a record deleted message.

You need to do as I said and confirm through a cli or phpmyadmin, becuase if your database stores andy and you try to delete Andy then you will get a record deleted message, if you copy and paste to the cli then you will see if you are getting an empty result set.

You have to start the debugging process somewhere, and most problems like this are because the values being passed are not the same as those in the database, so if you eliminate this possibility you can start looking elsewhere.

johanafm

You should also get rid of the error supression operator '@' in your code. You can use if (isset($GET['key'])) instead of @$var = $GEt['key'];

Furthermore, to see both what happens when you don't properly sanitize user input and make sure you delete something (actually, delete EVERYTHING) from your table, try this input

andy' or name like '&#37;

which will become

$pk = "andy' or name like '%";
$query = "DELETE FROM customers WHERE name ='andy' or name like '%'";

And last of all, in case you have actually tested rincewind's suggestion, you claim that you have an URI with a query string like http://commerce1.leicester.ac.uk/002...firmed&pk=Andy
yet the only form in your posted code has method="post" and you are actually checking $POST, not $GET.

mrcarmine

rincewind456;10931275 wrote:
Yes but like I said even if the delete statement is for a nonexistent record you will still get a record deleted message.

You need to do as I said and confirm through a cli or phpmyadmin, becuase if your database stores andy and you try to delete Andy then you will get a record deleted message, if you copy and paste to the cli then you will see if you are getting an empty result set.

You have to start the debugging process somewhere, and most problems like this are because the values being passed are not the same as those in the database, so if you eliminate this possibility you can start looking elsewhere.

I have downloaded PhpMyAdmin but it looks quite daunting. I think I am just gonna ask my lecturer, thanks for the help however.

rincewind456

There is also Mysql GUI tools which you download and install as normal.

Or if you use Linux open a terminal and type

mysql -uUSERNAMEHERE -p

then after you enter your password copy and paste the query in.

You can do the same in Winblows if you installed the CLI when you installed MySql it will be in the program group for mysql in your start menu.