cuttone

confirm delete code in php

Our content management page has a delete link for deleting content. Problem is it is too easy to accidentally delete something.

We'd like to have a popup that asks confirm delete before the deletion is actually accomplished.

This is the code:
if ($action == "delete") {
        $sql_delete="DELETE FROM $table_articles WHERE article_id='$article_id'";
        $result = mysql_query($sql_delete);
        if ($result) { echo "Article Deletion Successful"; }
        else { echo "There was a problem with your submission<br>".(mysql_error($link)); }
}

AND THE CODE AT THE DELETE BUTTON
<a href="<?echo $PHP_SELF;?>?action=delete&article_id=<? echo $news['article_id']; ?>">delete</a>

VanHackman


You need a little bit of JavaScript.

Change your delete link to:

<a href="#" onClick="delete();">delete</a>

And add the JavaScript Function to the page:

Merry Christmas!!
<script language="Javascript">

function delete()
{
 
answer = confirm("Do you really want to delete the content.");
 
if (answer) {
 
// Deleting...

  DeleteScript = '<?echo $PHP_SELF;?>?action=delete&article_id=<? echo $news['article_id']; ?>';
  document.location.href = DeleteScript;
 
}
 else {

  // Nothing...

 }

}
</script>

cuttone

ASKER

I am not clear on the delete link. Using the given link as it is written
<a href="#" onClick="delete();">delete</a>

Not only does not provide the confirm popup, but it also does not delete the article.
ASKER CERTIFIED SOLUTION
hsq91

This solution is only available to members.

Sorry, I made a small mistake in the PHP line.

The link in your script must be:

<a href="javascript:void(0)" onclick="DeleteArticle()">delete</a>

And the JavaScript Function:

<script language="javascript">

function DeleteArticle()
{
  // confirm() returns true for OK and false for Cancel.
  var Answer = confirm("Do you really want to delete the content?");

  if (Answer) {
    // Deleting...
    alert('Ok, Lets Delete the Article...');
    // The PHP output must be quoted so the browser sees a JavaScript string.
    var DeleteScript = '<?php echo ($PHP_SELF."?action=delete&article_id=".$news['article_id']); ?>';
    document.location.href = DeleteScript;
  }
  else {
    // Nothing...
    alert('Dont worry, Nothing happen...');
  }

  return true;
}
</script>

I attached the full and functional example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Delete Confirmation With JavaScript by VanHackman</title>
</head>

<body>

<a href="javascript:void(0)" onclick="DeleteArticle()">delete</a>

</body>

 <script language="javascript">

function DeleteArticle()
{
  // confirm() returns true for OK and false for Cancel.
  var Answer = confirm("Do you really want to delete the content?");

  if (Answer) {
    // Deleting...
    alert('Ok, Lets Delete the Article...');
    //var DeleteScript = '<?php echo ($PHP_SELF."?action=delete&article_id=".$news['article_id']); ?>';
    var DeleteScript = 'TheDeleteURl.html'; // Delete this line and un-comment the line above.
    document.location.href = DeleteScript;
  }
  else {
    // Nothing...
    alert('Dont worry, Nothing happen...');
  }

  return true;
}
</script>

</html>


Line 10 of the original post violates one of the cardinal rules of HTTP.  You must not modify the data model on the basis of a GET request.  In other words, you want to recode this so you use a POST request to delete the records.

Why?  Glad you asked!  It's all about RFC2616...

Imagine what would happen if a search engine spidered that page?  It would prefetch all the delete pages and your database would wind up empty.  Of course it does not have to be a search engine. It could be a hacker, too.

I would not rely on JavaScript for this, since search engines and hackers do not care about JavaScript - they will plow through the page anyway.  The best strategy is to rewrite, using the POST method and perhaps adding a confirm step to the server-side script.

Some refs to help you understand the difference between GET and POST:
http://www.cs.tut.fi/~jkorpela/forms/methods.html#fund
http://www.velocityreviews.com/forums/t61534-question-get-vs-post-method.html
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

best of luck with it, ~Ray
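
The approach described in the post above (delete only on POST, with the check done server-side), sketched in PHP as an added example that is not code from the thread or from the CMS. It goes one step further by binding the id as a query parameter and requiring a per-session token; the `articles` table, the `is_admin` and `csrf` session keys and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example. Assumed names: "articles" table, "is_admin" and "csrf" session keys.
function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// A small POST form replaces the GET link; confirm() is only a convenience for the user.
function delete_form(int $id, string $token): string {
    return '<form method="post" onsubmit="return confirm(\'Delete this article?\');">'
         . '<input type="hidden" name="action" value="delete">'
         . '<input type="hidden" name="article_id" value="' . $id . '">'
         . '<input type="hidden" name="csrf" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
         . '<button type="submit">delete</button></form>';
}

// Returns an HTTP status code; the row is deleted only on the 200 path.
function handle_delete(PDO $pdo, string $method, array $post, array $session): int {
    if ($method !== 'POST') {
        return 405; // links, crawlers and prefetchers issue GET and change nothing
    }
    if (empty($session['is_admin'])) {
        return 403; // not a logged-in administrator
    }
    $sent = $post['csrf'] ?? '';
    if (empty($session['csrf']) || !is_string($sent) || !hash_equals($session['csrf'], $sent)) {
        return 403; // request did not come from a form served to this session
    }
    $id = filter_var($post['article_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 400;
    }
    // Bound parameter instead of interpolating $article_id into the SQL string.
    $stmt = $pdo->prepare('DELETE FROM articles WHERE article_id = ?');
    $stmt->execute([$id]);
    return $stmt->rowCount() === 1 ? 200 : 404;
}

// Constructed demo data: in-memory SQLite stands in for the CMS database.
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE articles (article_id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO articles VALUES (1, 'Sample article')");
$session = ['is_admin' => true];
$token = csrf_token($session);
echo handle_delete($pdo, 'GET', ['article_id' => '1'], $session), "\n";
echo handle_delete($pdo, 'POST', ['article_id' => '1', 'csrf' => 'x'], $session), "\n";
echo handle_delete($pdo, 'POST', ['article_id' => '1', 'csrf' => $token], $session), "\n";
```

In a real page, `handle_delete()` would be called with `$_SERVER['REQUEST_METHOD']`, `$_POST` and `$_SESSION` after `session_start()`.
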
Ray, if I may point out, normally, reliable Content Management Systems (CMS), as the author has mentioned, will only serve delete links to logged-in site administrators (who possess the appropriate session data), and will block delete requests that originate from non-site admins (who do not possess the appropriate session data), such as hackers and search engines. So, it is clearly not the responsibility of the author to worry about the "[violation of] one of the cardinal rules of HTTP," or the like, as it's supposed to be only a concern for the CMS systems designers!

I understand your point.  Let me respond this way.  If a programmer came to me looking for a job and showed a code sample that modified the data model on the basis of a GET request, she would not get the first interview, full stop.  Ignorance of the danger is the only way I can interpret such a thing.  What if her code library was one day borrowed by a junior developer?  It's a danger I cannot risk.

Even if you're using a password challenge to make your page "invisible" to hackers, it seems like a poor idea to ignore the RFCs - they exist for good reason.

Best to all, ~Ray

"If a programmer came to me looking for a job..."
- Well, in my opinion, CMS are originally intended for non-programmers; otherwise, the programmers will most likely invent their very own, much more controllable CMS, or simply edit content by hard-coding.

Also, on your preceding comment: "I would not rely on JavaScript for this"
- Didn't you see that the author's not using JavaScript to delete the items? Didn't you read that the author wanted a "popup" for delete confirmation? JavaScript doesn't have anything to do with the "dangers" of the CMS core system, it is only an enhancer here; in addition, the fact that "search engines and hackers do not care about JavaScript - they will plow through the page anyway" will be countered by the login system--which normally uses a "POST" and just about all site use it, even Experts-Exchange, right?

So, instead of just critiquing the author to improve his/her "data model," why didn't you provide a better solution (or closely related links), then? I know of the alternative that may satisfy your "POST" requirement--while still satisfying the author's original request--but that's not what the author originally asked for; again, if you think you have the better solution, then please do provide your solution, instead of just "talking sweetly with nothing meaningful."

@hsq91, Limited Member:  I see you are relatively new here.  Welcome to EE.  It is a community of volunteers where we share ideas and support one another in a rather communist style, from each according to his ability, etc.  Advice is not the same as criticism, and sometimes we find askers who have posted a question that is the computer equivalent of "Can I use water instead of oil to lubricate my engine?"  In these cases it's my practice to try to share some background information on the subject so that instead of just saying "No" (factually correct, and yet not a very helpful answer) we can generate some dialog and maybe create some understanding.

In the instant case, I believe that RFC2616 should be a part of the Asker's understanding and consideration, and that's why I draw attention to it.  I'm by no means flawless, and while I often answer questions with complete and tested code samples, sometimes I do not.  It depends on time and workload, eh?

Best regards for a healthy and prosperous New Year, ~Ray

cuttone

ASKER

Wow, I didn't intend for the question to turn into a shouting match.

I appreciate all the input. To comment on Ray Paseur's input, I did not write the CMS. A long since disappeared developer did. I know enough to look under the hood and change the oil, but not to rebuild the engine. So for now, I think I will probably try to implement the original solution and see if that works for now.

@cuttone: Did you try my code?

MSG ID: 26121055

cuttone

ASKER

I have not yet had a chance to work on it, but I will. Thanks

cuttone, for "confirm delete code," all you need is my concise JavaScript function:

function confirmDeletion(){
var MESSAGE="Are you sure you want to permanently delete this article?";

return confirm(MESSAGE); // Will return true (proceed to deletion) or false (halt deletion), depending on button clicked (such as "OK" or "Cancel" or the "X" button)
}

Check out my MSG ID: 26121642 for details on how to implement this function in 2 ways.

Well, so far, I've provided the most concise, thoroughly-tested JavaScript function, introduced at http:#a26121642 and emphasized at http:#a26148488, that satisfies the author's original requirements. I've also provided detailed explanations of my codes where I've introduced them, also at http:#a26121642; moreover, I've introduced and explained, also at http:#a26121642, a second alternative way of coding the code for the author to choose from and use as well.

If you ask for my closing recommendations, of course I'll say give me the accepted solution! You can simply compare my codes (and effort that I put in) with the other codes provided by the other "experts" and test all the codes to see, for yourself, which one the author would most likely pick.

Thanks to you all, and I hope that the author or the admins will wisely close this question.

cuttone

ASKER

To all those who provided input and especially hsq91, thanks for the help. Sorry it took so long to accept, but desktop crashed in December and have been working to rebuild and recover data, so these web fixes were on the backburner.

Wow, thanks for your quick action, cuttone!