  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 879

confirm delete code in php

Our content management page has a delete link for deleting content. Problem is it is too easy to accidentally delete something.

We'd like to have a popup that asks confirm delete before the deletion is actually accomplished.

This is the code:
if ($action == "delete") {
        $sql_delete="DELETE FROM $table_articles WHERE article_id='$article_id'";
        $result = mysql_query($sql_delete);
        if ($result) { echo "Article Deletion Successful"; }
        else { echo "There was a problem with your submission<br>".(mysql_error($link)); }


AND THE CODE AT THE DELETE BUTTON
<a href="<?echo $PHP_SELF;?>?action=delete&article_id=<? echo $news['article_id']; ?>">delete</a>


0
cuttone
Asked:
1 Solution
 
VanHackman Commented:

You need a little bit of JavaScript.

Change your Delete Link for:

<a href="#" onClick="delete();">delete</a>

And add the JavaScript Function to the page:

Merry Christmas!!
<script language="Javascript">

function delete()
{
 
answer = confirm("Do you really want to delete the content.");
 
if (answer) {
 
// Deleting...

  DeleteScript = '<?echo $PHP_SELF;?>?action=delete&article_id=<? echo $news['article_id']; ?>';
  document.location.href = DeleteScript;
 
}
 else {

  // Nothing...

 }

}
</script>


0
 
cuttone (Author) Commented:
I am not clear on the delete link. Using the given link as it is written
<a href="#" onClick="delete();">delete</a>

Not only does it not provide the confirm popup, but it also does not delete the article.
0
 
hsq91 Commented:
2 ways:
#1. Simple way (you have to keep assigning "onclick" attribute to all your additional links):
- The HTML (note that I've changed your "&article_id" to "&amp;article_id" ... this is for valid (X)HTML coding):
<a href="<?echo $PHP_SELF;?>?action=delete&amp;article_id=<? echo $news['article_id']; ?>" onclick="return confirmDeletion();">Delete this article</a>

- The JavaScript:
<script type="text/javascript"><!--// Hide script from validators and old browsers --><![CDATA[

function confirmDeletion(){
var MESSAGE="Are you sure you want to permanently delete this article?";

return confirm(MESSAGE); // Will return true (proceed to deletion) or false (halt deletion), depending on button clicked (such as "OK" or "Cancel" or the "X" button)
}

// End hiding ]]></script>

#2. More complex, yet simpler for the HTML, and module-like way:
Here's an unobtrusive JavaScript that you may consider, which will also make it extremely easy for you to apply to more than 1 delete link in the HTML.
- The HTML:
Simply assign a class="confdel" attribute in ANY/ALL your delete links:
<a href="<?echo $PHP_SELF;?>?action=delete&amp;article_id=<? echo $news['article_id']; ?>" class="confdel">Delete this article</a>
<a href="<?echo $PHP_SELF;?>?action=delete&amp;article_id=<? echo $news['article_id']; ?>" class="confdel">Also delete this article</a>
<a href="<?echo $PHP_SELF;?>?action=delete&amp;article_id=<? echo $news['article_id']; ?>" class="confdel">And this article</a>

- The (unobtrusive) JavaScript:
<script type="text/javascript"><!--// Hide script from validators and old browsers --><![CDATA[

window.onload=registerDeleters;

// - OR - (Only use EITHER of above or below, NOT BOTH)

window.onload=
function (){
registerDeleters();
// Do other onload tasks
};

function registerDeleters(){
var deleters="confdel"; // The value of the class attribute of the delete links
deleters=new RegExp("\\b"+deleters+"\\b","i"); // Convert to class, insensitive search pattern
   for (var i=0,obj=document.getElementsByTagName("a"),l=obj.length;i<l;i++){
      if (deleters.test(obj[i].className)){ // If the link's class attribute contains the same word as "deleters"
      obj[i].onclick=function(){return confirmDeletion();}; // Then assign an confirmation onclick handler
      }
   }
}

function confirmDeletion(){
var MESSAGE="Are you sure you want to permanently delete this article?";

return confirm(MESSAGE); // Will return true (proceed to deletion) or false (halt deletion), depending on button clicked (such as "OK" or "Cancel" or the "X" button)
}

// End hiding ]]></script>
0
 
VanHackman Commented:

Sorry, I had a little mistake in the PHP line.

The link in your script must be:

<a href="javascript:void(0)" onclick="DeleteArticle()">delete</a>

And the JavaScript Function:

<script language="javascript">

function DeleteArticle()
{

Answer = confirm("Do you really want to delete the content?");
 
if (Answer) {
 
  // Deleting...
  alert('Ok, Lets Delete the Article...');
  // The PHP output must be quoted so that JavaScript receives a string literal
  DeleteScript = '<?echo ($PHP_SELF."?action=delete&article_id=".$news['article_id']);?>';
  document.location.href = DeleteScript;
 
}
 else {

    // Nothing...
      alert('Dont worry, Nothing happen...');
 }

 return true;
}
</script>

I attached the full and functional example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Delete Confirmation With JavaScript by VanHackman</title>
</head>

<body>

<a href="javascript:void(0)" onclick="DeleteArticle()">delete</a>

</body>

 <script language="javascript">

function DeleteArticle()
{

Answer = confirm("Do you really want to delete the content?");
 
if (Answer) {
 
// Deleting... 
  alert('Ok, Lets Delete the Article...');
  //DeleteScript = '<?echo ($PHP_SELF."?action=delete&article_id=".$news['article_id']);?>';
  DeleteScript = 'TheDeleteURl.html'; // Delete this line and un-comment the line above.
  document.location.href = DeleteScript;
 
}
 else {

    // Nothing...
	alert('Dont worry, Nothing happen...');
 }

 return true;
}
</script>

</html>


0
 
Ray Paseur Commented:
Line 10 of the original post violates one of the cardinal rules of HTTP.  You must not modify the data model on the basis of a GET request.  In other words, you want to recode this so you use a POST request to delete the records.

Why?  Glad you asked!  It's all about RFC2616...

Imagine what would happen if a search engine spidered that page?  It would prefetch all the delete pages and your data base would wind up empty.  Of course it does not have to be a search engine. It could be a hacker, too.

I would not rely on JavaScript for this, since search engines and hackers do not care about JavaScript - they will plow through the page anyway.  The best strategy is to rewrite, using the POST method and perhaps adding a confirm step to the server-side script.

Some refs to help you understand the difference between GET and POST:
http://www.cs.tut.fi/~jkorpela/forms/methods.html#fund
http://www.velocityreviews.com/forums/t61534-question-get-vs-post-method.html
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

best of luck with it, ~Ray
0
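The approach described in the comment above (change data only on POST, with a confirm step in the server-side script), as an added example that is not part of the original thread or the CMS's own code. It assumes a PDO connection, a table named `articles`, session keys `is_admin` and `csrf`, and a form field `confirmed`; all of these names are illustrative, and the per-session token check and the prepared statement go beyond what the thread discusses.

```php
<?php
// Added example, not the CMS's own code. Assumed names: a PDO handle, table
// `articles`, session keys `is_admin` and `csrf`, form field `confirmed`.
declare(strict_types=1);

/** Classify a request to the delete page: 'reject', 'confirm' or 'delete'. */
function deleteDecision(string $method, array $post, array $session): string
{
    if ($method !== 'POST' || empty($session['is_admin'])) {
        return 'reject';            // GET links, crawlers and prefetchers never change data
    }
    $want = $session['csrf'] ?? '';
    $got  = $post['csrf'] ?? '';
    if (!is_string($want) || $want === '' || !is_string($got) || !hash_equals($want, $got)) {
        return 'reject';            // POST did not come from a form served to this session
    }
    $id = $post['article_id'] ?? '';
    if (!is_string($id) || !ctype_digit($id)) {
        return 'reject';            // article_id must be a plain decimal number
    }
    return ($post['confirmed'] ?? '') === 'yes' ? 'delete' : 'confirm';
}

/** Build the POST form that replaces the delete link (and serves as the confirm step). */
function deleteForm(int $id, string $csrf, bool $confirmStep): string
{
    return '<form method="post">'
         . '<input type="hidden" name="article_id" value="' . $id . '">'
         . '<input type="hidden" name="csrf" value="' . htmlspecialchars($csrf, ENT_QUOTES) . '">'
         . ($confirmStep ? '<input type="hidden" name="confirmed" value="yes">' : '')
         . '<button type="submit">' . ($confirmStep ? 'Yes, delete it' : 'delete') . '</button>'
         . '</form>';
}

/** Act on the decision; returns the HTML or message to echo. */
function handleDelete(PDO $pdo, string $method, array $post, array $session): string
{
    switch (deleteDecision($method, $post, $session)) {
        case 'confirm':             // first POST: ask again, server-side, no JavaScript needed
            return '<p>Permanently delete article ' . (int) $post['article_id'] . '?</p>'
                 . deleteForm((int) $post['article_id'], $session['csrf'], true);
        case 'delete':              // second POST carries confirmed=yes
            $stmt = $pdo->prepare('DELETE FROM articles WHERE article_id = ?');
            $stmt->execute([(int) $post['article_id']]);
            return $stmt->rowCount() === 1 ? 'Article Deletion Successful' : 'No such article';
        default:
            return 'Request rejected';
    }
}
```

In the page itself, call `session_start()`, store a token once per session with `$_SESSION['csrf'] = bin2hex(random_bytes(32));`, print `deleteForm($id, $_SESSION['csrf'], false)` where the delete link used to be, and echo `handleDelete($pdo, $_SERVER['REQUEST_METHOD'], $_POST, $_SESSION)` in the handler. A JavaScript `confirm()` can still be attached to the form's submit event as a convenience, but the server-side confirm step works without it.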
 
hsq91 Commented:
Ray, if I may point out, normally, reliable Content Management Systems (CMS), as the author has mentioned, will only serve delete links to logged-in site administrators (who possess the appropriate session data), and will block delete requests that originate from non-site admins (who do not possess the appropriate session data), such as hackers and search engines. So, it is clearly not the responsibility of the author to worry about the "[violation of] one of the cardinal rules of HTTP," or the like, as it's supposed to be only a concern for the CMS systems designers!
0
 
Ray Paseur Commented:
I understand your point.  Let me respond this way.  If a programmer came to me looking for a job and showed a code sample that modified the data model on the basis of a GET request, she would not get the first interview, full stop.  Ignorance of the danger is the only way I can interpret such a thing.   What if her code library was one day borrowed by a junior developer?  It's a danger I cannot risk.

Even if you're using a password challenge to make your page "invisible" to hackers, it seems like a poor idea to ignore the RFC's - they exist for good reason.  

Best to all, ~Ray
0
 
hsq91 Commented:
"If a programmer came to me looking for a job..."
- Well, in my opinion, CMS are originally intended for non-programmers; otherwise, the programmers will most likely invent their very own, much more controllable CMS, or simply edit content by hard-coding.

Also, on your preceding comment: "I would not rely on JavaScript for this"
- Didn't you see that the author's not using JavaScript to delete the items? Didn't you read that the author wanted a "popup" for delete confirmation? JavaScript doesn't have anything to do with the "dangers" of the CMS core system, it is only an enhancer here; in addition, the fact that "search engines and hackers do not care about JavaScript - they will plow through the page anyway" will be countered by the login system--which normally uses a "POST" and just about all sites use it, even Experts-Exchange, right?

So, instead of just critiquing the author to improve his/her "data model," why didn't you provide a better solution (or closely related links), then? I know of the alternative that may satisfy your "POST" requirement--while still satisfying the author's original request--but that's not what the author originally asked for; again, if you think you have the better solution, then please do provide your solution, instead of just "talking sweetly with nothing meaningful."
0
 
Ray Paseur Commented:
@hsq91, Limited Member:  I see you are relatively new here.  Welcome to EE.  It is a community of volunteers where we share ideas and support one another in a rather communist style, from each according to his ability, etc.  Advice is not the same as criticism, and sometimes we find askers who have posted a question that is the computer equivalent of "Can I use water instead of oil to lubricate my engine?"  In these cases it's my practice to try to share some background information on the subject so that instead of just saying "No" (factually correct, and yet not a very helpful answer) we can generate some dialog and maybe create some understanding.  

In the instant case, I believe that RFC2616 should be a part of the Asker's understanding and consideration, and that's why I draw attention to it.  I'm by no means flawless, and while I often answer questions with complete and tested code samples, sometimes I do not.  It depends on time and workload, eh?

Best regards for a healthy and prosperous New Year, ~Ray
0
 
cuttone (Author) Commented:
Wow, I didn't intend for the question to turn into a shouting match.

I appreciate all the input. To comment on Ray Paseur's input, I did not write the CMS. A long since disappeared developer did. I know enough to look under the hood and change the oil, but not to rebuild the engine. So for now, I think I will probably try to implement the original solution and see if that works for now.
0
 
VanHackman Commented:

@cuttone: Did you try my code?

MSG ID: 26121055
0
 
cuttone (Author) Commented:
I have not yet had a chance to work on it, but I will. Thanks
0
 
hsq91 Commented:
cuttone, for "confirm delete code," all you need is my concise JavaScript function:

function confirmDeletion(){
var MESSAGE="Are you sure you want to permanently delete this article?";

return confirm(MESSAGE); // Will return true (proceed to deletion) or false (halt deletion), depending on button clicked (such as "OK" or "Cancel" or the "X" button)
}

Check out my MSG ID: 26121642 for details on how to implement this function in 2 ways.
0
 
hsq91 Commented:
Well, so far, I've provided the most concise, thoroughly-tested JavaScript function, introduced at http:#a26121642 and emphasized at http:#a26148488, that satisfies the author's original requirements. I've also provided detailed explanations of my codes where I've introduced them, also at http:#a26121642; moreover, I've introduced and explained, also at http:#a26121642, a second alternative way of coding the code for the author to choose from and use as well.

If you ask for my closing recommendations, of course I'll say give me the accepted solution! You can simply compare my codes (and effort that I put in) with the other codes provided by the other "experts" and test all the codes to see, for yourself, which one the author would most likely pick.

Thanks to you all, and I hope that the author or the admins will wisely close this question.
0
 
cuttone (Author) Commented:
To all those who provided input and especially hsq91, thanks for the help. Sorry it took so long to accept, but desktop crashed in December and have been working to rebuild and recover data, so these web fixes were on the backburner.
0
 
hsq91 Commented:
Wow, thanks for your quick action, cuttone!
0
