Jazzy 1012

asked on

Using javascript confirmation for a delete in mysql

I have this code:
<?php
// Prepared statement: the username is bound as data, so it cannot alter the query.
$stmt = $conn->prepare("SELECT * FROM `rsvp` WHERE `Gathered By` = ?");
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
while ($row = mysqli_fetch_assoc($result))
{
	echo '<tr>';
	foreach ($row as $fieldname => $values)
	{
		if ($fieldname == 'id')
		{
			continue;
		}
		// Escape every database value before it is written into HTML.
		$safe = htmlspecialchars((string) $values, ENT_QUOTES, 'UTF-8');
		if ($fieldname == 'Gathered By')
		{
			echo '<td>';
			echo $safe;
			echo '</td>';
		}
		else if ($fieldname == 'Date')
		{
			echo '<td>';
			// Format the row's own date rather than the current date.
			echo date("m/d/Y", strtotime($values));
			echo '</td>';
		}
		else
		{
			echo '<td>';
			echo '<input class="change readonly-input" value="' . $safe . '" readonly name="data[' . (int) $row['id'] . '][' . htmlspecialchars($fieldname, ENT_QUOTES, 'UTF-8') . ']" />';
			echo '</td>';
		}
	}
	echo '<td><a href="delete.php?id=' . (int) $row['id'] . '"><i class="fa fa-trash"></i></a>';
	echo '</td>';
	echo '</tr>'; // close the table row
}
$stmt->close();


My delete works but how can I do it with javascript confirm when I need to pass the id?
Ray Paseur

Please, please, please be careful with this design!  You can be setting yourself up for a catastrophe if you delete a record on the basis of a GET request (e.g. with the id in the URL).  This is a well-known antipattern.  Here is why:

Let's say you can delete a record with this link:
<a href="delete.php?id='.$row['id'].'"><i class="fa fa-trash"></i></a>



That means you can also delete a record with this link:
<a href="delete.php?id=3"><i class="fa fa-trash"></i></a>



That means a bad actor could put together a collection of links like this:
<a href="http://your.org/delete.php?id=1">1</a>
<a href="http://your.org/delete.php?id=2">2</a>
<a href="http://your.org/delete.php?id=3">3</a>
/* Etc */
<a href="http://your.org/delete.php?id=999999">999999</a>



Now imagine what would happen if the bad actor fed that page to Google.  Google would spider the page, following all of the links.  And your database would be wiped out.

One correct way to make a delete request is shown in this article.  Look for the part about The Delete Script
https://www.experts-exchange.com/articles/12335/PHP-and-MySQLi-Table-Maintenance.html

Executive summary: JavaScript is the wrong tool for delete confirmation.  You should use an HTTP request instead.
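To make the advice above concrete, here is an added example (not code from the question or from any of the answers) of a delete flow that does not act on a GET request. The table `rsvp`, the column `Gathered By`, `$conn` and `$username` come from the question; the function names `renderDeleteForm` and `handleDelete`, the session-stored CSRF token, and the redirect target `list.php` are assumptions made for this example. The JavaScript `confirm()` stays only as a convenience for the person clicking; every decision that protects the data is made on the server.

```php
<?php
// Added example, not part of the original thread. Assumes an open mysqli
// connection in $conn, the logged-in user's name in $username, and PHP sessions.
session_start();

// One random token per session, rendered into every delete form (assumed design).
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// Replaces the <a href="delete.php?id=..."> link in the listing with a POST form.
// A crawler that follows links never submits this form, and a pasted URL
// carries no token, so neither can delete anything.
function renderDeleteForm(int $id, string $csrf): string
{
    $csrf = htmlspecialchars($csrf, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="delete.php" '
         . 'onsubmit="return confirm(\'Delete this RSVP?\');">'   // UX only
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="csrf" value="' . $csrf . '">'
         . '<button type="submit" aria-label="Delete"><i class="fa fa-trash"></i></button>'
         . '</form>';
}

// delete.php: the checks that actually guard the row (hypothetical handler).
function handleDelete(mysqli $conn, string $username): void
{
    // 1. Spiders and shared links arrive as GET; refuse anything but POST.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('Method Not Allowed');
    }
    // 2. The token ties the request to a form this site rendered for this session.
    if (empty($_POST['csrf']) || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
        http_response_code(403);
        exit('Invalid request token');
    }
    // 3. Accept only an integer id; no raw string reaches the query.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid id');
    }
    // 4. Ownership is part of the statement, so one user cannot delete another's row.
    $stmt = $conn->prepare('DELETE FROM `rsvp` WHERE `id` = ? AND `Gathered By` = ?');
    $stmt->bind_param('is', $id, $username);
    $stmt->execute();
    $deleted = $stmt->affected_rows;   // 0 means "not yours" or already gone
    $stmt->close();

    // 303 redirect so a browser refresh re-fetches the list instead of re-posting.
    header('Location: list.php?deleted=' . $deleted, true, 303);
    exit;
}
```

In the listing loop, `renderDeleteForm((int) $row['id'], $_SESSION['csrf'])` goes into the last `<td>` where the trash link used to be; `delete.php` calls `handleDelete($conn, $username)`. If JavaScript is disabled, the form still submits and the server still performs all four checks, which is the point of the answer above: the confirmation dialog is a courtesy, not a control.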
Jazzy 1012

ASKER

It's okay, I just need a confirmation, okay so is there a way to do it?
ASKER CERTIFIED SOLUTION
Mukesh Yadav

This solution is only available to members.
The problem with the accepted solution is that it does nothing to mitigate the danger described above.  A JavaScript solution assumes that the only way anyone can get to the delete script is through a JavaScript enabled web browser.  And that's just wrong.  If it were true, Google could not exist.

Strongly urge you to reconsider this strategy!  JavaScript is the wrong tool.
Okay, thanks, I'll take it into consideration!