0

The PHP code won't delete item from database using "$noteid". If I put a number in it's place it will, but when I try using "$noteid". It won't do it. It does everything correct up to the point where it tries to delete.

Here's how I get the "$noteid":

//javascript
function viewnote(noteid) {

  window.location = "noteview.php?noteid="  + noteid;

}

//button in body
<input type="button" value="Edit" onclick="editnote('<?= $noteid ?>')" />

Here's the code on the linked to page:

<?php

$noteid = $_REQUEST['noteid'];

if (isset($_POST['delete'])){
 mysql_query("DELETE FROM notes WHERE noteid='$noteid'");
 header ('Location: index2.php');
}
?>

<body>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" style="margin:0px; pading:0px"><input type="submit" name="delete" value="Delete"></form>
</body>

** It's Working Now!!! ** What made it work was a hidden form field.

Here's the code:

<?php
if (isset($_POST['delete'])){
        $nid = $_REQUEST['notenum'];
    mysql_query("DELETE FROM notes WHERE noteid='$nid'");
    header ('Location: index2.php');
}
?>

//body cody
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" style="margin:0px; pading:0px"><input type="text" name="notenum" value="<?php echo $noteid; ?>" style="display:none" /><input type="submit" name="delete" value="Delete"></form>

Thanks to everyone for your help!!! This site is my favourite site now.

Improve this question
3
  • 1
    The likelihood is that $_REQUEST['noteid'] is empty. Try vardump($_REQUEST) and see what you're working with. Commented Dec 22, 2010 at 14:23
  • 2
    $noteid = "'; drop table notes; --"; Commented Dec 22, 2010 at 14:24
  • Note that <?php echo $_SERVER['PHP_SELF']; ?> is a potential XSS hole, too. It should not be used. Commented Dec 7, 2012 at 7:53

3 Answers 3

Reset to default
5

You're using a lot of bad practices:

<?= $noteid ?>

That is not supported on all PHP versions, use the following instead:

<?php echo $noteid; ?>

Secondly,

mysql_query("DELETE FROM notes WHERE noteid='$noteid'");

STOP RIGHT THERE. Go learn about SQL injection before coding. I'm not joking. The right code:

mysql_query('DELETE FROM notes WHERE noteid="'.mysql_real_escape_string($noteid).'"');

Also ensure that the PHP variable $noteid does exist prior to onclick="editnote(...)" />.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

ok changed everything around and code is still not working. The <input type="button" value="Edit" onclick="editnote('<?= $noteid ?>')" /> is generated from $getnotes = mysql_query(" code removed for safety reasons ", $db); if (mysql_num_rows($getnotes)>0) { while($gnote = mysql_fetch_array($getnotes)){ $title = $gnote['title']; $noteid = $gnote['noteid'];}} It definitely exists prior, because if it didn't, I wouldn't be able to go to the next page using the number pulled from the database.
1

The problem you have is that $_REQUEST['noteid'] won't be set after the form has posted. In that scenario you could add a hidden form field to store the value from the query string. You also need to look at sanitising your variable with mysql_real_escape_string and using $_GET or $_POST rather than $_REQUEST

Improve this answer

2 Comments

THANK YOU THANK YOU THANK YOU THANK YOU!!!!! I forgot about using hidden form fields. I'm still new to PHP. Y'all are great help :)
@dnagirl gave you some good advice. If a variable doesn't behave correctly, always start by dumping it.
1

Please consider using Binds and Prepared statements. Almost all problems of the from "x from PHP doesn't work right in SQL" can be solved by using prepared statements.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.