
I am working on a custom content management system. I was instructed to make some changes, and this is what I need to do: I need to create a user management page which allows the administrator to delete a user from the database (or disable his status).

This is my User Management Page:

<?php
$query = 'SELECT author_id, author_email as Email, author_name as Name
        FROM authors
        ORDER BY Name
        LIMIT 0, 30';

$result = mysql_query($query);

?>

<table class="listing">
<thead>
    <tr>
        <td>Author ID</td>
        <th>Author E-Mail</th>
        <th>Author Name</th>
        <th>Delete</th>
    </tr>
</thead>
<tbody>
    <?php
    for ($i = 0; $row = mysql_fetch_array($result); $i++) {
        if ($i % 2 == 0) {
            echo '<tr class="even">';
        } else {
            echo '<tr class="odd">';
        }
        echo "<td>{$row['author_id']}</td>";
        echo "<td>{$row['Email']}</td>";
        echo "<td>{$row['Name']}</td>";
        echo "<td><a href=\"del-user.php?term={$row['author_id']}\" onclick=\"javascript:return confirm('Are you sure you want to delete this user?')\">X</a></td>";
        echo '</tr>';
    }
    ?>
</tbody>
</table>

This is my del-user.php page:

<?php
include('inc/config.php');
$title = 'Delete Individual User';
include('inc/db.php');
include('inc/header.php');

echo '<h2>Delete</h2>';

if (isset($GET['term'])) {
$query = "DELETE FROM authors WHERE author_id = {$GET['term']} LIMIT 1";
mysql_query($query) or die('Failed to delete user');
echo '<p>User Deleted</p>';
echo '<p>Back to <a href="manage-users.php">Manage Users</a>.</p>';
} else {
echo '<p>Tried to Delete: "';
echo ($GET['term']);
echo '"</p>';
echo '<p>Nothing to Delete</p>';    
}

include('inc/footer.php');
?>

I am new to PHP, but this is not working: the author_id value is not being passed to the other page, and it is left empty. So I cannot delete anything from the del-user.php page.

I'm guessing that this is the problematic part:

echo "<td><a href=\"del-user.php?term={$row['author_id']}\" onclick=\"javascript:return confirm('Are you sure you want to delete this user?')\">X</a></td>";

Does anybody know why this is happening?

  • It would be easier and more manageable to do various things with ajax calls. Commented Aug 5, 2011 at 11:55
  • @Stack 101 - I have never used ajax, so I prefer not to complicate things. Commented Aug 5, 2011 at 11:57

4 Answers

Several issues:

You send data like this:

del-user.php?term={$row['author_id']}

So that means that actually $_GET['term'] contains the id.

You catch the value like this:

if (isset($_GET['author_id'])) {
$query = "DELETE FROM authors WHERE author_id = {$_GET['author_id']} LIMIT 1";

And it is not good, since $_GET['term'] contains the id, so you have to fix the lower one to look like this:

if (isset($_GET['term'])) {
    // escape first; a function call cannot be interpolated inside a double-quoted string
    $term = mysql_real_escape_string($_GET['term']);
    // the escaped value only helps when it is quoted in the SQL
    $query = "DELETE FROM authors WHERE author_id = '$term' LIMIT 1";

Also you need to expand the select query, since you are not actually fetching the author_id from the db:

$query = 'SELECT author_email as Email, author_name as Name, author_id
        FROM authors
        ORDER BY Name
        LIMIT 0, 30';

Please, escape your variables before you throw them at the database...

http://php.net/manual/en/function.mysql-real-escape-string.php

Cheers


7 Comments

  • Kinda incredible... If you added authorId to the select, and changed the $_GET['author_id'] to $_GET['term'], there is nothing left not to work. :) What message do you get?
  • Having said that, my url now has 25 at the end, which is the author id: "/del-user.php?term=25"
  • The correct version of the delete script has $_GET['term'] instead of $_GET['author_id']. Are you absolutely sure you did it? :)
  • I got no error, but I got this: "Delete Tried to Delete: "" Nothing to Delete". I get this when there is nothing to get.
  • Didn't you tell me it should be term?

the problem is your query!

$query = 'SELECT author_email as Email, author_name as Name
    FROM authors
    ORDER BY Name
    LIMIT 0, 30';

you are not selecting the author_id

Comments


You pass your user id in the url like this :

echo "<td><a href=\"del-user.php?term={$row['author_id']}\"

Then you must GET term, not author_id:

$query = "DELETE FROM authors WHERE author_id = {$_GET['term']} LIMIT 1";

And by the way, you should read about prepared queries and SQL injection ;)

Comments
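The first answer recommends escaping the id and the third points at prepared statements. The following is an added example of what a hardened del-user.php can look like; it is not the asker's code and not any answer's code. It assumes that inc/db.php provides a mysqli connection in a variable called $db (the original uses the legacy mysql_* functions and never shows its connection variable), that the listing page submits the id through a POST form whose field is still named "term", and that the helper names parse_author_id, delete_author and delete_form_cell are choices made here. The id is validated as a positive integer, bound as a query parameter instead of being interpolated into the SQL, and the delete only runs on a POST carrying the session token the listing page embedded, so a plain link cannot trigger it.

```php
<?php
// Added example: hardened del-user.php (assumed helper names, assumed $db from inc/db.php).
declare(strict_types=1);

session_start();                 // before any output, so the token can be read
include 'inc/config.php';
$title = 'Delete Individual User';
include 'inc/db.php';            // assumed to set $db = new mysqli(...)
include 'inc/header.php';

/**
 * Validate the submitted id. Only a positive integer is accepted, so an
 * empty value, "abc" or "25 OR 1=1" is rejected before any query is built.
 */
function parse_author_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Delete one author by id using a prepared statement. The id travels as a
 * bound integer parameter and is never part of the SQL text.
 * Returns the number of rows deleted (0 or 1).
 */
function delete_author(mysqli $db, int $id): int
{
    $stmt = $db->prepare('DELETE FROM authors WHERE author_id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

/**
 * HTML for the "Delete" cell of the listing page (replaces the GET link).
 * Called from manage-users.php inside its row loop; the id is cast to int and
 * the token is HTML-escaped so neither can break out of the markup.
 */
function delete_form_cell(int $authorId, string $token): string
{
    return '<td><form method="post" action="del-user.php"'
        . ' onsubmit="return confirm(\'Are you sure you want to delete this user?\')">'
        . '<input type="hidden" name="term" value="' . $authorId . '">'
        . '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
        . '<button type="submit">X</button></form></td>';
}

echo '<h2>Delete</h2>';

// A delete changes state: require POST and the per-session token that the
// listing page put into its form ($_SESSION['token'] is created there with
// bin2hex(random_bytes(16)) when the page is rendered).
$validToken = isset($_POST['token'], $_SESSION['token'])
    && hash_equals($_SESSION['token'], (string) $_POST['token']);

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !$validToken) {
    http_response_code(403);
    echo '<p>Invalid delete request.</p>';
} else {
    $id = parse_author_id($_POST['term'] ?? null);
    if ($id === null) {
        echo '<p>Nothing to Delete</p>';
    } elseif (delete_author($db, $id) === 1) {
        echo '<p>User Deleted</p>';
    } else {
        echo '<p>No user with that id.</p>';
    }
}
echo '<p>Back to <a href="manage-users.php">Manage Users</a>.</p>';

include 'inc/footer.php';
```

With this layout the "nothing to delete" branch in the question becomes a validation failure rather than a silent empty query, and an attacker who controls the term value can at most pick a different integer, which the prepared statement treats as data. The listing page should also pass its Email and Name columns through htmlspecialchars() when echoing them, since they are user-supplied values being written into HTML.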


use author_id in your query

<?php
$query = 'SELECT author_id, author_email as Email, author_name as Name
        FROM authors
        ORDER BY Name
        LIMIT 0, 30';

$result = mysql_query($query);

?>

2 Comments

  • The loop is not the problem, the problem is this part: <td><a href=\"del-user.php?term={$row['author_id']}\" — it is not passing the author_id to the other page correctly.
  • Why would the loop be the problem? :)
