I'm looking for the best, safest way to delete values from a table for the current, logged-in user.
I have a query on my page which grabs all interests for a user and displays them as such:
<?php
print $interest1 . "<a href='del-interest.php'>Delete</a><br />";
print $interest2 . "<a href='del-interest.php'>Delete</a><br />";
print $interest3 . "<a href='del-interest.php'>Delete</a><br />";
?>
I want to add a delete function (which I've never done before) so that when a user clicks delete the corresponding row is removed from the table. My only concern is, if I use POST/GET methods to pass the data, some users may maliciously alter the data being posted and delete all kinds of stuff. Sorry if this isn't too clear; what I'm asking is, what's the best, safest way to do this?
Sorry if this doesn't make sense, I'm trying my best to learn PHP, but would the following work?
<?php
print $interest1 . "<form method='post' action='delete-interest.php'><input type='hidden' value='".$interest1."' name='int1' id='int1'/></form><br />";
print $interest2 . "<form method='post' action='delete-interest.php'><input type='hidden' value='".$interest2."' name='int2' id='int2'/></form><br />";
print $interest3 . "<form method='post' action='delete-interest.php'><input type='hidden' value='".$interest3."' name='int3' id='int3'/></form><br />";
?>
and then on delete-interest.php I had...
<?php
session_start();
// assumed: the logged-in user's id is kept in the session under 'user_id'
$user_id = (int) $_SESSION['user_id'];
// assumed column name 'interest'; the posted value is escaped before it goes into the query
if (isset($_POST['int1'])) {
    $interest = mysql_real_escape_string($_POST['int1']);
    mysql_query("DELETE FROM user_interests WHERE interest = '$interest' AND user_id = $user_id");
}
elseif (isset($_POST['int2'])) {
    $interest = mysql_real_escape_string($_POST['int2']);
    mysql_query("DELETE FROM user_interests WHERE interest = '$interest' AND user_id = $user_id");
}
elseif (isset($_POST['int3'])) {
    $interest = mysql_real_escape_string($_POST['int3']);
    mysql_query("DELETE FROM user_interests WHERE interest = '$interest' AND user_id = $user_id");
}
?>
For a start, do not use an <a> tag as this will send a GET request, which is extremely bad form.
Snippet from w3.org:
...the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval.
Therefore you should be using a form, normally using the POST method. If you were following RESTful conventions you would use DELETE (but most browsers don't support this, so you would have to simulate it).
As @OMG ponies stated you will need to have the information of the unique identifier (primary key) available so you know which row to delete.
As @henasraf stated, you should validate that the user sending the request is in fact logged in and has permission to delete his data. You mentioned the interests are linked to users, therefore you just verify that the user is logged in and is only trying to delete their own data.
You need to use javascript and ajax to get that type of click and go functionality.
For example with jQuery:
$('.del-link').click(function(){
    var id = $(this).data('rowid');
    $.post('del-interest.php', {id: id}, function(data){
        //do something on return
    });
    return false;
});
And your html would need to look something like this:
interest1 <a class="del-link" href="#" data-rowid="interest1ID">DELETE</a>
interest2 <a class="del-link" href="#" data-rowid="interest2ID">DELETE</a>
...
Remember to have some sort of validation on the PHP side, and return some data so the JavaScript can output any errors to the user.
Your best go would be to validate the deletion before doing it. In the deletion itself, check if the user has permission to do what he's doing. When that's out of the way, use the DELETE FROM SQL query to do the job.
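Putting the advice from the answers above together (POST only, logged-in check, delete by primary key restricted to the caller's own user_id, prepared statement, a response the JavaScript can act on), here is an added example of what del-interest.php could look like. It is not code from any of the answers; it assumes a session that holds 'user_id' and a 'csrf' token, a table user_interests(id, user_id, interest), and a hypothetical PDO DSN and credentials.

```php
<?php
// del-interest.php (added example, not from the original answers)
session_start();
header('Content-Type: application/json');

function respond(int $status, array $body): void {
    http_response_code($status);
    echo json_encode($body);
    exit;
}

// Only POST may cause side effects; GET must stay a safe, retrieval-only method.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, ['error' => 'POST required']);
}
// Who the user is comes from the session, never from the request body.
if (empty($_SESSION['user_id'])) {
    respond(401, ['error' => 'not logged in']);
}
// Reject cross-site form submissions: the posted token must match the session's.
if (!isset($_POST['csrf'], $_SESSION['csrf'])
    || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
    respond(403, ['error' => 'bad token']);
}
// The row is identified by its primary key, validated as a positive integer.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    respond(400, ['error' => 'invalid id']);
}

// Assumed connection details; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
// Prepared statement: the values never become part of the SQL text, and the
// user_id clause means a tampered id can only ever hit the caller's own rows.
$stmt = $pdo->prepare('DELETE FROM user_interests WHERE id = :id AND user_id = :uid');
$stmt->execute([':id' => $id, ':uid' => (int) $_SESSION['user_id']]);

if ($stmt->rowCount() === 0) {
    // Either no such row or it belongs to someone else; don't tell the caller which.
    respond(404, ['error' => 'nothing deleted']);
}
respond(200, ['deleted' => $id]);
```

With this handler the jQuery call would post {id: id, csrf: token}, where token is the session's CSRF value rendered into the page alongside the data-rowid attributes.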