Why query only delete the last row? - php

<?php
$query= mysqli_query($link, "SELECT * FROM Messages");
while ($row=mysqli_fetch_assoc($query)){
$MID= $row['mesgID'];
?>
<br><br><br><center><caption><?php echo "The <strong>".$row['type']."</strong> ID: ".$row['mesgID']; ?></caption></center>
<center><table border='4'; style="border-color:darkblue;">
<tr>
<td style="width:70%; text-align:left;"><?php echo "<strong>From: </strong>".$row['email']."<br><strong>About: </strong>".$row['areaCode']; ?></td>
</tr>
<tr>
<td style="width:70%; text-align:center;"><?php echo "<strong>Message content</strong><br><br>".$row['message']."<br>"; ?></td>
</tr>
</table></center>
<form action="ContactCleanersManagementStaffSide.php" method="post">
<center>
<input class="button button3" type="submit" name="<?php echo $MID; ?>"value="DELETE" id="submit"/></center>
</form>
<br><br>
<?php
}
if(isset($_POST[$MID])){
$query = mysqli_query($link, "DELETE FROM Messages WHERE mesgID='$MID'");
}
?>
I create "delete" button with unique name for each button, but when i clicks any button -except the last button- it's not deleting, but when i click the lats button, it's deleted seccessfully.

Instead of using id as name attriute of button, i will ask you to create a hidden filed with name="mesgID" and value="<?php echo $row['mesgID']; ?>" like below:
<?php
$query= mysqli_query($link, "SELECT * FROM Messages");
while ($row=mysqli_fetch_assoc($query)){
?>
<br>
<br>
<br>
<center>
<caption><?php echo "The <strong>".$row['type']."</strong> ID: ".$row['mesgID']; ?></caption>
</center>
<center>
<table border='4'; style="border-color:darkblue;">
<tr>
<td style="width:70%; text-align:left;">
<?php echo "<strong>From: </strong>".$row['email']."<br><strong>About: </strong>".$row['areaCode']; ?>
</td>
</tr>
<tr>
<td style="width:70%; text-align:center;">
<?php echo "<strong>Message content</strong><br><br>".$row['message']."<br>"; ?>
</td>
</tr>
</table>
</center>
<form method="post">
<input type="hidden" name="mesgID" value="<?php echo $row['mesgID']; ?>">
<center>
<input class="button button3" type="submit" name="Delete" value="DELETE" id="submit"/>
</center>
</form>
<br>
<br>
<?php }
if(isset($_POST['mesgID'])){
$query=mysqli_query($link, "DELETE FROM Messages WHERE mesgID=".$_POST['mesgID']);
}
?>
Note:- Current code is wide-open for SQL INJECTION so use prepared statements
Additional Note: A 'quick' fix [only] for SQL Injection is to force type casting to integer for numeric id values.
$query=mysqli_query($link, "DELETE FROM Messages WHERE mesgID=".(int)$_POST['mesgID']);
The above is NOT a replacement for leveling up to parameterised Queries.
References:-
mysqli::prepare
PDO::prepare

It's a bad idea to directly insert the received id from POST in the statement (creates SQL injection vulnerability, you can read about SQLi's here https://www.acunetix.com/websitesecurity/sql-injection/)
I would check whether id was passed and perform the delete query before selecting and echo'ing all messages, as you would always include the message even though it was deleted (because it is being deleted afterwards).
You should add a hidden input field with name 'messageId' and pass the id as a value, then add the submit button afterwards to submit the form with the hidden value -
<form method="post">
<input type="hidden" name="messageId" value="<?= $row['mesgID']; ?>">
<center>
<input class="button button3" type="submit" value="DELETE" id="submit"/>
</center>
</form>
And in the beginning of code receive the POSTed 'messageId' variable by
if (isset($_POST['messageId'])){
$stmt = $conn->prepare("DELETE FROM Messages WHERE mesgID = ?");
$stmt->bind_param("i", $_POST['messageId']);
$stmt->execute();
}

Related

How to add a delete button in the html table to delete entire row from database? [duplicate]

I have outputted the results of a MySQL table to an HTML table. In the last column, I want to add a delete option which calls another form and deletes the user from the MySQL table. I can't seem to get it to work though.
This is my code for the results page:
<?php
$contacts = mysql_query("
SELECT * FROM contacts ORDER BY ID ASC") or die( mysql_error() );
// If results
if( mysql_num_rows( $contacts ) > 0 )
?>
<table id="contact-list">
<thead>
<tr>
<th>Name</th>
<th>Email</th>
<th>Telephone</th>
<th>Address</th>
<th>Delete</th>
</tr>
</thead>
<tbody>
<?php while( $contact = mysql_fetch_array( $contacts ) ) : ?>
<tr>
<td class="contact-name"><?php echo $contact['name']; ?></td>
<td class="contact-email"><?php echo $contact['email']; ?></td>
<td class="contact-telephone"><?php echo $contact['telephone']; ?></td>
<td class="contact-address"><?php echo $contact['address']; ?></td>
<td class="contact-delete"><form action='delete.php' method="post">
<input type="hidden" name="name" value="">
<input type="submit" name="submit" value="Delete">
</form></td>
</tr>
<?php endwhile; ?>
</tbody>
</table>
and, this is my delete.php script
<?php
//Define the query
$query = "DELETE FROM contacts WHERE name={$_POST['name']} LIMIT 1";
//sends the query to delete the entry
mysql_query ($query);
if (mysql_affected_rows() == 1) {
//if it updated
?>
<strong>Contact Has Been Deleted</strong><br /><br />
<?php
} else {
//if it failed
?>
<strong>Deletion Failed</strong><br /><br />
<?php
}
?>
I cannot figure out why this is not working.
You have to pass a variable in the delete link. You have to pass <?php echo $contact['name']; ?> (the name value) in a hidden field or pass this value in URL:
Replace
<td class="contact-delete">
<form action='delete.php' method="post">
<input type="hidden" name="name" value="">
<input type="submit" name="submit" value="Delete">
</form>
</td>
With
<td class="contact-delete">
<form action='delete.php?name="<?php echo $contact['name']; ?>"' method="post">
<input type="hidden" name="name" value="<?php echo $contact['name']; ?>">
<input type="submit" name="submit" value="Delete">
</form>
</td>
USe javascript
<input name="Submit2" type="button" class="button" onclick="javascript:location.href='delete.php?id=<?php echo $your_id;?>';" value="« Back" />
and in delet.php
$id=$_GET['id'];
and put $id in your sql statement.
You are missing to pass name in this line:
<input type="hidden" name="name" value="">
You need to have something (<?php echo $contact['name']; ?>) in the value attribute.
BTW, do not use deprecated mysql_* functions, use PDO or mysqli_* instead.
<input type="hidden" name="name" value="">
You are missing a value which wil be picked up by this line in your delete file.
$query = "DELETE FROM contacts WHERE name={$_POST['name']} LIMIT 1";
Right now it isn't receiving anything, which is why it will not work.
So add a value to it and it will work. Example:
<input type="hidden" name="name" value="<?php echo $contact['name']; ?>">
First, you should not write the code in that way; the code has no protection against SQL injection.
1. Try to use primary IDs instead of using a name (what happens if 2 people has the same name?).
So, you can create a hidden field to know which 'person' you are dealing with.
<input type="hidden" name="contact_id" value="<?php $contact['contact_id']; ?>">
2. Sanitize variables to avoid attacks:
<?php $contact_id = isset($_POST['contact_id'])?intval($_POST['contact_id']):0;
// proceed with the query
if($contact_id>0) { $query = "DELETE FROM contacts WHERE contact_id = '$contact_id'";
}
// redirect to the main table with header("location: main.php");
?>

How to use form and its php processing inside a loop [duplicate]

I have outputted the results of a MySQL table to an HTML table. In the last column, I want to add a delete option which calls another form and deletes the user from the MySQL table. I can't seem to get it to work though.
This is my code for the results page:
<?php
$contacts = mysql_query("
SELECT * FROM contacts ORDER BY ID ASC") or die( mysql_error() );
// If results
if( mysql_num_rows( $contacts ) > 0 )
?>
<table id="contact-list">
<thead>
<tr>
<th>Name</th>
<th>Email</th>
<th>Telephone</th>
<th>Address</th>
<th>Delete</th>
</tr>
</thead>
<tbody>
<?php while( $contact = mysql_fetch_array( $contacts ) ) : ?>
<tr>
<td class="contact-name"><?php echo $contact['name']; ?></td>
<td class="contact-email"><?php echo $contact['email']; ?></td>
<td class="contact-telephone"><?php echo $contact['telephone']; ?></td>
<td class="contact-address"><?php echo $contact['address']; ?></td>
<td class="contact-delete"><form action='delete.php' method="post">
<input type="hidden" name="name" value="">
<input type="submit" name="submit" value="Delete">
</form></td>
</tr>
<?php endwhile; ?>
</tbody>
</table>
and, this is my delete.php script
<?php
//Define the query
$query = "DELETE FROM contacts WHERE name={$_POST['name']} LIMIT 1";
//sends the query to delete the entry
mysql_query ($query);
if (mysql_affected_rows() == 1) {
//if it updated
?>
<strong>Contact Has Been Deleted</strong><br /><br />
<?php
} else {
//if it failed
?>
<strong>Deletion Failed</strong><br /><br />
<?php
}
?>
I cannot figure out why this is not working.
You have to pass a variable in the delete link. You have to pass <?php echo $contact['name']; ?> (the name value) in a hidden field or pass this value in URL:
Replace
<td class="contact-delete">
<form action='delete.php' method="post">
<input type="hidden" name="name" value="">
<input type="submit" name="submit" value="Delete">
</form>
</td>
With
<td class="contact-delete">
<form action='delete.php?name="<?php echo $contact['name']; ?>"' method="post">
<input type="hidden" name="name" value="<?php echo $contact['name']; ?>">
<input type="submit" name="submit" value="Delete">
</form>
</td>
USe javascript
<input name="Submit2" type="button" class="button" onclick="javascript:location.href='delete.php?id=<?php echo $your_id;?>';" value="« Back" />
and in delet.php
$id=$_GET['id'];
and put $id in your sql statement.
You are missing to pass name in this line:
<input type="hidden" name="name" value="">
You need to have something (<?php echo $contact['name']; ?>) in the value attribute.
BTW, do not use deprecated mysql_* functions, use PDO or mysqli_* instead.
<input type="hidden" name="name" value="">
You are missing a value which wil be picked up by this line in your delete file.
$query = "DELETE FROM contacts WHERE name={$_POST['name']} LIMIT 1";
Right now it isn't receiving anything, which is why it will not work.
So add a value to it and it will work. Example:
<input type="hidden" name="name" value="<?php echo $contact['name']; ?>">
First, you should not write the code in that way; the code has no protection against SQL injection.
1. Try to use primary IDs instead of using a name (what happens if 2 people has the same name?).
So, you can create a hidden field to know which 'person' you are dealing with.
<input type="hidden" name="contact_id" value="<?php $contact['contact_id']; ?>">
2. Sanitize variables to avoid attacks:
<?php $contact_id = isset($_POST['contact_id'])?intval($_POST['contact_id']):0;
// proceed with the query
if($contact_id>0) { $query = "DELETE FROM contacts WHERE contact_id = '$contact_id'";
}
// redirect to the main table with header("location: main.php");
?>

How to add a delete button to a PHP form that will delete a row from a MySQL table

I have outputted the results of a MySQL table to an HTML table. In the last column, I want to add a delete option which calls another form and deletes the user from the MySQL table. I can't seem to get it to work though.
This is my code for the results page:
<?php
$contacts = mysql_query("
SELECT * FROM contacts ORDER BY ID ASC") or die( mysql_error() );
// If results
if( mysql_num_rows( $contacts ) > 0 )
?>
<table id="contact-list">
<thead>
<tr>
<th>Name</th>
<th>Email</th>
<th>Telephone</th>
<th>Address</th>
<th>Delete</th>
</tr>
</thead>
<tbody>
<?php while( $contact = mysql_fetch_array( $contacts ) ) : ?>
<tr>
<td class="contact-name"><?php echo $contact['name']; ?></td>
<td class="contact-email"><?php echo $contact['email']; ?></td>
<td class="contact-telephone"><?php echo $contact['telephone']; ?></td>
<td class="contact-address"><?php echo $contact['address']; ?></td>
<td class="contact-delete"><form action='delete.php' method="post">
<input type="hidden" name="name" value="">
<input type="submit" name="submit" value="Delete">
</form></td>
</tr>
<?php endwhile; ?>
</tbody>
</table>
and, this is my delete.php script
<?php
//Define the query
$query = "DELETE FROM contacts WHERE name={$_POST['name']} LIMIT 1";
//sends the query to delete the entry
mysql_query ($query);
if (mysql_affected_rows() == 1) {
//if it updated
?>
<strong>Contact Has Been Deleted</strong><br /><br />
<?php
} else {
//if it failed
?>
<strong>Deletion Failed</strong><br /><br />
<?php
}
?>
I cannot figure out why this is not working.
You have to pass a variable in the delete link. You have to pass <?php echo $contact['name']; ?> (the name value) in a hidden field or pass this value in URL:
Replace
<td class="contact-delete">
<form action='delete.php' method="post">
<input type="hidden" name="name" value="">
<input type="submit" name="submit" value="Delete">
</form>
</td>
With
<td class="contact-delete">
<form action='delete.php?name="<?php echo $contact['name']; ?>"' method="post">
<input type="hidden" name="name" value="<?php echo $contact['name']; ?>">
<input type="submit" name="submit" value="Delete">
</form>
</td>
USe javascript
<input name="Submit2" type="button" class="button" onclick="javascript:location.href='delete.php?id=<?php echo $your_id;?>';" value="« Back" />
and in delet.php
$id=$_GET['id'];
and put $id in your sql statement.
You are missing to pass name in this line:
<input type="hidden" name="name" value="">
You need to have something (<?php echo $contact['name']; ?>) in the value attribute.
BTW, do not use deprecated mysql_* functions, use PDO or mysqli_* instead.
<input type="hidden" name="name" value="">
You are missing a value which wil be picked up by this line in your delete file.
$query = "DELETE FROM contacts WHERE name={$_POST['name']} LIMIT 1";
Right now it isn't receiving anything, which is why it will not work.
So add a value to it and it will work. Example:
<input type="hidden" name="name" value="<?php echo $contact['name']; ?>">
First, you should not write the code in that way; the code has no protection against SQL injection.
1. Try to use primary IDs instead of using a name (what happens if 2 people has the same name?).
So, you can create a hidden field to know which 'person' you are dealing with.
<input type="hidden" name="contact_id" value="<?php $contact['contact_id']; ?>">
2. Sanitize variables to avoid attacks:
<?php $contact_id = isset($_POST['contact_id'])?intval($_POST['contact_id']):0;
// proceed with the query
if($contact_id>0) { $query = "DELETE FROM contacts WHERE contact_id = '$contact_id'";
}
// redirect to the main table with header("location: main.php");
?>

updating database with user edit post

I am trying to update my database with a post that a user has edited in a forum. The whole edit form is functioning except for: when they click edit, the form submits and goes to the main forum page, but the database and the post don't change.
My save edit code is this:
#data preparation for the query
$id=intval($_POST['id']);
$a_id=intval($_POST['a_id']);
$question_id=intval($_POST['question_id']);
foreach ($_POST as $key => $value)
$_POST[$key] =
mysql_real_escape_string($value);
$sql = "UPDATE $tbl_name SET
a_answer='$_POST[a_answer]' WHERE
a_id='$a_id' AND
question_id='$question_id'";
if (!mysql_query($sql)) {
die('Error: ' . mysql_error()); }
mysql_close; header ("location:
main_forum.php");
?>
My code for the edit page is this:
#data preparation for the query
$id=intval($_GET['id']);
$a_id=intval($_GET['a_id']);
$question_id=intval($_GET['question_id']);
# selects title and description fields from database
$sql = "SELECT a_answer FROM $tbl_name WHERE a_id='$a_id' AND question_id='$question_id'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
?>
And the HTML
<h3>Edit</h3>
<form action="save_edit.php" method="get" name="myForm" />
<center>
<table>
<tr>
<td valign="top">
<b>Answer</b>
</td>
<td>
<textarea cols="80%" rows="10" name="a_answer">
<?php echo htmlspecialchars($rows['a_answer']); ?>
</textarea>
</td>
</tr>
<tr>
<td colspan="3">
<input name="a_id" type="hidden" value="<? echo $rows['a_id']; ?>">
<input name="question_id" type="hidden" value="<? echo $rows['question_id']; ?>">
<input type="submit" name="Submit" value="edit post">
<?php mysql_close(); ?>
</input>
</input>
</input>
</td>
</tr>
</table>
</center>
You are mixing up get and post. In your form you use method="get" while you use $_POST in the processing page. Change your form to method="post":
<form action="save_edit.php"
method="post" name="myForm">
PS. You shouldn't close an opening tag with />.

How to retrieve value from the Check boxes?

I'm trying to get the emails corresponding to the checkbox using the following codes. But, I'm not getting the correct checked emails in the new variable. Can anyone please check ??
<?php
include("connection.php");
$username=$_SESSION['username'];
$query=mysql_query("SELECT * FROM contacts WHERE username='$username'");
$num=mysql_num_rows($query);
$info=mysql_fetch_array($query);
$i=0;
$msg='';
?>
<table width="672" border="0">
<?php
$i=0;
while($info)
{
?>
<form action="compose.php" method="post">
<tr style="font-size:14px;">
<td width="21" bgcolor="#f2f2f2"> <input type="checkbox" name="add" onSelect="<?php $msg=$msg.$info['email'].", ";?>"/> </td>
<td width="229" bgcolor="#f2f2f2"> <?php echo $info['email']; ?> </td>
<td width="408" bgcolor="#f2f2f2"> <?php echo $info['name']; ?> </td>
</tr>
<?php
$info=mysql_fetch_array($query);
$i++;
}
$_SESSION['contacts']=$msg;
?>
<tr><td></td><td></td><td><br />
<input class="new-button" type="submit" value="Insert & Compose" name="submit" /></td>
</tr>
</form>
</table>
To get any value back for checkboxes they must have a value=. In your case you probably would want the value to be the according email address.
One problem with your code is using onSelect= instead of value=, and second you didn't print the actual value into the page. Rewrite it to:
<td width="21" bgcolor="#f2f2f2">
<input type="checkbox" name="add"
value="<?php print $info['email']; ?>"/> </td>
If you need the $msg variable to do something, assemble it after the output.
<input type="checkbox" name="add" value="<?php echo $msg.$info['email'];?>"/>
checkbox does not have onSelect event probobly you got value in mind and in PHP code you should echo and what .", " is for?

Categories