I have made a CRUD application using PHP and Bootstrap.
My delete_record.php file contains the following code:
<?php
include("includes/header.php");
include("includes/nav.php");
if (isset($_GET['mid'])) {
$sql = "DELETE FROM medical_records WHERE mid = " . $_GET['mid'];
//echo $sql;
if (mysqli_query($con, $sql)) {
//header("Location: {$_SERVER['HTTP_REFERER']}");
echo "Record successfully deleted";
} else {
echo "Error: " . mysqli_error($con);
}
}?>
<?php include("includes/footer.php"); ?>
The page used to make a simple redirect to the previous url with this line:
header("Location: {$_SERVER['HTTP_REFERER']}");
I have commented it out in order to "Ajaxify" the process. For this purpose I have used:
$('.delete-icn').on('click', function(evt){
evt.preventDefault();
var mid = $(this).data('mid');
if(confirm('Are you sure you want to delete?')) {
$.ajax({
url: 'delete_record.php?mid=' + mid,
method: 'GET',
data: {mid:mid},
success: function(deleteMsg){
$('#delete_msg').slideDown(250);
$('#delete_msg').text(deleteMsg);
}
});
}
});
But this not only does not delete the record, it returns the html of an entire page inside the alert paragraph tag <p id="delete_msg" class="text-center alert alert-success"></p> instead of only "Record successfully deleted";
Where is the mistake? Thank you!
UPDATE: In the delete_record.php file I have kept only:
if (isset($_GET['mid'])) {
$sql = "DELETE FROM medical_records WHERE mid = " . $_GET['mid'];
if (mysqli_query($con, $sql)) {
//header("Location: {$_SERVER['HTTP_REFERER']}");
echo "Record successfully deleted";
} else {
echo "Error: " . mysqli_error($con);
}
}?>
No significant change happened as a result of this.
Ok, your answer may work fine, but here's a question. What happens when someone calls http://example.com/delete_record.php?mid=1&20OR%201%3D1? Answer: you execute the following query and your entire database is wiped out.
DELETE FROM medical_records WHERE mid = 1 OR 1=1;
Try using prepared statements instead:
<?php
include("functions/init.php");
if (isset($_GET['mid'])) {
$sql = "DELETE FROM medical_records WHERE mid = ?";
$stmt = $con->prepare($sql);
$stmt->bind_param("i", $_GET["mid"]);
if ($stmt->execute()) {
echo "Fisa a fost stearsa.";
} else {
echo "Error: $stmt->error";
}
}
Use mysqli_affected_rows to check whether DELETE query worked or not.
Example (from php.net)
<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
if (!$link) {
printf("Can't connect to localhost. Error: %s
", mysqli_connect_error());
exit();
}
/* Insert rows */
mysqli_query($link, "CREATE TABLE Language SELECT * from CountryLanguage");
printf("Affected rows (INSERT): %d
", mysqli_affected_rows($link));
mysqli_query($link, "ALTER TABLE Language ADD Status int default 0");
/* update rows */
mysqli_query($link, "UPDATE Language SET Status=1 WHERE Percentage > 50");
printf("Affected rows (UPDATE): %d
", mysqli_affected_rows($link));
/* delete rows */
mysqli_query($link, "DELETE FROM Language WHERE Percentage < 50");
printf("Affected rows (DELETE): %d
", mysqli_affected_rows($link));
/* select all rows */
$result = mysqli_query($link, "SELECT CountryCode FROM Language");
printf("Affected rows (SELECT): %d
", mysqli_affected_rows($link));
mysqli_free_result($result);
/* Delete table Language */
mysqli_query($link, "DROP TABLE Language");
/* close connection */
mysqli_close($link);
?>