  1. #1 BJ Duncan (SitePoint Evangelist; Bowen Mountain, NSW; joined Jun 2007; 490 posts)

    a link to delete an entry (was "Can I please get some help!")

    Hey troops,

    Oh man I am getting so frustrated with this issue I have

    I have been trying to make a link that will delete an entry to a database. I can get it working with a $_GET method, but I would like to do it via $_POST as I don't want the id number displayed in the url as it would be vulnerable for the others to be deleted too.

    Here is what I have at the moment:

    in the body:
    PHP Code:
    if (isset($message)) {
        echo '<p class="error">', $message, '</p>';
    }

    $i = 0;
    // positions at which a new table row is started (every second cell, up to 70)
    $value = array(2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58,60,62,64,66,68,70);
    while ($row = mysql_fetch_array($result)) {
        echo "<td>".$row['jobCategoryName']."&nbsp;<a href='".$_SERVER['PHP_SELF']."?jobCategoryId=".$row['jobCategoryId']."'>Delete</a></td>";
        $i++;
        if (in_array($i, $value)) {
            echo "</tr><tr>";
        }
    }

    This is the validation:
    PHP Code:
    $message = '';
    $jobName = '';
    if (isset($_GET['jobCategoryId'])) {
        @include('../../signup.php'); # db signup
        // the id is numeric, so cast it: a non-numeric value can then never reach the query
        $jobId = (int) $_GET['jobCategoryId'];
        $query = "SELECT jobCategoryName FROM jobCategory WHERE jobCategoryId = '$jobId' LIMIT 1";
        $result = mysql_query($query);
        if ($result) {
            while ($row = mysql_fetch_array($result)) {
                $jobName = $row['jobCategoryName'];
            }
        }
        $delete = "DELETE FROM jobCategory WHERE jobCategoryId = '$jobId'";
        $resultdelete = mysql_query($delete);
        if (!$resultdelete) {
            $message .= "That didn't work!";
        } else {
            $message .= "You have just deleted ".$jobName." from the database.";
        }
    }

    How do I get it so it doesn't show in the url?

    Any help would be so much appreciated!
    Regards,
    BJ Duncan

  2. #2 SitePoint Enthusiast (Hertfordshire, England; joined Jan 2004; 30 posts)
    I might be missing something but regardless of what you're trying to do with the form variables you can just change the method of the form like this:
    <form action="" method="POST">
    <form action="" method="GET">
    Then your variables will be available with $_GET[] and $_POST[].

    Hope that helps.
    MH

  3. #3 bLueFrogX (SitePoint Zealot; In the blogosphere; joined Oct 2007; 108 posts)
    Hiding it as POST won't do much good, you'd best just set user permissions. Security via obscurity is a terrible mantra to follow :P

  4. #4 MikeBigg (SitePoint Guru; Reading, UK; joined Jun 2004; 970 posts)
    When I do this (delete a record based on a id in a post variable) I include an additional post variable.

    The additional field must somehow match the id before the delete is attempted.

    I have done this in a few different ways - for example:

    o create and save a random string and store it in the db with the id;
    o concatenate several fields (id+name+emailaddr) then encrypt.

    Mike

  5. #5 ruby-lang (SitePoint Addict; joined Aug 2007; 389 posts)
    From a high-level design standpoint, leaving GET for queries is a best practice. Among other things, it prevents spiders and web accelerators from trying to fetch the delete page and accidentally deleting the entry.

    One way to implement it is with JavaScript:
    Code PHP:
    ...

    // the onclick attribute needs escaped double quotes inside the PHP string
    echo "<td>".$row['jobCategoryName']."&nbsp;<a href='#' onclick=\"deleteEntry('".$row['jobCategoryId']."'); return false;\">Delete</a></td>";

    ...

    <script>
    // 'delete' is a reserved word in JavaScript, so the function gets another name
    function deleteEntry(id) {
      var form = document.getElementById('deleteForm');
      form.jobCategoryId.value = id;
      form.submit();
    }
    </script>

    ...

    <form id='deleteForm' action='<?=$_SERVER['PHP_SELF']?>' method='POST'>
    <input type='hidden' name='jobCategoryId'>
    </form>

  6. #6 tbakerisageek (SitePoint Addict; joined Sep 2006; 213 posts)
    I like to create a token to send along with it. I have 2 functions I've created:
    Code PHP:
    function make_token($input) {
        // the token depends on the id, today's date and a secret salt
        return md5($input.date('mdY').'BIGLONGSCARYSALTTHATCANTBEGUESSED');
    }

    function check_token($input, $token) {
        // strict comparison: loose == would treat two different hashes that look numeric as equal
        if (md5($input.date('mdY').'BIGLONGSCARYSALTTHATCANTBEGUESSED') === $token) {
            return TRUE;
        } else {
            return FALSE;
        }
    }

    I use this token along with the ID. This way you don't have to store a hashed value in a database. If you do store it in a DB you have to worry about cleaning them up later, which is no fun. The hashed value changes for a given ID on a daily basis so there is no worry that it will be used again.

    For the value of BIGLONGSCARYSALTTHATCANTBEGUESSED, I suggest using https://www.grc.com/passwords
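    The same idea as the two functions above, written as an added example (not code from the post or the thread): the token is bound to the item id and the calendar day, but it uses a keyed HMAC-SHA256 instead of md5 over a concatenated salt, a constant-time comparison instead of ==, and a field separator so different id/user pairs cannot run together. It also goes one step beyond the post by binding the acting user's id into the token, so a token minted on one user's page is useless on another's. The secret key, the ids and the fixed date are constructed placeholders; it is Python rather than the thread's PHP so it runs stand-alone.

```python
import datetime
import hashlib
import hmac

# Constructed placeholder secret; a real deployment loads a long random value
# from configuration (the post suggests a generated random string) and never
# hard-codes it or commits it to source control.
SECRET_KEY = b"PLACEHOLDER-secret-replace-with-random-bytes"


def _message(item_id, user_id, day):
    # Fixed field order plus a separator, so id "1"/user "23" and id "12"/user "3"
    # can never produce the same bytes.
    return f"{item_id}|{user_id}|{day}".encode()


def make_token(item_id, user_id, secret=SECRET_KEY, today=None):
    """Token for one item, one user and one calendar day (date('mdY') in the post)."""
    day = (today or datetime.date.today()).strftime("%m%d%Y")
    return hmac.new(secret, _message(item_id, user_id, day), hashlib.sha256).hexdigest()


def check_token(item_id, user_id, token, secret=SECRET_KEY, today=None):
    """True only if the token was minted for this item, this user and today."""
    expected = make_token(item_id, user_id, secret, today)
    # Constant-time comparison: a plain == stops at the first differing character
    # and so leaks how much of the token was right.
    return hmac.compare_digest(expected, token)


def demo():
    """Mint a token for item 7 / user 42 on a fixed day and run three checks."""
    day = datetime.date(2007, 10, 15)  # constructed date so the demo is repeatable
    token = make_token(7, 42, today=day)
    return (
        check_token(7, 42, token, today=day),                               # genuine
        check_token(8, 42, token, today=day),                               # id swapped in the URL
        check_token(7, 42, token, today=day + datetime.timedelta(days=1)),  # token from yesterday
    )


if __name__ == "__main__":
    print("genuine, id-swapped, next-day:", demo())
```

    Note what the token does and does not prove: it shows that the id was issued on a page this user was allowed to see today, which is the post's intent, and nothing more. Binding the date to the day means a token issued just before midnight stops working a moment later, so a form left open across midnight fails its check; a timestamp with an explicit validity window avoids that edge.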

  7. #7 Dan Grossman (@djg on Twitter; Philadelphia, PA; joined Aug 2000; 20,580 posts)
    By displaying a list of items that can be deleted, I assume there was some logic in choosing that list out of all possible items. Use the same logic when receiving the form or URL for a delete to ensure the ID is one the user is allowed to delete. That permission shouldn't be handled by obscurity or randomness if it can be enforced directly...

  8. #8 tbakerisageek (SitePoint Addict; joined Sep 2006; 213 posts)
    Dan,
    That's the wonderful part of how I do it. Even if I choose to put the ID to be deleted clear as day in the URL, the associated token that is created can only be created from a page that displays items that the current user is ALLOWED to delete. I do use a permissions system to ensure that the current user is allowed to generate the current page. This means that the ID/token combination should only be available to someone who is allowed to see it.

    They can attempt to change the ID in the url but then the token will not match. If you try to reverse engineer the token, it will take you longer than when the token will change by!!

  9. #9 Dan Grossman (@djg on Twitter; Philadelphia, PA; joined Aug 2000; 20,580 posts)
    But...WHY?

    If you have a way to know which IDs a user can delete to display them, you already have a way to know which the user can delete when they try to do so. Why create a whole second system?

    For example, if the list of jobs you determined you should show a DELETE button for are those whose creator_id is equal to the user's ID, then when you DELETE, you just append the ID to the WHERE clause...

    Code:
    DELETE FROM jobs WHERE id = $_GET['id'] AND creator_id = $_SESSION['user_id']
    ...and the user's ability to delete only jobs he created is enforced without any secondary system.
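    The pattern Dan describes here (and restates in #13: the same permission lookup applied once when listing and once when deleting), as an added example that is not code from the thread. It is Python with an in-memory SQLite table rather than the thread's PHP and MySQL, and the schema, the ownership rule creator_id = ? and the sample rows are constructed for the demo. The one difference from Dan's one-liner is that the job id and the session's user id are passed as bound parameters instead of being pasted into the SQL string, which is what keeps a crafted id from altering the query.

```python
import sqlite3

# The ownership rule, written once and reused by both the listing and the
# delete so the two can never drift apart. Constructed rule; the thread's
# real table and permission logic are not given.
OWNED_BY = "creator_id = ?"


def setup_db():
    """Constructed sample data: two users (10 and 20), each owning two jobs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, creator_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO jobs (id, title, creator_id) VALUES (?, ?, ?)",
        [(1, "Plumber", 10), (2, "Electrician", 10),
         (3, "Carpenter", 20), (4, "Painter", 20)],
    )
    conn.commit()
    return conn


def list_deletable_jobs(conn, user_id):
    """Rows the page may show a Delete link for: exactly the rows OWNED_BY allows."""
    sql = f"SELECT id, title FROM jobs WHERE {OWNED_BY} ORDER BY id"
    return conn.execute(sql, (user_id,)).fetchall()


def delete_job(conn, job_id, user_id):
    """Delete job_id only if OWNED_BY holds for user_id; returns rows removed.

    user_id comes from the server-side session, never from the request, and
    both values are bound parameters. A return of 0 means either no such job
    or not this user's job; both cases are refused by the same WHERE clause,
    so a changed id in the form or URL simply matches nothing.
    """
    sql = f"DELETE FROM jobs WHERE id = ? AND {OWNED_BY}"
    cur = conn.execute(sql, (job_id, user_id))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = setup_db()
    print("user 10 sees:", list_deletable_jobs(db, 10))
    print("user 10 deleting job 3 (owned by 20) removed:", delete_job(db, 3, 10))
    print("user 10 deleting job 1 (own) removed:", delete_job(db, 1, 10))
    print("user 20 still sees:", list_deletable_jobs(db, 20))
```

    Because the listing and the delete share OWNED_BY, widening the rule later (a manager's team, for instance) changes who may delete in the same edit that changes who sees the link, with no second token system to keep in step.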

  10. #10 BJ Duncan (SitePoint Evangelist; Bowen Mountain, NSW; joined Jun 2007; 490 posts)
    Thanks to all for your valuable input. It is very much appreciated guys, thanks heaps.
    Regards,
    BJ Duncan

  11. #11 BJ Duncan (SitePoint Evangelist; Bowen Mountain, NSW; joined Jun 2007; 490 posts)
    And happy birthday Dan!
    Regards,
    BJ Duncan

  12. #12 tbakerisageek (SitePoint Addict; joined Sep 2006; 213 posts)
    Quote Originally Posted by Dan Grossman:
    But...WHY?

    If you have a way to know which IDs a user can delete to display them, you already have a way to know which the user can delete when they try to do so. Why create a whole second system?

    For example, if the list of jobs you determined you should show a DELETE button for are those whose creator_id is equal to the user's ID, then when you DELETE, you just append the ID to the WHERE clause...

    Code:
    DELETE FROM jobs WHERE id = $_GET['id'] AND creator_id = $_SESSION['user_id']
    ...and the user's ability to delete only jobs he created is enforced without any secondary system.
    It's not always going to be the case that the item is being deleted. Nor is it always the case that the creator is the one deleting (Or modifying, selecting, updating, validating, selecting,... You get the idea) the item. It may be a manager, co-worker, subordinate or someone else who for some reason or another has access to *use* the item. The item will not be available on screen unless the user has access to *use* it, thus no token is created.

  13. #13 Dan Grossman (@djg on Twitter; Philadelphia, PA; joined Aug 2000; 20,580 posts)
    And whatever rule allowed that manager, co-worker, subordinate or someone else who has access to the item to see it in their list can be applied to letting them delete it without a secondary token system.

    There is no case where a program can determine when it's authorized to show a delete button but can't determine when it's authorized to process that delete button's submission... the user either had the delete permission or not, and the same lookup, however simple or complex, just has to be applied twice.

  14. #14 tbakerisageek (SitePoint Addict; joined Sep 2006; 213 posts)
    How about activating a user account via email. No State can be Session'ed there?

  15. #15 Dan Grossman (@djg on Twitter; Philadelphia, PA; joined Aug 2000; 20,580 posts)
    That's an unrelated problem. You're not verifying access to part of the application, you're verifying outside data the application doesn't have access to.
