How do I delete an object in a PHP form?

I’m making a quiz page and I want to make a page where you choose which quiz you edit or delete.

I made a delete function which deletes questions of the quiz first and then the quiz itself. However, it deletes quizzes randomly. I can’t delete all selected quizzes.

Choose_test.php

<?php

        $userid=$_SESSION['userid'];

        $connection = mysqli_connect("localhost", "root", "", "vartvald");
        if ($connection->connect_error) {
            die("Connection failed:" . $connection->connect_error);
        } else {
            $sql = "SELECT * FROM tests WHERE fk_user = '$userid'";
        }

        $result = $connection->query($sql);

        if ($result->num_rows > 0) {
            while ($row = mysqli_fetch_assoc($result)) {
                $id = $row['id'];
                $title = $row['title'];
                $level = $row['level'];
                $teacher = $row['fk_user'];
                echo "<tr style='text-align:center'><td><a href='edit_test.php?id={$row['id']}&level={$row['level']}&teacher={$row['fk_user']}&title={$row['title']}'>" . $row['title'] . "</a>
                </font></center><div><form action='delete_test.php' method='POST'>
                <input id='id' type='hidden' name='id' value=".$id.">
                <button type='submit'>Ištrinti testą</button></form></div></td></tr>";
            }
        } else {
            echo "</table><h2 style='text-align:center'>Nera sukurtu testu..</h2>";
        }

        $connection->close();
        ?>

delete_test.php

<?php
                include("include/meniu.php"); // the menu is inserted according to the user's role
                ?>
                <center>
                    <font size="5"><?php $title ?></font>
                </center><br>

                <?php

                $connection = mysqli_connect("localhost", "root", "", "vartvald");
                if ($connection->connect_error) {
                    die("Connection failed:" . $connection->connect_error);
                }
                
                if (isset($_POST['id'])) {
                    $id = ($_POST['id']);
                }

                $sql = "DELETE FROM questions WHERE fk_test = $id";
                $sql1 = "DELETE FROM tests WHERE id = $id";
                mysqli_query($connection,$sql);
                mysqli_query($connection,$sql1);
                $connection->close();

                header("Location: choose_test.php");
                ?>

What is in your $_POST array when it gets to the delete_test.php file? What values are in the html that your choose_test.php displays if you view the browser source?

I can’t see how it could be “random”. I could see that it is possible to run that with no value for $id in your queries, but in theory that just wouldn’t delete anything. But you should really only run the two delete queries if the $_POST var is set, not check and then run them anyway, potentially with no value for $id.

In delete_test.php, where do you get the $title variable from?

  <font size="5"><?php $title ?></font>

And you either need to use shorthand syntax, or add an echo in there.

And here:

header("Location: choose_test.php");

this probably won’t work, because you’ve already sent stuff to the browser. You should get a “headers already sent” error message, unless you’re buffering output.

I mean, var_dump($sql) var_dump($sql1) gets good parameters. For example, I had 4 quizzes. The first one with one question, the other three empty. The empty ones deleted successfully. For the first one, only the questions got deleted but not the quiz itself.

You could check for errors after you have run the queries, see if that tells you anything. At the moment you just run the query and carry on regardless.

OK, that suggests that the $_POST variable must be coming across correctly.

Are the IDs just numeric? I notice that your html in the form doesn’t surround them with quotes - that might be worth changing.

IDs are numeric, so I don’t quote them.

Well, there’s nothing obvious (to me at least) in the code. Can you show some of the data in the tables, preferably those that don’t delete the way you think they should?

Thank you, but I’ve fixed it. I couldn’t delete some of the quizzes because of foreign constraints of other tables…

Ah, good that it’s working. That’s one of those details that no-one could possibly have guessed.

You do realize anyone can delete your entire database, right? Your code is vulnerable to an SQL Injection Attack.

You need to use Prepared Statements. NEVER EVER put variables in a query. I would also suggest you use PDO. https://phpdelusions.net/pdo

Aside from that, if you have Foreign Keys set up properly you would only need to delete the parent record and all the child records will automatically be deleted with it.

Additionally,

  • the else after your connection is pointless since there is a die right before it. You can remove it.

  • Do not output internal system errors to the user. That info is useless to the user unless they are a hacker.

  • Do not create variables for nothing.

  • There is no need to manually close the connection. PHP will do it automatically.

  • You need to kill the script after header redirects if anything is after it.

  • You are using deprecated HTML. We use CSS now for formatting. Get rid of the font and center tags.

  • There is no need to count rows.

if ($result->num_rows > 0)

can simply be

if ($result)
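
The advice in the post above (prepared statements, no internal errors shown to the user, stopping the script after the redirect), applied to delete_test.php as an added example; it is not code from the thread. It assumes InnoDB tables, that fk_user holds the session user id, and hypothetical DB_USER/DB_PASS environment variable names. It goes one step beyond the post by wrapping both deletes in a transaction, so a foreign-key failure on the second delete no longer leaves a quiz with its questions already removed.

```php
<?php
// Added example: hardened delete_test.php sketch, not the poster's code.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli throws on failure

/** Deletes one test and its questions, only if $userId owns it. */
function deleteTest(mysqli $db, int $testId, string $userId): bool
{
    $db->begin_transaction(); // assumes InnoDB tables
    try {
        // Placeholders keep the values out of the SQL text entirely.
        $stmt = $db->prepare(
            'DELETE FROM questions WHERE fk_test IN
               (SELECT id FROM tests WHERE id = ? AND fk_user = ?)'
        );
        $stmt->bind_param('is', $testId, $userId);
        $stmt->execute();

        $stmt = $db->prepare('DELETE FROM tests WHERE id = ? AND fk_user = ?');
        $stmt->bind_param('is', $testId, $userId);
        $stmt->execute();
        $deleted = $stmt->affected_rows === 1;

        $db->commit();
        return $deleted;
    } catch (mysqli_sql_exception $e) {
        // e.g. a foreign key in another table still references the test:
        // undo the questions delete too, and log instead of echoing.
        $db->rollback();
        error_log('delete_test: ' . $e->getMessage());
        return false;
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['userid'])) {
    // Reject anything that is not a plain integer before touching the DB.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if (is_int($id)) {
        try {
            // DB_USER / DB_PASS are hypothetical environment variable names.
            $db = new mysqli('localhost', getenv('DB_USER') ?: '', getenv('DB_PASS') ?: '', 'vartvald');
            deleteTest($db, $id, (string) $_SESSION['userid']);
        } catch (mysqli_sql_exception $e) {
            error_log('delete_test: connection failed');
        }
    }
}
// No output has been sent above, so the redirect header works; then stop.
header('Location: choose_test.php');
exit;
```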
