How to delete item from DB item passed by $_POST

[EagleM]

I am try to delete a DB record that is supposed to be passed by $_POST.
Here is my form:

<form method="post" action="<?=$_SERVER['SCRIPT_NAME'];?>" ><br />
<table>
<tr>
    <td><input type="submit" name="btnDelete" id="btnDelete" value="Delete Checked"></td>
</tr>
<tr><td colspan="2"><hr /></td></tr>
<tr>
    <td><input type="text" name="txtNewFeature" width="30" size="20" value=""></td>
    <td><input type="submit" name="btnAdd" id="btnAdd" value="Add New Feature"></td>
</tr>
</table>
</form>

The problem is that such a query:

$qryDeleteFeature = "DELETE FROM tblFeature WHERE id_Feature = '" . $_POST['features'] . "'";

Produces empty "id_feature":

DELETE FROM tblFeature WHERE id_Feature = ''

And looping through $_POST elements like this:

foreach ($_POST as $element) echo $element;

ptints only the value of the btnDelete: "Delete Checked", but the value of txtNewFeature doesn't appear to be set.

What am I doing wrong?

 

[jpadie]

i don't see any checkboxes in your form, nor any field called features.

 

[EagleM]

That was quite stupid of me. I used a function to print the checkboxes outside of the form.

Once I print them in the form, how do I access them for deletion?

$qryGetFeatures = "SELECT id_Feature, FeatureName FROM tblFeature";
$rsGetFeatures = mysql_query($qryGetFeatures);
if (mysql_num_rows($rsGetFeatures) > 0)
{
	while ($row = mysql_fetch_assoc($rsGetFeatures)){ ?>
		<input name="features[]" type="checkbox" value="<?=$row['id_Feature'] . '">' . $row['FeatureName'] . '&nbsp'?>
	<?}
}
else
	echo "No features available"
?>

 

[jpadie]

if (isset($_POST['features'])){
 foreach ($_POST['feature'] as $f){
  mysql_query("delete from table where feature='".mysql_escape_string(trim($f))."'");
 }
}

however some browsers do not pass back the values from checkboxes - just a yes/1 if clicked. so it is better to construct your checkboxes like this

while ($row = mysql_fetch_assoc($rsGetFeatures)){
 echo <<<HTML
   <input name="features[{$row['id_Feature']}]" type="checkbox" /> &nbsp; $row['FeatureName'] <br/>

HTML;
}

and then to process it like this

if (isset($_POST['features'])){
 foreach ($_POST['feature'] as $f=>$val){
  mysql_query("delete from table where feature='".mysql_escape_string(trim($f))."'");
 }
}

 

[EagleM]

Thank you!

Why do you use trim() and mysql_escape_string(), if the values are just numbers that are passed by POST?

(The manual for mysql_escape_string() says: "This function became deprecated, do not use this function. Instead, use mysql_real_escape_string().")

 

[jpadie]

because you should, in general, never ever trust user generated input. even if the site is behind a vpn and you have all the javascript validation one could dream of, it's an excellent practice to get into. always cleanse your data.

a proper cleanse would involve testing the data that's arriving in a superglobal element against the range of permitted (and expected) answers and then escaping it. Pear's quickform class is a neat abstraction for doing all this validation for you.

it is better to use mysql_real_escape_string but for this you must have connected to the database first (so that the function can discern what character set the database is using). i tend to clean up and validate all my variables before I connect to the database, and only thereafter connect when I know that I need to (i.e. valid data). so for me, mysql_escape_string is a more constant friend. doubtless I should change and will do so in due course.

as for trim - this is just habit. i *think* that mysql (recent versions anyway) automatically trims string based entries