Delete button and confirmation
D

3

1

Hi, I have a working link to delete a row from my database.

<a href="?action=delete&id=<? echo $id ?>" onclick="return confirm('Are you sure you want to delete?')"><strong>Delete this Case</strong></a></td>
<?php
    if($_POST['action']=="delete")
    {
         $id = $_POST['id'];

         mysql_query("DELETE FROM rmstable2 WHERE id= '$id'");
         echo("> Case # $id has been deleted as requested. To see your changes please click <a href='/martinupdate.php?id=$id'>here</a></b><br>");
    }
?>

What I am looking to do is, instead of having a link, have a button that when pressed brings up a confirmation and then deletes the row if true.
I do not want accidental deletions.

<form>
    <input type="button" value="Delete this Case" onclick="return confirm('Are you sure you want to delete?')"; 
    <a href="?action=delete&id=<? echo $id ?>">
</form>
Denture answered 6/6, 2013 at 12:37 Comment(7)
Don't use GET to delete things! All that will happen is a machine will come along and follow all the links and delete everything from your database! – Sines
This is an admin page and it is a prototype so I am not worried about that much, it's more to get it working and then show it as a prototype that will be rebuilt using another language. – Denture
Did you hear about CSRF? This may be vulnerable to CSRF. – Cellulous
@Denture That's good to know, but nonetheless, others may come along and see this Stack Overflow post and copy you in production environments. – Sines
@messifan You are right about that, what is a better option? – Denture
@Denture Use POST instead of GET. – Ready
And your script is vulnerable to SQL injection. – Hourigan
S
5

Try this at the top of your file:

<?php

if ($_SERVER['REQUEST_METHOD'] == 'DELETE' || ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['_METHOD'] == 'DELETE')) {
    $id = (int) $_POST['id'];
    $result = mysql_query('DELETE FROM rmstable2 WHERE id='.$id);
    if ($result !== false) {
        // there's no way to return a 200 response and show a different resource, so redirect instead. 303 means "see other page" and does not indicate that the resource has moved.
        header('Location: http://fully-qualified-url/martinupdate.php?id='.$id, true, 303);
        exit;
    }
}

With this as the form:

<form method="POST" onsubmit="return confirm('Are you sure you want to delete this case?');">
    <input type="hidden" name="_METHOD" value="DELETE">
    <input type="hidden" name="id" value="<?php echo $id; ?>">
    <button type="submit">Delete Case</button>
</form>
Sines answered 6/6, 2013 at 13:43 Comment(1)
A follow-up note to people who are still coming to this answer: The goal here was for a form that posted to itself with an ID to be deleted. This is not a RESTful design. A better design would be to send the request to a URL that included the ID in the address (rather than the request body), such as /cases/23 or /cases?id=23. The latter could well have been used here, actually, but the poster may have had other code that used $_POST['id'] so I played safe and left it as a POST field in the answer. – Sines
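The comments on the question raise CSRF and SQL injection, which moving the delete to POST does not address by itself. The following is an added example, not code from any poster in this thread: the same self-posting delete form with a per-session CSRF token checked via hash_equals() and a PDO prepared statement. The DSN, credentials, the csrf_token field name and the sample $id are assumptions.

```php
<?php
// Added example, not code from the thread. DSN, credentials and the
// 'csrf_token' session/field name are placeholders chosen for illustration.
session_start();

// One random token per session; it is embedded in the form and checked on POST.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'delete') {
    // Reject requests that do not carry this session's token (CSRF check).
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }

    // Accept only a positive integer id; anything else is a bad request.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid case id.');
    }

    $pdo = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4',
        'EXAMPLE_USER', 'EXAMPLE_PASS',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // Bound parameter: the id never becomes part of the SQL text.
    $stmt = $pdo->prepare('DELETE FROM rmstable2 WHERE id = :id');
    $stmt->execute([':id' => $id]);

    // 303 so that a browser reload does not re-submit the delete.
    header('Location: /martinupdate.php?id=' . $id, true, 303);
    exit;
}
$id = 23; // constructed sample value; the real page sets $id elsewhere
?>
<form method="POST" onsubmit="return confirm('Are you sure you want to delete this case?');">
    <input type="hidden" name="action" value="delete">
    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8'); ?>">
    <input type="hidden" name="id" value="<?php echo (int) $id; ?>">
    <button type="submit">Delete Case</button>
</form>
```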
T
5

You have to put your confirmation in the onSubmit event of the form,

so if the user cancels the confirmation, the form won't be sent.

<form onSubmit="return confirm('Are you sure you want to delete?')">
<button type="submit" ...>
</form>
Thetis answered 6/6, 2013 at 12:40 Comment(5)
I am a bit confused, is this separate to the form I have already or should I add onSubmit to button code? – Denture
He means on the same form, you replace the <a> with a <button> to submit the form though. – Sines
@Nicholas I am getting a boolean now :/ – Denture
The return value of the dialog should prevent/allow the submission to continue. I will try adding my own answer. – Sines
@Nicholas Thank you! Maybe I am doing it wrong. The confirmation works but then I get a boolean. – Denture
K
2

HTML:

<form id="delete-<?php echo $id; ?>" action="?action=delete" method="post">
    <input type="hidden" name="id" value="<?php echo $id; ?>" />
    <input type="submit" value="Delete this Case" /> 
</form>

JS (I'm assuming jQuery for ease):

$("#delete-<?php echo $id; ?>").submit(function() {
    return confirm("Are you sure you want to delete?");
});

What this does is prevent the default submit action if the js confirm returns false (doesn't submit) otherwise lets the regular post go through.

Note: you really shouldn't use html attributes to declare event handlers, this code separates the logic.

EDIT: @Nicholas comment

This is a non-jQuery solution. I didn't test it, and I don't believe that preventDefault works in IE <= 8, so I probably wouldn't use it in production, BUT it could be done w/o too much code; jQuery just makes it cross-browser and easier.

function loaded()
{
    document.getElementById("delete-<?php echo $id; ?>").addEventListener(
        "submit",
        function(event)
        {
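            // Cancel the submission only when the user declines the confirmation.
            // (A return value is ignored for handlers added with addEventListener.)
            if(!confirm("Are you sure you want to delete?"))
            {
                event.preventDefault();
            }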
        },
        false
     );
}
window.addEventListener("load", loaded, false);
Knighton answered 6/6, 2013 at 13:47 Comment(1)
No indication was given that jQuery was available. Without jQuery (or another library) separating out the logic is going to be a fair bit more long-winded. – Sines
