53416

Delete MySQLi record without showing the id in the URL

I'm trying to delete records from the DB by their ID. The code works as it should but the problem is the ID is coming up in the URL, which from my knowledge it's unsafe.

URL: "http://localhost/Project/includes/delete.php?id=27"

I have used prepared statement to delete the records but the problem comes from the button. IS there any other approach to the one I'm already using to make it safe?

Here is the code:

while($row = $result->fetch_assoc()) { echo '<tr>'; echo '<td>' . $row['row1'] . '</td>'; echo '<td>' . $row['row2'] . '</td>'; echo '<td>' . $row['row3'] . '</td>'; echo '<td><a href="delete.php?id=' . $row['id'] . '">Delete</a></td>'; echo '</tr>'; } if (isset($_GET['id']) && is_numeric($_GET['id'])) { $id = $_GET['id']; if ($stmt = $mysqli->prepare("DELETE FROM table WHERE id = ? LIMIT 1")) { $stmt->bind_param("i", $id); $stmt->execute(); printf("Affected rows (DELETE): %d\n", $mysqli->affected_rows); $stmt->close(); } }

Basically I'd like to the make the whole row clickable, whenever the user clicks on the row to delete the records, rather than using the buttons. However, my big challenge is how not to show its ID in the URL.

Any help is highly appreciated.

Thank you

Answer1:

Set the Id in $_SESSION and you can pass it between pages.

OR

You can do it with ajax

while($row = $result->fetch_assoc()) { echo '<tr class=\"deleted\">'; echo '<td>' . $row['row1'] . '</td>'; echo '<td>' . $row['row2'] . '</td>'; echo '<td>' . $row['row3'] . '</td>'; echo '<td><a href="#" id="'. $row['id'] .'" class=\"delete\">Delete</a></td>'; echo '</tr>'; }

Add this script in page where above code is located ;

<script type="text/javascript"> $(function() { $(".delete").click(function(){ var element = $(this); var del_id = element.attr("id"); var info = 'id=' + del_id; if(confirm("Are you sure you want to delete this?")){ $.ajax({ type: "POST", url: "delete.php", data: info, success: function(){ } }); $(this).parents(".deleted").hide(500); } return false; }); }); </script>

create a delete.php in root and it will be like

<?php //Add your database connection first here if (isset($_POST['id']) && is_numeric($_POST['id'])) { $id = $_POST['id']; if ($stmt = $mysqli->prepare("DELETE FROM table WHERE id = ? LIMIT 1")) { $stmt->bind_param("i", $id); $stmt->execute(); //Set if condition here to check and show response if ($stmt) { echo "<font color='red'>Record Deleted Successful</font>"; } else { echo "<font color='red'>Error While Trying To Delete Record, Please Try Again</font>"; } //printf("Affected rows (DELETE): %d\n", $mysqli->affected_rows); $stmt->close(); } } ?>

With Ajax, your page won't be refreshed and data will be deleted from database and deleted row will be hidden from user

Answer2:

Encode the ID with a two-way encryption, so that it is 'sent' encoded, and decoded to use.

Answer3:

To do this you could place a form in the last table cell:

echo '<td><form action="delete.php" method="post">'; echo '<input type="hidden" name="id" value="' . $row['id'] . '/>'; echo '<input type="submit" value="Delete" />'; echo '</form></td>';

The form uses a hidden input for your id value.

In your PHP you would then change to the $_POST array, $_POST['id']

Recommend

  • Reset MySqli pointer?
  • How to call mysqli_stmt with call_user_func_array?
  • Problems with inserting registering information into a Mysql database
  • Are mysqli_result::free and mysqli_stmt::free_result the same?
  • Execute Success but num_rows return 0 [PHP-MySQL]
  • MySQLi using an IN in a where
  • Passing inputs to program prompt in a batch file
  • PHP PDO Update prepared statement problem
  • Can't connect with PDO using ssl but mysqli with ssl works
  • Inserting NULL/empty string using libpqxx library
  • Encode string to match encoded form field name in PHP POST array
  • array_search() in Session Array
  • Let a function return any type in C++ class
  • Why cout is producing no output on Code Blocks?
  • Magento site down due to mysql error General error: 1030 Got error -1 from storage engine
  • User messaging system
  • How to print columns containing value
  • Undefined references when compiling gSOAP client
  • Low TTL with Leveled Compaction, should I reduce gc_grace_seconds to improve read performance withou
  • Security issues with PHP's Readfile method
  • Button click event not firing in jQuery
  • onBackPressed() not being executed
  • Webgrid not refreshing after delete MVC
  • Limiting recursion to certain level - Duplicate rows
  • Unity3D & Android: Difference between “UnityMain” and “main” threads?
  • why overloaded new operator is calling constructor even I am using malloc inside overloading functio
  • Adding a button at the bottom of a table view
  • Using $this when not in object context
  • Getting last autonumber in access
  • Submit form in a displaytag pagination
  • How to limit post in wp_query
  • Upload files with Ajax and Jquery
  • Do I've to free mysql result after storing it?
  • GridView Sorting works once only
  • php design question - will a Helper help here?
  • Unanticipated behavior
  • Comma separated Values
  • Hits per day in Google Big Query
  • Trying to get generic when generic is not available
  • Programmatically clearing map cache