PHP - User Management Delete Problem

I am working on a custom content management system. I was instructed to make some changes, and this is what I need to do: I need to create a user management page which allows the administrator to delete a user (or disable their status) from the database.

This is my User Management Page:

<?php
$query = 'SELECT author_id, author_email as Email, author_name as Name
        FROM authors
        ORDER BY Name
        LIMIT 0, 30';

$result = mysql_query($query);

?>

<table class="listing">
<thead>
    <tr>
        <th>Author ID</th>
        <th>Author E-Mail</th>
        <th>Author Name</th>
        <th>Delete</th>
    </tr>
</thead>
<tbody>
    <?php
    for ($i = 0; $row = mysql_fetch_array($result); $i++) {
        if ($i % 2 == 0) {
            echo '<tr class="even">';
        } else {
            echo '<tr class="odd">';
        }
        echo "<td>{$row['author_id']}</td>";
        echo "<td>{$row['Email']}</td>";
        echo "<td>{$row['Name']}</td>";
        echo "<td><a href=\"del-user.php?term={$row['author_id']}\" onclick=\"javascript:return confirm('Are you sure you want to delete this user?')\">X</a></td>";
        echo '</tr>';
    }
    ?>
</tbody>
</table>

This is my del-user.php page:

<?php
include('inc/config.php');
$title = 'Delete Individual User';
include('inc/db.php');
include('inc/header.php');

echo '<h2>Delete</h2>';

if (isset($GET['term'])) {
    $query = "DELETE FROM authors WHERE author_id = {$GET['term']} LIMIT 1";
    mysql_query($query) or die('Failed to delete user');
    echo '<p>User Deleted</p>';
    echo '<p>Back to <a href="manage-users.php">Manage Users</a>.</p>';
} else {
    echo '<p>Tried to Delete: "';
    echo ($GET['term']);
    echo '"</p>';
    echo '<p>Nothing to Delete</p>';
}

include('inc/footer.php');
?>

I am new to PHP, and this is not working: the author_id value is not being passed to the other page, and it is being left empty, so I cannot delete anything from the del-user.php page.

I'm guessing that this is the problematic part:

echo "<td><a href=\"del-user.php?term={$row['author_id']}\" onclick=\"javascript:return confirm('Are you sure you want to delete this user?')\">X</a></td>";

Does anybody know why this is happening?


Several issues:

You send data like this:

del-user.php?term={$row['author_id']}

So that means that actually $_GET['term'] contains the id.

You catch the value like this:

if (isset($_GET['author_id'])) {
$query = "DELETE FROM authors WHERE author_id = {$_GET['author_id']} LIMIT 1";

And it is not good, since $_GET['term'] contains the id, so you have to fix the lower one to look like this:

if (isset($_GET['term'])) {
    // escape first, then interpolate; the quotes around $id are what make the
    // escaping effective in a SQL string context
    $id = mysql_real_escape_string($_GET['term']);
    $query = "DELETE FROM authors WHERE author_id = '$id' LIMIT 1";

Also you need to expand the select query, since you are not actually fetching the author_id from the db:

$query = 'SELECT author_email as Email, author_name as Name, author_id
        FROM authors
        ORDER BY Name
        LIMIT 0, 30';

Please, escape your variables before you throw them to the database...

http://php.net/manual/en/function.mysql-real-escape-string.php

Cheers


the problem is your query!

$query = 'SELECT author_email as Email, author_name as Name
    FROM authors
    ORDER BY Name
    LIMIT 0, 30';

you are not selecting the author_id


You pass your user id in the url like this:

echo "<td><a href=\"del-user.php?term={$row['author_id']}\"

Then you must GET term, not author_id:

$query = "DELETE FROM authors WHERE author_id = {$_GET['term']} LIMIT 1";

And by the way, you should read about prepared query and sql injection ;)
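The first answer's point about escaping and this answer's pointer to prepared queries both lead to the same place, so here is one hardened del-user.php written as an added example. It is not code from the question or from any of the answers. It assumes inc/db.php exposes a PDO connection as $pdo (a hypothetical name; the question's includes use the old mysql_* extension), that inc/config.php starts the session, and that the Manage Users listing submits the id with a small POST form instead of a bare GET link. Table and column names are the ones from the question.

```php
<?php
// Added example, not the asker's or answerers' code: del-user.php rebuilt on
// PDO prepared statements. Assumes inc/db.php defines $pdo = new PDO(...)
// (hypothetical) and inc/config.php has called session_start().
include('inc/config.php');
$title = 'Delete Individual User';
include('inc/db.php');
include('inc/header.php');

echo '<h2>Delete</h2>';

// 1. A destructive action should be POSTed, not triggered by a GET link:
//    link prefetchers and crawlers follow GET links, and a GET link is
//    trivially forged from another site.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo '<p>Use the delete button on the Manage Users page.</p>';
    include('inc/footer.php');
    exit;
}

// 2. Tie the request to the admin's own session with a CSRF token that the
//    listing page embedded as a hidden field (see the form below).
if (!isset($_POST['csrf'], $_SESSION['csrf'])
    || !hash_equals($_SESSION['csrf'], $_POST['csrf'])) {
    http_response_code(403);
    echo '<p>Invalid request token.</p>';
    include('inc/footer.php');
    exit;
}

// 3. Validate the id as a positive integer before it goes near SQL.
//    filter_input returns null when the field is absent, false when invalid.
$id = filter_input(INPUT_POST, 'term', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    echo '<p>Nothing to delete: missing or invalid user id.</p>';
    include('inc/footer.php');
    exit;
}

// 4. Prepared statement: the id travels as a bound parameter, never as part
//    of the SQL text, so there is nothing left to escape by hand.
$stmt = $pdo->prepare('DELETE FROM authors WHERE author_id = :id LIMIT 1');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

if ($stmt->rowCount() === 1) {
    echo '<p>User deleted.</p>';
} else {
    echo '<p>No user with that id.</p>';
}
echo '<p>Back to <a href="manage-users.php">Manage Users</a>.</p>';

include('inc/footer.php');

// The matching cell in the Manage Users listing (constructed example) replaces
// the "X" link with a form; the confirm() prompt from the question stays:
//
//   <td>
//     <form method="post" action="del-user.php"
//           onsubmit="return confirm('Are you sure you want to delete this user?')">
//       <input type="hidden" name="term" value="<?= (int) $row['author_id'] ?>">
//       <input type="hidden" name="csrf"
//              value="<?= htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') ?>">
//       <button type="submit">X</button>
//     </form>
//   </td>
//
// $_SESSION['csrf'] is generated once per session, e.g. with
// bin2hex(random_bytes(32)), when the admin logs in.
```

Two design notes. The integer validation and PDO::PARAM_INT binding matter because author_id is compared unquoted in the question's query; mysql_real_escape_string alone does nothing useful in an unquoted numeric context, which is why the escaped-but-unquoted version in the first answer is still not safe. Separately, the listing page echoes Email and Name straight into the table; wrapping those in htmlspecialchars() the same way the hidden field does keeps a stored name from injecting markup into the admin page.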


use author_id in your query

<?php
$query = 'SELECT author_id, author_email as Email, author_name as Name
        FROM authors
        ORDER BY Name
        LIMIT 0, 30';

$result = mysql_query($query);

?>
