PHP delete script, return to 'viewsubjects.php?classroom_id=NO VALUE'

As the title states... I am deleting a 'subject' from a 'classroom' I view classrooms, then can click on a classroom to view the subject for that classroom. So the link where I am viewing subjects looks like:

viewsubjects.php?classroom=23

When the user selects the delete button (in a row) to remove a subject from a class, I simply want the user to be redirected back to the list of subjects for the classroom (exactly where they were before!!)

So I thought this is simply a case of calling up the classroom ID within my delete script. Here is what I have:

EDIT: corrected spelling mistake in code (this was not the problem)

    $subject_id = $_GET['subject_id'];
    $classroom_id = $_GET['classroom_id'];

    $sql = "DELETE FROM subjects WHERE subject_id=".$subject_id;
    $result = mysql_query($sql, $connection)
        or die("MySQL Error: ".mysql_error());

    header("Location: viewsubjects.php?classroom_id=".$classroom_id);
    exit();

The subject is being removed from the DB, but when I am redirected back the URI is displaying with an empty classroom ID like:

viewsubjects.php?classroom_id=

Is there a way to carry the classroom ID through successfully through the delete script so it can be displayed after, allowing the user to be redirected back to the page? Thanks for any help!


Spelling mistake in your code?

Change line 2 to: $classroom_id = $_GET['classroom'];


Just to note, if this is an admin function: great.

If this is on the front end, you need to consider making sure the subject_id is clean as it would be very easy to hack into your site.


It should be $classroom_id = $_GET['classroom'];

Not: $classroom_id = $_GET['classrom_id'];

EDIT: You have edited your code, but does the string in the $_GET variable match that string in the URL?


Why don't you add classroom_id to the delete form in a hidden field?


This may be a little verbose ...but let's see what happens with

    // Refuse to run unless both parameters are present in the query string
    if ( !isset($_GET['subject_id']) ) {
      echo 'DEBUG: missing GET parameter subject_id';
      var_dump($_GET);
      die;
    }
    if ( !isset($_GET['classroom_id']) ) {
      echo 'DEBUG: missing GET parameter classroom_id';
      var_dump($_GET);
      die;
    }
    // ...and refuse to run if either one is present but blank
    else if ( 0===strlen(trim($_GET['subject_id'])) ) {
      echo 'DEBUG: empty GET parameter subject_id';
      var_dump($_GET);
      die;
    }
    else if ( 0===strlen(trim($_GET['classroom_id'])) ) {
      echo 'DEBUG: empty GET parameter classroom_id';
      var_dump($_GET);
      die;
    }

    // Escape the value before it goes into the quoted SQL literal
    $subject_id = mysql_real_escape_string($_GET['subject_id'], $connection);

    $sql = "DELETE FROM subjects WHERE subject_id='$subject_id'";
    $result = mysql_query($sql, $connection) or die("MySQL Error: ".mysql_error());
    if ( 0===mysql_affected_rows($connection) ) {
      echo 'no such subject_id found. no records have been deleted';
      die;
    }

    // urlencode() so the id cannot break the query string of the redirect
    header("Location: viewsubjects.php?classroom_id=".urlencode($_GET['classroom_id']));
    exit();

(it also fixes the sql injection vulnerability)


In response to the above, it'd be easier to do:

    // Reject a missing, blank or non-numeric subject id in one check
    if (!isset($_GET['subject_id']) || empty($_GET['subject_id']) || !is_numeric($_GET['subject_id'])) {
        throw new Exception('Subject Id is not set');
    }
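To tie the validation advice in the answers above to the original delete script, here is a hardened version of that handler, written as an added example rather than code from the question or any answer. It assumes a mysqli connection in $connection, that the delete button submits a POST form with subject_id and classroom_id hidden fields, and that the subjects table carries a classroom_id column; the redirect uses the `?classroom=` parameter name from the question's URL.

```php
<?php
// Added example: hardened delete handler (assumptions: mysqli in $connection,
// a POST form with hidden subject_id/classroom_id fields, subjects.classroom_id column).
declare(strict_types=1);

/**
 * Return a positive-integer id from a request array, or null when absent or malformed.
 * filter_var() rejects "", "12abc", "-3" and "1e3" outright, so nothing but digits survives.
 */
function positive_int(array $params, string $key): ?int
{
    if (!isset($params[$key])) {
        return null;
    }
    $value = filter_var($params[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

// A delete is a state change: require POST so a prefetched or crawled link cannot trigger it.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

$subject_id   = positive_int($_POST, 'subject_id');
$classroom_id = positive_int($_POST, 'classroom_id');   // hidden field in the delete form

if ($subject_id === null || $classroom_id === null) {
    http_response_code(400);
    exit('Bad Request: subject_id and classroom_id must be positive integers');
}

// Prepared statement: the ids are bound as integers, never concatenated into the SQL text.
// Scoping the DELETE to the classroom the form came from keeps one classroom's delete
// button from removing a subject that belongs to another classroom.
$stmt = $connection->prepare('DELETE FROM subjects WHERE subject_id = ? AND classroom_id = ?');
$stmt->bind_param('ii', $subject_id, $classroom_id);
$stmt->execute();
$deleted = $stmt->affected_rows;
$stmt->close();

if ($deleted === 0) {
    http_response_code(404);
    exit('No such subject in this classroom');
}

// Only the validated integer goes back into the URL, so the redirect target can never be
// empty (the original symptom) or carry anything other than the digits that were checked.
header('Location: viewsubjects.php?classroom=' . $classroom_id, true, 303);
exit;
```

The 303 status makes the browser follow the redirect with GET, so a refresh on viewsubjects.php does not resubmit the delete.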