
Row deletion


Hooch


I am making an admin area, and am close to finishing. I was wanting the ability to delete users. The deletion code is within a search query. The admin can either edit or delete the user. The edit link works perfect. The delete link kinda works. It's deleting the person who is doing the deletion. (The admin pages are using cookies.) Here's the config.php file:

<?
    ob_start();
    $conn = mysql_connect("localhost","*&*&*","****");
    mysql_select_db(*****) or die(mysql_error());
    $logged = MYSQL_QUERY("SELECT * from users WHERE id='$_COOKIE[id]' AND password = '$_COOKIE[pass]'");
    $logged = mysql_fetch_array($logged);
?>

Then I use

ob_start();

at the top of the admin pages. Here is how I select the row to delete.

<a href="delete_chk.php?id=<? echo $row['id']; ?>" class="link">Delete</a>

Then here is my delete_chk.php page

<?php
include '../includes/config.php';
$sql="DELETE FROM users WHERE id='$id'";
$result=mysql_query($sql);
// if query successful do this
if($result){
    echo "Delete Successful";
    echo "<BR>";
    echo "<a href='admin.php'>Back to main page</a>";
}
else {
    echo "ERROR";
}
mysql_close();
?>

Somehow the logged in Admin's id is getting deleted, and not the one that is selected from the search query. While still in the search query page, the link to the deletion is still ok...it shows the selected user when you hover over the delete link. Once I am directed to the delete_chk.php page, that seems to be the error. I hope I have explained well. Thank you for any help. Hooch

Link to comment
Share on other sites

From what I can work out, you are using a hyperlink to call the page called "delete_chk.php" and passing an id to that page by sticking "?id=something" on the end of the hyperlink. If this is correct I think you need to use $id=$_GET['id'] in your delete_chk page so that the variable $id now holds the value of id that it found at the end of the hyperlink. Try putting it immediately below the <?php declaration on delete_chk page. If that doesn't work let us know and we'll suggest other things.

Link to comment
Share on other sites

You also need to account for SQL injection, and you might also want to do some checking on the user to delete. For example, you probably don't want users to be able to delete themselves, and maybe no one should be able to delete the main admin. Also, if $id is deleting the logged in user, then you probably want to keep the value of $id (in case it gets used somewhere else) and use a new variable for the delete.

<?php
include '../includes/config.php';
$del_id = $_GET['id'];
if ($del_id == "admin")
  $error = "You can't delete the admin"; //make some error
elseif ($del_id == $_COOKIE['id'])
  $error = "You can't delete yourself"; //some other error
else
{
  $sql="DELETE FROM users WHERE id='" . mysql_real_escape_string($del_id) . "'";
  ...
}

Link to comment
Share on other sites
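The checks discussed in this thread (validate the requested id, refuse to delete the main admin or yourself, keep the id out of the SQL text), as an added example that is not code from any poster. It uses PDO with a bound parameter because the mysql_* functions were removed in PHP 7.0; the table contents, the function name delete_user, the constant PROTECTED_ADMIN_ID and the idea that the acting user's id comes from a server-side session are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const PROTECTED_ADMIN_ID = 1; // assumption: the main admin account has id 1

/**
 * Delete a user on behalf of $actorId. $rawTargetId is the untrusted request value.
 * Returns a status string instead of echoing, so the caller decides what to render.
 */
function delete_user(PDO $db, int $actorId, string $rawTargetId): string
{
    // Accept only a positive decimal integer; anything else never reaches SQL.
    $targetId = filter_var($rawTargetId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($targetId === false) {
        return 'invalid id';
    }
    if ($targetId === PROTECTED_ADMIN_ID) {
        return "can't delete the admin";
    }
    if ($targetId === $actorId) {
        return "can't delete yourself";
    }
    // Bound parameter: the id is sent as data, not spliced into the statement text.
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->bindValue(':id', $targetId, PDO::PARAM_INT);
    $stmt->execute();
    // A DELETE that matches nothing still "succeeds"; check the affected row count.
    return $stmt->rowCount() === 1 ? 'deleted' : 'no such user';
}

// Constructed demo data in an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'admin'), (2, 'editor'), (3, 'guest')");

$actorId = 2; // assumption: taken from the server-side session, not from a request variable
foreach (['3', '2', '1', "3' OR '1'='1", '99'] as $requested) {
    printf("%-14s => %s\n", $requested, delete_user($db, $actorId, $requested));
}
printf("rows left: %d\n", $db->query('SELECT COUNT(*) FROM users')->fetchColumn());
```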
