
Confirming deletion of records

Newbie
 
Join Date: Nov 2009
Posts: 3
#1: 6 Days Ago
I have been developing a website over the past couple for my wife, who is an artist. During that time I have taught myself PHP and MySQL and developed a content management system that allows her to upload and edit pictures, add and delete information like links and exhibitions, and generally stop hassling me.

I have now extended it to cover a couple of her art groups, where she can create and delete new artists and they then have the same control.

As it has been just a hobby and only for her, security hasn't been my greatest concern. However, now that others are using it I am a bit concerned about hackers.

So my question is: how can I intercept a delete artist command and send an email to the person who has administrative rights to confirm that they really want to continue with the deletion, as it could mean deleting hundreds of pictures? I already have an "are you really sure" page for accidents.

Many thanks in advance,

Simon

PS Her site is here and the group site here

Atli
Moderator
 
Join Date: Nov 2006
Location: Iceland
Posts: 3,751
#2: 4 Days Ago

re: Confirming deletion of records


Hey Simon.

A simple way to do something like that is just to generate a unique string, send it to the user via email, and ask them to copy/paste the string into an input box.

Simply put:
<?php
session_start();

// Generate the confirmation key from the CSPRNG. The original used
// md5(microtime(true) . mt_rand(1000)): mt_rand() with a single argument
// is an error, and a key derived from the clock is guessable anyway.
$_SESSION['confirmation_key'] = bin2hex(random_bytes(16));

$to      = 'user@example.com';
$subject = 'Artist deletion confirmation.';
$message = 'This is your key: ' . $_SESSION['confirmation_key'];
$headers = 'From: no-reply@example.com' . "\r\n" .
    'Reply-To: no-reply@example.com' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

if(!mail($to, $subject, $message, $headers)) {
    die('Failed to send the confirmation email. Please go whine about it to the webmaster.');
}
?>
<!DOCTYPE html>
<html>
    <head><title>Delete stuff</title></head>
    <body>
        <form action="deleteStuff.php" method="post">
            The Key: <input type="text" name="the_key" />
            <input type="submit" />
        </form>
    </body>
</html>
<?php
// deleteStuff.php - the session must be started here too, or
// $_SESSION['confirmation_key'] is never populated.
session_start();

if(isset($_POST['the_key'], $_SESSION['confirmation_key'])) {
    // hash_equals() is a strict, constant-time comparison. The original
    // used ==, which treats two hex strings of the form "0e..." as equal.
    if(hash_equals($_SESSION['confirmation_key'], (string) $_POST['the_key'])) {
        // The key is single-use: discard it before doing the work.
        unset($_SESSION['confirmation_key']);
        // Delete stuff
    }
    else {
        echo "Better luck next time.";
    }
}
?>
That's at least the general idea.
Newbie
 
Join Date: Nov 2009
Posts: 3
#3: 4 Days Ago

re: Confirming deletion of records


Atli,

Many thanks for your response. The administrator already has to log in, and I control access to the page that deletes all the pictures and the user using the $_SESSION variable. I have written the code to delete the pictures and user and then got worried about hackers.

What I had in mind was that once the administrator had hit the delete key, the PHP code would be suspended until a confirmation response is received, and if it isn't within, say, 24 hours, it would cancel the delete.

On reflection and researching a bit further I think this is a bit fanciful and I'll rely on the login script and regular backups!

Once again, many thanks for your time and the code; which I will adapt for email confirming when a new user is created.
Atli
Moderator
 
Join Date: Nov 2006
Location: Iceland
Posts: 3,751
#4: 4 Days Ago

re: Confirming deletion of records


Ok, no problem.

One good way to avoid getting hacked and having all your info deleted, is to not use delete statements. Rather than DELETE the user and all the data belonging to it, you could add a 'deleted' field to the user table and UPDATE it to read TRUE. Then you could just omit the users marked deleted from the data you display.

To further protect against this, you could restrict the database user to only be allowed to use the SELECT and INSERT commands on most tables, and UPDATE on only the tables that need it. That way, even if somebody managed to hack his way into an admin account, or get hold of your database login, the worst he would be able to do is replace the data in the UPDATE'able tables and add more data to the others.
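The soft-delete flag and the restricted database account described above, written out as MySQL, as an added example that is not part of the thread. The database name (gallery), the table and column names (artists, pictures, deleted, deleted_at), the account name (webapp) and the 30-day purge window are all assumptions for illustration, not anything Simon's site actually uses.

```sql
-- Assumed schema: each artist owns many pictures. Both tables carry a
-- 'deleted' flag instead of rows ever being removed by the web application.
CREATE TABLE artists (
    id         INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    name       VARCHAR(100) NOT NULL,
    deleted    TINYINT(1)   NOT NULL DEFAULT 0,
    deleted_at DATETIME     NULL
);

CREATE TABLE pictures (
    id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    artist_id INT UNSIGNED NOT NULL,
    filename  VARCHAR(255) NOT NULL,
    deleted   TINYINT(1)   NOT NULL DEFAULT 0,
    FOREIGN KEY (artist_id) REFERENCES artists (id)
);

-- The account the PHP code connects as. It gets no DELETE, DROP or ALTER,
-- and UPDATE only on the columns the soft delete needs. (A real CMS that
-- edits titles etc. would grant UPDATE on those columns as well.)
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT, INSERT ON gallery.artists  TO 'webapp'@'localhost';
GRANT SELECT, INSERT ON gallery.pictures TO 'webapp'@'localhost';
GRANT UPDATE (deleted, deleted_at) ON gallery.artists  TO 'webapp'@'localhost';
GRANT UPDATE (deleted)             ON gallery.pictures TO 'webapp'@'localhost';

-- "Deleting" artist 42 from the web application: two UPDATEs, no DELETE.
UPDATE artists  SET deleted = 1, deleted_at = NOW() WHERE id = 42;
UPDATE pictures SET deleted = 1 WHERE artist_id = 42;

-- Everything the site displays filters on the flag.
SELECT a.name, p.filename
FROM   artists a
JOIN   pictures p ON p.artist_id = a.id
WHERE  a.deleted = 0 AND p.deleted = 0;

-- Undoing a mistaken deletion is the same two statements in reverse.
UPDATE artists  SET deleted = 0, deleted_at = NULL WHERE id = 42;
UPDATE pictures SET deleted = 0 WHERE artist_id = 42;

-- The purge runs from a separate admin account that does hold DELETE,
-- after a backup, and only for rows flagged longer than the grace period.
-- Pictures go first because of the foreign key.
DELETE FROM pictures
WHERE  deleted = 1
AND    artist_id IN (SELECT id FROM artists
                     WHERE deleted = 1
                     AND   deleted_at < NOW() - INTERVAL 30 DAY);
DELETE FROM artists
WHERE  deleted = 1 AND deleted_at < NOW() - INTERVAL 30 DAY;
```

The point of the column-level grants is the failure mode: a stolen webapp password, or a hijacked admin session driving the web code, can at worst set flags and insert junk rows, both of which the purge window and a backup let you reverse. It cannot make the pictures table empty. The web code still has to check that the logged-in admin is allowed to touch artist 42 before issuing the UPDATE; the grants limit the blast radius, they do not replace that check.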
Newbie
 
Join Date: Nov 2009
Posts: 3
#5: 3 Days Ago

re: Confirming deletion of records


Atli, once again thanks for your time and some very good ideas. I'll implement the delete flag idea and then write something so I can purge the database regularly.

Regards,

Simon