delete.php?ID=1

You didn't really actually specify a question, but i think what your saying is how to stop some from using the url to delete all database records, well when posting to delete.php perhaps you should change the method so that its encrypted and can't be seen i.e. instead of put use post that way its not possible to see which record it is that is been specified to be deleted.

Hopes this helps a little bit to answer your question,

I am not properly getting u.If u can show me a example i might be able to understand better.

Thanks,
Pradeep

My guess is that your using a form to submit to your delete.php page if so, look at the tags for the form, is there one that says method? and is the also one that says enctype?

if so all you should need to do to alleviated your problems is:
set method = "POST" and
set enctype = "multipart/form-data"


hope this helps,

Yes i use <form method="POST"

you are posting a varible of which database number you want to delete right??
if so then if you have method = post and enctype = to what i said above then noby will see what value it is that you are posting in the url bar.

And therefore if your passing a varible called Id, then no one can monkey around with the value in the url bar.

Hopefully this is what you were looking for

Is this a user submitted form?

If it is, then why shouldn't the user be able to delete all the records?

hey see
http://xyz.com/delepe.php?ID=43 and this is visible

this is whts stored in browser.so if any one knowing php can get this url he can play rite and i hve not set enctype to anything.yes the user fills the form ..and wht i was talking is of maintainance of data by the admin.he can delete the old records na...


Thanks,
Pradeep

Why should the user manipulate a url to delete a record while you have given him a pretty good interface to do the same thing?

If there's a kind of check which you are doing before displaying the "select-to-delete" page (page containing your form) to check whether the user is genuine, just do the same check before running delete.php, so that only authenticated user could reach the delete.php script.

This is my php script for deleting records

[PHP]<?php

$id=$_GET[Id];
$sql1="delete from abc where ID=$id";

$res_id1=mysql_query($sql1);

if($res_id1== TRUE)
{
echo "Selected record deleted";
}
else
{
$msg = "error while deleting record!!<br><INPUT Type=\"Button\" Name=\"Back\" Value=\"Back\" onclick=\"history.back()\" class=\"button\">" ;
print $msg;
}
?>[/PHP]

This is my php script for deleting records

[PHP]<?php

$id=$_GET[Id];
$sql1="delete from abc where ID=$id";

$res_id1=mysql_query($sql1);

if($res_id1== TRUE)
{
echo "Selected record deleted";
}
else
{
$msg = "error while deleting record!!<br><INPUT Type=\"Button\" Name=\"Back\" Value=\"Back\" onclick=\"history.back()\" class=\"button\">" ;
print $msg;
}
?>[/PHP]

Like Harpreet said: You must be uaing some sort of check to allow only an administrator to access the delete page (sessions?). Do the same check on delete.php before anything is deleted.

Hey i hve done for all edit pages and create page it takes them to login page but not for delete page..it takes them to login page but the record is getting deleted also..so i tht this must be something to do with url..and ya i am using drupal tool


Thanks,
Pradeep

This is where you are not secure. This means anyone could use your delete.php script.
Don't think POST will work. One who has to misuse your system knows how to create a POST request.

Ideally, you validate a cookie (or session) for every page.

If you are using sessions:

Yeah, so anyone who uses the delete.php script must be logged in and be admin:

[PHP]if ($_SESSION['user_name'] = NULL) {
echo("You are not logged in.");
header(location:login.php);
exit;
}
if ($_SESSION['user_type'] != "admin") {
echo("You are authrized to use this.");
header(location:homephp);
exit;
}
[/PHP]

I'm a little wrecked, so my apologies if I have made a mistake, but this is the general thing you should have on protected pages.

If you are using sessions:

Yeah, so anyone who uses the delete.php script must be logged in and be admin:

[PHP]if ($_SESSION['user_name'] = NULL) {
echo("You are not logged in.");
header(location:login.php);
exit;
}
if ($_SESSION['user_type'] != "admin") {
echo("You are authrized to use this.");
header(location:homephp);
exit;
}
[/PHP]

I'm a little wrecked, so my apologies if I have made a mistake, but this is the general thing you should have on protected pages.

Your logic is right, but I wonder if header would work after echo. ;)

thank You all guys for helping me out..since i am using drupal i cld solve the prob..the last sessions script u ppl gave helped me a lot to think of this for me

[PHP]global $user;
if(!$user->uid){
echo("You are not logged in.");
header( 'Location: ?q=user&' . drupal_get_destination() );
exit;
}[/PHP]

Thanks ,
Pradeep

thank You all guys for helping me out..since i am using drupal i cld solve the prob..the last sessions script u ppl gave helped me a lot to think of this for me

[PHP]global $user;
if(!$user->uid){
echo("You are not logged in.");
header( 'Location: ?q=user&' . drupal_get_destination() );
exit;
}[/PHP]

Thanks ,
Pradeep

As I already said in the above post, header won't work after echo.

ok..the msg in echo doesnot get printed ..the header is working fine..anyways i wll remove the echo command.

Thanks,
Pradeep

Your logic is right, but I wonder if header would work after echo. ;)

lol, should have seen that... Thanks for the correction tho.