Hi, I have a system in place like an inbox, in which people can select a check box next to each message and then press delete, which will delete the selected.

<input name="delete[]" type="checkbox" id="delete[]" value="<?php print $rows['id']; ?>" />

This is my code:

PHP:
$delete = $_POST['delete'];
foreach ($delete as $deleted) {
    $sql = mysql_query("DELETE * FROM messages WHERE id='$deleted'");
}

This is not working though, as nothing is being passed through from the form. Any ideas?

Cheers, Adam
DELETE queries don't have an asterisk like SELECT queries do. Take it out. And you stress your database less if you do it all in one run:

PHP:
$ids = array_map('intval', (array)$_POST['delete']);
mysql_query("DELETE FROM messages WHERE id IN(" . implode(', ', $ids) . ")") OR die(mysql_error());
Hi Nico, thanks again for the help and advice. I have just tried this out but I get the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1
Did you check at least one checkbox? Try it this way:

PHP:
if ($ids = array_map('intval', (array)$_POST['delete'])) {
    $query = "DELETE FROM messages WHERE id IN(" . implode(', ', $ids) . ")";
    mysql_query($query) OR die(mysql_error() . ' QUERY: ' . $query);
}
I have just checked, and yes, 2 out of 3 check boxes were checked. Also, I have just tried your alternative option and this does nothing and does not show an error, it just simply gives me a white page. Any ideas?
Do a:

PHP:
print_r($_POST);

And see if the values from the form are being passed correctly. Or give this a try:

PHP:
$ids = array_map('intval', $_POST['delete']);
$query = "DELETE FROM messages WHERE id IN(" . implode(", ", $ids) . ")";
mysql_query($query) OR die(mysql_error() . ' QUERY: ' . $query);

I don't see any apparent reasons why this wouldn't work. Unless your IDs are not numeric values?
Right, I have just tried the above and I now get:

Array ( [delete] => [Submit22] => Remove )
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1 QUERY: DELETE FROM messages WHERE id IN()

I am definitely using numeric values for the ids, so I cannot see where the problem would be?
Here is the form. I am using Smarty PHP, so that's why I am using tags like e.g. {php}

Code (markup):
<form action="send-message-process.php?type=delete" method="post" name="frm1" id="frm1">
<p>
  <input type="submit" name="Submit3" value="Remove" class="buttons" />
</p>
<table width="100%" border="0" cellspacing="0" cellpadding="3">
  <tr>
    <td width="4%" height="30" background="images/red-nav-bar.jpg"><h2 class="white">
      <input name="allbox2" type="checkbox" id="allbox2" value="checkbox" onclick='checkedAll(frm1);'/>
    </h2></td>
    <td colspan="2" background="images/red-nav-bar.jpg"><h2><span class="white">Sender</span></h2> </td>
    <td width="61%" background="images/red-nav-bar.jpg"><h2><span class="white">Subject</span></h2></td>
    <td width="15%" background="images/red-nav-bar.jpg"><h2 class="white">Date</h2></td>
  </tr>
  {php} $sqls = mysql_query("SELECT * FROM messages WHERE profileid = '$_COOKIE[id]'"); while($rows = mysql_fetch_array($sqls)){ {/php}
  <tr>
    <td bgcolor="#FCE4E5"><input name="delete[]" type="checkbox" id="delete[]" value="{php} print $rows['id']; {/php}" /></td>
    <td width="10%" bgcolor="#FCE4E5">
      {php} $sql = mysql_query("SELECT * FROM users WHERE id = '$rows[userid]'"); while($row = mysql_fetch_array($sql)){ {/php}
      <a href="message-details.php?id={php} print $row['id']; {/php}"><img src="profile/thumbs/{php} print $row['image_1']; {/php}" width="50" height="40" border="0" /></a>
      {php} } {/php}
      <br />
    </td>
    <td width="10%" bgcolor="#FCE4E5"><a href="message-details.php?id={php} print $row['id']; {/php}">{php} print $rows[username]; {/php}</a></td>
    <td bgcolor="#FCE4E5"><a href="message-details.php?id={php} print $rows[id]; {/php}">{php} print $rows[title]; {/php}</a></td>
    <td bgcolor="#FCE4E5">{php} print $rows['sdate']; {/php}</td>
  </tr>
  {php} } {/php}
</table>
<p><a href="#" onclick='checkedAll(frm1);'>Select All</a> / <a href="#" onclick='checkedAll(frm1);'>Unselect All</a> </p>
<p>
  <input type="submit" name="Submit22" value="Remove" class="buttons" />
</p>
</p>
</form>
I don't see any apparent errors there. Can you post the output of this code? And btw, I guess this line gets messages for a specific user from the database?

PHP:
$sqls = mysql_query("SELECT * FROM messages WHERE profileid = '$_COOKIE[id]'");

What if I changed the value in the cookie? I guess I could read anyone's messages?
All I get is Resource id #32. Also, I know that it is bad to use cookies, but when I used sessions I was having all types of problems, as the server has problems with them. Also, another server is not an option, so I had to go down the cookie route.
No, I mean the output of your form. When you did the print_r($_POST);, it shows that the values aren't submitted for some reason. And it seems to be an error in your form. I've never heard that a server cannot handle sessions. Maybe you were doing something wrong. If it's a bigger site, you really should get someone to make your code more secure. I wouldn't love it if anyone could read my messages.
How do you want me to display the output of the form? I have done the print_r($_POST) but all it displays is:

Array ( [delete] => [Submit22] => Remove )

Yes, I will get someone to have a look at the session issue, thanks for the advice.
Open the page in your web browser, see the source code (CTRL + U, on Firefox), and copy and paste it.
Sorry, I am an idiot. Here is the source code.

Code (markup):
<form action="send-message-process.php?type=delete" method="post" name="frm1" id="frm1">
<p>
  <input type="submit" name="Submit3" value="Remove" class="buttons" />
</p>
<table width="100%" border="0" cellspacing="0" cellpadding="3">
  <tr>
    <td width="4%" height="30" background="images/red-nav-bar.jpg"><h2 class="white">
      <input name="allbox2" type="checkbox" id="allbox2" value="checkbox" onclick='checkedAll(frm1);'/>
    </h2></td>
    <td colspan="2" background="images/red-nav-bar.jpg"><h2><span class="white">Sender</span></h2> </td>
    <td width="61%" background="images/red-nav-bar.jpg"><h2><span class="white">Subject</span></h2></td>
    <td width="15%" background="images/red-nav-bar.jpg"><h2 class="white">Date</h2></td>
  </tr>
  Resource id #26
  <tr>
    <td bgcolor="#FCE4E5"><input name="delete[]" type="checkbox" id="delete[]" value="5" /></td>
    <td width="10%" bgcolor="#FCE4E5">
      <a href="message-details.php?id=12"><img src="profile/thumbs/75825365.jpg" width="50" height="40" border="0" /></a>
      <br />
    </td>
    <td width="10%" bgcolor="#FCE4E5"><a href="message-details.php?id=">cutie</a></td>
    <td bgcolor="#FCE4E5"><a href="message-details.php?id=5">This is a test2</a></td>
    <td bgcolor="#FCE4E5">2008-01-18</td>
  </tr>
  <tr>
    <td bgcolor="#FCE4E5"><input name="delete[]" type="checkbox" id="delete[]" value="4" /></td>
    <td width="10%" bgcolor="#FCE4E5">
      <a href="message-details.php?id=12"><img src="profile/thumbs/75825365.jpg" width="50" height="40" border="0" /></a>
      <br />
    </td>
    <td width="10%" bgcolor="#FCE4E5"><a href="message-details.php?id=">cutie</a></td>
    <td bgcolor="#FCE4E5"><a href="message-details.php?id=4">This is a test</a></td>
    <td bgcolor="#FCE4E5">2008-01-22</td>
  </tr>
  <tr>
    <td bgcolor="#FCE4E5"><input name="delete[]" type="checkbox" id="delete[]" value="6" /></td>
    <td width="10%" bgcolor="#FCE4E5">
      <a href="message-details.php?id=12"><img src="profile/thumbs/75825365.jpg" width="50" height="40" border="0" /></a>
      <br />
    </td>
    <td width="10%" bgcolor="#FCE4E5"><a href="message-details.php?id=">cutie</a></td>
    <td bgcolor="#FCE4E5"><a href="message-details.php?id=6">cutie to cutie</a></td>
    <td bgcolor="#FCE4E5">2008-02-11</td>
  </tr>
</table>
<p><a href="#" onclick='checkedAll(frm1);'>Select All</a> / <a href="#" onclick='checkedAll(frm1);'>Unselect All</a> </p>
<p>
  <input type="submit" name="Submit22" value="Remove" class="buttons" />
</p>
</p>
</form>
I copied and pasted your form, and tried it locally. I get the expected output (with print_r($_POST);):

Code (markup):
Array ( [delete] => Array ( [0] => 5 [1] => 4 [2] => 6 ) [Submit22] => Remove )

So... do you have any code snippets that modify the $_POST variable anywhere? This is the code I tried (I left your form intact, and just edited my PHP snippet, so that it shows the query instead of executing it):

PHP:
<?php
if (!empty($_POST)) {
    if ($ids = array_map('intval', (array)$_POST['delete'])) {
        $query = "DELETE FROM messages WHERE id IN(" . implode(', ', $ids) . ")";
        // mysql_query($query) OR die(mysql_error() . ' QUERY: ' . $query);
        echo $query;
    }
}
?>
<form action="" method="post" name="frm1" id="frm1">
<p>
  <input type="submit" name="Submit3" value="Remove" class="buttons" />
</p>
<table width="100%" border="0" cellspacing="0" cellpadding="3">
  <tr>
    <td width="4%" height="30" background="images/red-nav-bar.jpg"><h2 class="white">
      <input name="allbox2" type="checkbox" id="allbox2" value="checkbox" onclick='checkedAll(frm1);'/>
    </h2></td>
    <td colspan="2" background="images/red-nav-bar.jpg"><h2><span class="white">Sender</span></h2> </td>
    <td width="61%" background="images/red-nav-bar.jpg"><h2><span class="white">Subject</span></h2></td>
    <td width="15%" background="images/red-nav-bar.jpg"><h2 class="white">Date</h2></td>
  </tr>
  Resource id #26
  <tr>
    <td bgcolor="#FCE4E5"><input name="delete[]" type="checkbox" id="delete[]" value="5" /></td>
    <td width="10%" bgcolor="#FCE4E5">
      <a href="message-details.php?id=12"><img src="profile/thumbs/75825365.jpg" width="50" height="40" border="0" /></a>
      <br />
    </td>
    <td width="10%" bgcolor="#FCE4E5"><a href="message-details.php?id=">cutie</a></td>
    <td bgcolor="#FCE4E5"><a href="message-details.php?id=5">This is a test2</a></td>
    <td bgcolor="#FCE4E5">2008-01-18</td>
  </tr>
  <tr>
    <td bgcolor="#FCE4E5"><input name="delete[]" type="checkbox" id="delete[]" value="4" /></td>
    <td width="10%" bgcolor="#FCE4E5">
      <a href="message-details.php?id=12"><img src="profile/thumbs/75825365.jpg" width="50" height="40" border="0" /></a>
      <br />
    </td>
    <td width="10%" bgcolor="#FCE4E5"><a href="message-details.php?id=">cutie</a></td>
    <td bgcolor="#FCE4E5"><a href="message-details.php?id=4">This is a test</a></td>
    <td bgcolor="#FCE4E5">2008-01-22</td>
  </tr>
  <tr>
    <td bgcolor="#FCE4E5"><input name="delete[]" type="checkbox" id="delete[]" value="6" /></td>
    <td width="10%" bgcolor="#FCE4E5">
      <a href="message-details.php?id=12"><img src="profile/thumbs/75825365.jpg" width="50" height="40" border="0" /></a>
      <br />
    </td>
    <td width="10%" bgcolor="#FCE4E5"><a href="message-details.php?id=">cutie</a></td>
    <td bgcolor="#FCE4E5"><a href="message-details.php?id=6">cutie to cutie</a></td>
    <td bgcolor="#FCE4E5">2008-02-11</td>
  </tr>
</table>
<p><a href="#" onclick='checkedAll(frm1);'>Select All</a> / <a href="#" onclick='checkedAll(frm1);'>Unselect All</a> </p>
<p>
  <input type="submit" name="Submit22" value="Remove" class="buttons" />
</p>
</p>
</form>

If you get different output, then you must have something else in your code which we can't see...
I'm not sure if you're one of these, but I think it was you. I saw some people using functions that automatically clean all $_POST, $_GET, $_COOKIE variables. Are you using this? If so, post it, so it can be modified to work with arrays.
DOH!! I know exactly what it is :S You wrote this function for me a while ago, which I was using as an include on every page using an init.php:

PHP:
//Check for SQL injection
function real_escape_array(&$array)
{
    static $func, $magic_quotes;

    if (!isset($func)) {
        $func = ((@mysql_ping() AND function_exists('mysql_real_escape_string'))
            ? 'mysql_real_escape_string'
            : 'mysql_escape_string'
        );
    }

    if (!isset($magic_quotes)) {
        $magic_quotes = get_magic_quotes_gpc();
    }

    if ($magic_quotes) {
        $array = is_array($array) ? array_map('stripslashes', $array) : stripslashes($array);
    }

    $array = is_array($array) ? array_map($func, $array) : $func($array);
}

real_escape_array($_GET);
real_escape_array($_POST);
real_escape_array($_COOKIE);

This must have been stopping the page from working. As soon as I removed this it worked fine. Thanks for seeing this one through, and it seems to work fine now.

Thanks a lot, Adam
This function was meant to be a "lazy workaround" for you. (I remember your code being horribly insecure.) I think I told you that, but I would recommend filtering the input properly for each case, instead of using an all-purpose function.
EEEEEK. I would get some escape shell going there as well as data validation. If you put that code live you deserve to get hacked (no offense)
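The issues raised across this thread (the empty `IN()` when no ids arrive, per-case input filtering instead of one all-purpose escape function, and the profile id taken from a cookie) can be handled together in one delete routine. The following is an added example, not code from any poster: `delete_own_messages()` is a hypothetical helper, the rows are constructed sample data, and it assumes PDO with the `pdo_sqlite` driver so it runs without a MySQL server.

```php
<?php
// Added example: validate each id, bind values as parameters, and scope the
// DELETE to the owner so a submitted id for someone else's message does nothing.
function delete_own_messages(PDO $pdo, int $ownerId, $rawIds): int
{
    // Checkbox arrays arrive as strings; when nothing is checked the key is absent.
    $ids = [];
    foreach ((array) $rawIds as $raw) {
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[$id] = $id; // keyed by value to drop duplicates
        }
    }
    if ($ids === []) {
        return 0; // never send "IN()" to the database
    }

    // One placeholder per id; no request data is concatenated into the SQL text.
    $marks = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM messages WHERE profileid = ? AND id IN ($marks)");
    $stmt->execute(array_merge([$ownerId], array_values($ids)));
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, profileid INTEGER, title TEXT)');
$pdo->exec("INSERT INTO messages VALUES (4, 12, 'This is a test'), (5, 12, 'This is a test2'),
            (6, 12, 'cutie to cutie'), (7, 99, 'belongs to another user')");

// Assumption: in a real handler the owner id comes from server-side session
// state after login, not from $_COOKIE['id'], which the client controls.
$ownerId = 12;

var_dump(delete_own_messages($pdo, $ownerId, ['5', '4']));        // two of the owner's messages
var_dump(delete_own_messages($pdo, $ownerId, ['7', '6 OR 1=1'])); // foreign row and non-integer input
var_dump(delete_own_messages($pdo, $ownerId, null));              // nothing checked
```

Because the filtering happens inside the function that needs integers, a global routine that rewrites `$_POST` is not required, and array-valued fields such as `delete[]` reach the handler intact.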