A bit stuck, again

Post #1
Mel Blanc was allergic to carrots. Group: Official Designer, Posts: 6,371, Joined: Aug 2008, Member No: 676,291
Hrm, well, I'm setting up a little administrator account privileges and all for my new project, and I have a page for where I can delete users, but, it's not exactly turning out too well. What I have is a while() loop that displays each username and a "clean" version of it for a query string in the URL. So, I was wondering, how could I execute some certain code based on a query string URL that is put in a while() loop?
Here's the code:

```php
<?php
if (isset($_GET['delete'])) {
    $delete = $_GET['delete'];
}

if (!$delete) {
    // Set Parameters
    $database['server'] = 'localhost';
    $database['username'] = 'username';
    $database['password'] = 'password';
    $database['name'] = 'database';

    // Connect to MySQL Database
    $connection = mysql_connect($database['server'], $database['username'], $database['password']);
    mysql_select_db($database['name'], $connection);

    // Get Usernames
    $result = mysql_query("SELECT username FROM users");
    $number = mysql_num_rows($result);
    $i = 0;

    echo '<ul>';
    while ($i < $number) {
        $username = mysql_result($result, $i, 'username');
        $clean_username = strtolower($username);
        echo ' <li><a href="users?delete=' . $clean_username . '">' . $username . '</a></li>';
        $i++;
    }
    echo ' </ul> <br /> ';
} else if ($delete == $clean_username) {
    mysql_query("DELETE FROM users WHERE username = '$username'");
    header ('Location: ' . root . '/account/admin/delete/users');
} else {
    header ('Location: ' . root . '/account/admin/delete/users');
}
?>
```

I have a feeling it could be a very quick fix. :\

Post #2
Senior Member. Group: Administrator, Posts: 2,648, Joined: Apr 2008, Member No: 639,265
Well, first of all, in general you probably shouldn't delete users based on a GET request -- you should use a POST parameter. This is because a URL can be reached from, e.g., a search spider. Imagine if a search spider follows a link to a delete URL, then, poof! user is deleted. I'm speaking from personal experience, for I did something like this back when I was a web developer, and it was a bad thing. In your case it probably won't matter, since your URLs are password-protected (presumably) so a crawler can't reach them anyway, but it's better to get into the habit of using POSTs for destructive operations (deletes, edits, and so forth).
Secondly, I wouldn't use the "clean" username as a delete parameter, I'd use the user ID since it's less ambiguous. Anyway, here's a bit of code. Is this what you were looking for?

```php
<?php
if (!isset($_GET['delete'])) {
    // Set Parameters
    $database['server'] = 'localhost';
    $database['username'] = 'username';
    $database['password'] = 'password';
    $database['name'] = 'database';

    // Connect to MySQL Database
    $connection = mysql_connect($database['server'], $database['username'], $database['password']);
    mysql_select_db($database['name'], $connection);

    // Get Usernames
    $result = mysql_query("SELECT username, id FROM users");
    $number = mysql_num_rows($result);

    echo '<ul>';
    for ($i = 0; $i < $number; $i++) {
        $username = mysql_result($result, $i, 'username');
        $id = mysql_result($result, $i, 'id');
        echo ' <li><a href="users?delete=' . $id . '">' . $username . '</a></li>';
    }
    echo ' </ul> <br /> ';
} else {
    // Should probably ask for confirmation before deleting
    // Cast to an integer so the request value cannot alter the query
    $id = (int) $_GET['delete'];
    mysql_query("DELETE FROM users WHERE id = $id");
    header ('Location: ' . root . '/account/admin/delete/users');
}
?>
```

Post #3
Mel Blanc was allergic to carrots. Group: Official Designer, Posts: 6,371, Joined: Aug 2008, Member No: 676,291
^Hm, well, thanks for the advice. Also, it partially worked and by partially, I mean that the user actually doesn't get deleted from the database. Something with the MySQL query, or what?
I added a little echo statement under the MySQL query to echo the ID number that was deleted, yet the user with that ID number wasn't deleted at all.

Post #4
Mel Blanc was allergic to carrots. Group: Official Designer, Posts: 6,371, Joined: Aug 2008, Member No: 676,291
Oh, I figured out the problem. The MySQL connection was in the if statement, and not in the else so the MySQL query couldn't be executed because there was no connection to start with. Solved by simply placing the connection outside of each statement to be used "globally".
Excuse the double post, by the way, but this topic may be closed now.

Post #5
Treasure Pleasure. Group: Head Staff, Posts: 11,193, Joined: Oct 2005, Member No: 281,127
Topic closed & moved.