A bit stuck, again

Post #1
Hrm, well, I'm setting up a little administrator account privileges and all for my new project, and I have a page for where I can delete users, but, it's not exactly turning out too well. What I have is a while() loop that displays each username and a "clean" version of it for a query string in the URL. So, I was wondering, how could I execute some certain code based on a query string URL that is put in a while() loop?
Here's the code:

```php
<?php
if (isset($_GET['delete'])) {
    $delete = $_GET['delete'];
}
if (!$delete) {
    // Set Parameters
    $database['server'] = 'localhost';
    $database['username'] = 'username';
    $database['password'] = 'password';
    $database['name'] = 'database';
    // Connect to MySQL Database
    $connection = mysql_connect($database['server'], $database['username'], $database['password']);
    mysql_select_db($database['name'], $connection);
    // Get Usernames
    $result = mysql_query("SELECT username FROM users");
    $number = mysql_num_rows($result);
    $i = 0;
    echo '<ul>';
    while ($i < $number) {
        $username = mysql_result($result, $i, 'username');
        $clean_username = strtolower($username);
        echo ' <li><a href="users?delete=' . $clean_username . '">' . $username . '</a></li>';
        $i++;
    }
    echo ' </ul> <br /> ';
} else if ($delete == $clean_username) {
    mysql_query("DELETE FROM users WHERE username = '$username'");
    header ('Location: ' . root . '/account/admin/delete/users');
} else {
    header ('Location: ' . root . '/account/admin/delete/users');
}
?>
```

I have a feeling it could be a very quick fix. :\

Post #2
Well, first of all, in general you probably shouldn't delete users based on a GET request -- you should use a POST parameter. This is because a URL can be reached from, e.g., a search spider. Imagine if a search spider follows a link to a delete URL, then, poof! user is deleted. I'm speaking from personal experience, for I did something like this back when I was a web developer, and it was a bad thing. In your case it probably won't matter, since your URLs are password-protected (presumably) so a crawler can't reach them anyway, but it's better to get into the habit of using POSTs for destructive operations (deletes, edits, and so forth).
Secondly, I wouldn't use the "clean" username as a delete parameter, I'd use the user ID since it's less ambiguous. Anyway, here's a bit of code. Is this what you were looking for?

```php
<?php
// Set Parameters
$database['server'] = 'localhost';
$database['username'] = 'username';
$database['password'] = 'password';
$database['name'] = 'database';

// Connect to MySQL Database (both the list branch and the delete branch need it)
$connection = mysql_connect($database['server'], $database['username'], $database['password']);
mysql_select_db($database['name'], $connection);

if (!isset($_GET['delete'])) {
    // Get Usernames
    $result = mysql_query("SELECT username, id FROM users");
    $number = mysql_num_rows($result);
    echo '<ul>';
    // The for header already increments $i, so the body must not do it again
    for ($i = 0; $i < $number; $i++) {
        $username = mysql_result($result, $i, 'username');
        $id = mysql_result($result, $i, 'id');
        // Escape the username so stored markup is not rendered as HTML
        echo ' <li><a href="users?delete=' . $id . '">' . htmlspecialchars($username) . '</a></li>';
    }
    echo ' </ul> <br /> ';
} else {
    // Should probably ask for confirmation before deleting
    // Cast to int so the request value cannot change the SQL statement
    $id = (int) $_GET['delete'];
    mysql_query("DELETE FROM users WHERE id = $id");
    header ('Location: ' . root . '/account/admin/delete/users');
    exit; // stop here so nothing else runs after the redirect
}
?>
```
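The two suggestions in the reply above (POST for destructive operations, the user ID as the key), as an added example that is not code from either poster. It uses PDO with a prepared statement instead of the thread's mysql_* functions (removed in PHP 7) and adds a per-session token check so another site cannot submit the form; the function names, the `csrf` field name and the in-memory SQLite sample rows are assumptions made for illustration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
declare(strict_types=1);

// Render one POST form per user: the ID travels in the request body, not in a link.
function render_user_list(PDO $db, string $token): string
{
    $html = "<ul>\n";
    foreach ($db->query('SELECT id, username FROM users ORDER BY id') as $row) {
        $html .= sprintf(
            '<li>%s <form method="post" action="users">'
            . '<input type="hidden" name="csrf" value="%s">'
            . '<button name="delete" value="%d">Delete</button></form></li>' . "\n",
            htmlspecialchars((string) $row['username'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($token, ENT_QUOTES, 'UTF-8'),
            (int) $row['id']
        );
    }
    return $html . "</ul>\n";
}

// Returns true only when exactly one row was deleted by a valid POST request.
function handle_delete(PDO $db, string $method, array $post, string $sessionToken): bool
{
    if ($method !== 'POST') {
        return false; // crawlers and link prefetchers send GET
    }
    if (!is_string($post['csrf'] ?? null) || !hash_equals($sessionToken, $post['csrf'])) {
        return false; // request was not produced by our own form
    }
    $id = filter_var($post['delete'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false; // not a positive integer, e.g. "1 OR 1=1"
    }
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount() === 1;
}

// Demo on constructed data (run with: php example.php).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('Alice'), ('<b>Bob</b>')");
$token = bin2hex(random_bytes(16)); // in a real page this lives in $_SESSION
echo render_user_list($db, $token);
var_dump(handle_delete($db, 'GET', ['delete' => '1', 'csrf' => $token], $token));
var_dump(handle_delete($db, 'POST', ['delete' => '1 OR 1=1', 'csrf' => $token], $token));
var_dump(handle_delete($db, 'POST', ['delete' => '1', 'csrf' => 'wrong'], $token));
var_dump(handle_delete($db, 'POST', ['delete' => '1', 'csrf' => $token], $token));
```

In a real admin page, `$method` would come from `$_SERVER['REQUEST_METHOD']`, `$post` from `$_POST`, and the handler would run only after the administrator's login has been checked.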