
PHP Delete function broken

I'm trying to get the delete function to work, however it is constantly failing. I have been looking at this for hours, and trawling the web looking for answers, but nothing seems to work. The idea is that in the table, there is a button to click. When clicked it will run the delete code on the row selected.

<?php
ini_set("display_errors", 1);

if (isset($_COOKIE["user_cookie"])) {
    $username = $_COOKIE["user_cookie"];
} else {
    $username = '';
}
if (isset($_GET['New'])) {
    Cookie("Event", $_GET['New']);   // helper function, not defined in this file
}
if (isset($_COOKIE["user_type"])) {
    $userType = $_COOKIE["user_type"];
} else {
    $userType = '';
}

if (isset($_GET['delID']) && true) { // COOKIE HERE

    // NOTE: $mysqli is only created further down the page (in the search
    // block), so at this point it is not yet a connection.
    // The UUID is also concatenated straight into the SQL, unquoted.
    $result = $mysqli->query("DELETE FROM oneuuid WHERE uuid = " . $_GET['delID']);
    if ($result === false) {
?>
      <script type='text/javascript'>
        alert('Failed to delete event');
      </script>
<?php
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
  <title>UUID </title>  <!-- !!!!!!!!!!!!!!!!!!!!!!!!!LOOK HERE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!-->
  <meta name="viewport" content="width = device-width, initial-scale = 1.0" />
  <link href = "css/bootstrap.min.css" rel = "stylesheet">
  <link href = "css/styles.css" rel = "stylesheet">
  <link href = "loginstylesheet.css" rel = "stylesheet">
  <style type="text/css">
    .clickable {
      cursor: pointer;
      cursor: hand;
    }
    .highcontrast {
      background-color: #696969;
    }
    .highcontrast a, a:visited { color: white; }
  </style>
</head>
<body>

  <!--          div for toggle                             -->
  <div id="toggle" style="height:260px">
    <!--          div for toggle                             -->
  </div>
        <!--/.nav-collapse -->
  <div class="col-md-3" id="leftCol">
    <form action = "printStuff2.php" method = "post">
      <input type = "text" name = "search" size="28" placeholder="Enter name..."/>
      <input type = "Submit" class="styled-button-8" value = "Search"/>
    </form>
  </div>

  <div class="container">
    <div class="row">
      <div class="col-md-9">
        <!-- Main content on page -->

<?php error_reporting(E_ALL); ini_set('display_errors', 1);

//search bar code.

//Establish connection ($host, $user, $password, $db are set elsewhere, e.g. an included config file)
$mysqli = new mysqli($host, $user, $password, $db);
if ($mysqli->connect_error) {
    die('Error : (' . $mysqli->connect_errno . ') ' . $mysqli->connect_error);
}
//variable to store user input, which we can work with.
$searchq = $_POST['search'];

//SQL Query, it selects all from DB where users input is similar to, either school name, headmaster name or address
$query = mysqli_query($mysqli, "SELECT * FROM oneuuid WHERE name LIKE '%$searchq%'") or die(mysqli_error($mysqli));
$count = mysqli_num_rows($query);
// if the $search contains at least one row
print '<table class = "table table-hover">';
print '<tr>';
print '<th> SEARCH RESULT GENERATED </th>';
print '</tr>';
print '</table>';
if ($query->num_rows > 0) {
    // output data of each row from $result

    print '<table class = "table table-hover">';

    print '<tr>';

    print '<th> UUID</th>';
    print '<th> Name</th>';
    print ' <th> Delete </th>';
    print '</tr>';

    while ($row = $query->fetch_assoc()) {

        print '<tr>';
        print '<td>' . $row["uuid"] . '</td>';
        print '<td>' . $row["name"] . '</td>';
        print("<td class='centered clickable' onclick='deleteEvent(\"$row[uuid]\", \"$row[name]\")'><span class='glyphicon glyphicon-remove'></span></td>");
        print '</tr>';
    }

    print '</table>';
} else {
    echo '0 results';
}
?>
      <div class="container">
        <div class="col-md-9">
          <div class="panel panel-default">
            <div class="panel-heading">Look UP!</div>
            <table class="table table-hover">
            </table>
          </div>
        </div>
      </div>

      </div> <!-- /.col-md-9 -->
    </div>   <!-- /.row -->
  </div>     <!-- /.container -->

 <script type="text/javascript">

   function deleteEvent(uuid, name){
      if (confirm("You are about to delete \"" + uuid + "\" this can not be undone.") == true) {
        window.location.href = "printStuff2.php?" + "&delID=" + uuid;
      }
   }

 </script>
</body>
</html>

  • You're sending UUIDs, but not quoting them, so your query ends up being

      DELETE ... WHERE uuid=12345-6789-a0735...
                               ^---^--- numbers
                                         ^---unknown field name

    Depending on the contents of the sections between the -, those are going to be treated as numbers or strings, which means you're doing mathematical subtraction, or specifying unknown/illegal field names.

    You need at bare minimum:

    DELETE ... WHERE uuid='$_GET[id]'

    and really really REALLY need to learn about sql injection attacks before someone trashes your server.
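
The delete handler from the question rewritten with a prepared statement, which is the proper form of the fix the answer asks for: the UUID travels as a bound value, never as part of the SQL text. This is an added example, not code from the question or the answer; it assumes `$mysqli` is already an open mysqli connection, the `oneuuid` table and `uuid` column from the question, and that stored UUIDs are in the canonical 36-character form (adjust the format check if yours differ).

```php
<?php
// Added example, not the asker's code. Assumes $mysqli is an open mysqli
// connection and the oneuuid(uuid) table/column from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make DB errors throw

/**
 * Delete one row from oneuuid by its uuid.
 * Returns the number of rows removed (0 when no such uuid exists).
 */
function deleteByUuid(mysqli $mysqli, string $uuid): int
{
    // Format check only (assumes canonical UUIDs). The prepared statement,
    // not this regex, is what stops the value from altering the query.
    if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $uuid)) {
        throw new InvalidArgumentException('Malformed UUID');
    }

    $stmt = $mysqli->prepare('DELETE FROM oneuuid WHERE uuid = ?');
    $stmt->bind_param('s', $uuid);  // 's' = string; sent separately from the SQL
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// A destructive action should arrive by POST, not as a GET link in the URL,
// so link prefetchers and crawlers cannot trigger it by following a link.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delID'])) {
    try {
        $n = deleteByUuid($mysqli, $_POST['delID']);
        echo $n === 1 ? 'Event deleted' : 'No event with that UUID';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid request';
    } catch (mysqli_sql_exception $e) {
        error_log('delete failed: ' . $e->getMessage()); // detail stays server-side
        http_response_code(500);
        echo 'Failed to delete event';              // generic message to the browser
    }
}
```

The `deleteEvent` JavaScript in the question would then submit a small hidden form with `method="post"` instead of setting `window.location.href`, and the same bound-parameter pattern applies to the `LIKE '%$searchq%'` search query above.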