Hi, as the title states... I am deleting a 'subject' from a 'classroom'. I view classrooms, then can click on a classroom to view the subject for that classroom. So the link where I am viewing subjects looks like:

viewsubjects.php?classroom=23

When the user selects the delete button (in a row) to remove a subject from a class, I simply want the user to be redirected back to the list of subjects for the classroom (exactly where they were before!!)

So I thought this is simply a case of calling up the classroom ID within my delete script. Here is what I have:

EDIT: corrected spelling mistake in code (this was not the problem)

    $subject_id = $_GET['subject_id'];
    $classroom_id = $_GET['classroom_id'];

    $sql = "DELETE FROM subjects WHERE subject_id=".$subject_id;
    $result = mysql_query($sql, $connection)
        or die("MySQL Error: ".mysql_error());

    header("Location: viewsubjects.php?classroom_id=".$classroom_id);
    exit();

The subject is being removed from the DB, but when I am redirected back the URI is displaying with an empty classroom ID like:

viewsubjects.php?classroom_id=

Is there a way to carry the classroom ID successfully through the delete script so it can be displayed after, allowing the user to be redirected back to the page? Thanks for any help!

A: 

Why don't you add classroom_id to the delete form in a hidden field?

Col. Shrapnel
Why put more in the form when you can read it from the database when deleting it anyway? Expanding your form like this is unnecessary and more work.
Niels Bom
+3  A: 

Spelling mistake in your code?

Change line 2 to: $classroom_id = $_GET['classroom'];

Nic
Exactly. Free advice: turn on or look at your error log, then you would have noticed the error, because you're reading a non-existing variable.
Niels Bom
This is incorrect, as I did not paste the code in; I typed it in the question with error.
Yvonne
That's what you get for not pasting real, tested code ;-) There's nothing wrong with reducing code to the essential parts. But please make sure that the abridged version shows the same behavior and doesn't introduce _new_ errors. It's a waste of time and effort for all of us...
VolkerK
Your question is incomplete and still not corrected, is it? You call your listing page with ?classroom=23 but, more important, how do you call your delete script? ?classroom=23 or ?classroom_id=23?
Nic
+2  A: 

It should be $classroom_id = $_GET['classroom'];

Not: $classroom_id = $_GET['classrom_id'];

EDIT You have edited your code but does the string in the $_GET variable match that string in the URL?

Abs
+2  A: 

Just to note, if this is an admin function: great.

If this is on the front end, you need to consider making sure the subject_id is clean as it would be very easy to hack into your site.

azz0r
A: 

This may be a little verbose ...but let's see what happens with

    // Stop early, dumping $_GET, if either parameter is missing or empty.
    if ( !isset($_GET['subject_id']) ) {
      echo 'DEBUG: missing GET parameter subject_id';
      var_dump($_GET);
      die;
    }
    if ( !isset($_GET['classroom_id']) ) {
      echo 'DEBUG: missing GET parameter classroom_id';
      var_dump($_GET);
      die;
    }
    else if ( 0===strlen(trim($_GET['subject_id'])) ) {
      echo 'DEBUG: empty GET parameter subject_id';
      var_dump($_GET);
      die;
    }
    else if ( 0===strlen(trim($_GET['classroom_id'])) ) {
      echo 'DEBUG: empty GET parameter classroom_id';
      var_dump($_GET);
      die;
    }

    // Escape the value before it is placed inside the quoted SQL literal.
    $subject_id = mysql_real_escape_string($_GET['subject_id'], $connection);

    $sql = "DELETE FROM subjects WHERE subject_id='$subject_id'";
    $result = mysql_query($sql, $connection) or die("MySQL Error: ".mysql_error());
    if ( 0===mysql_affected_rows($connection) ) {
      echo 'no such subject_id found. no records have been deleted';
      die;
    }

    // URL-encode the classroom ID before putting it into the redirect target.
    header("Location: viewsubjects.php?classroom_id=".urlencode($_GET['classroom_id']));
    exit();

(it also fixes the SQL injection vulnerability)

VolkerK
A: 

In response to above, it'd be easier to do:

    if (!isset($_GET['subject_id']) || empty($_GET['subject_id']) || !is_numeric($_GET['subject_id'])) {
        throw new Exception('Subject Id is not set');
    }
azz0r
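
The two points raised in the answers above (the SQL injection fix and the numeric check on subject_id) can be combined by validating both IDs as integers and binding them in a prepared statement. The following is an added example, not code from any poster in this thread; it assumes PDO with an in-memory SQLite database, a constructed subjects table, a hypothetical helper named deleteSubject, and that the delete script receives the parameter as classroom_id.

```php
<?php
// Added example (not from the thread). Uses PDO with an in-memory SQLite
// database so it runs offline; the table layout and sample rows are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE subjects (subject_id INTEGER PRIMARY KEY, classroom_id INTEGER, name TEXT)');
$pdo->exec("INSERT INTO subjects VALUES (1, 23, 'Maths'), (2, 23, 'Physics'), (3, 24, 'Art')");

/**
 * Hypothetical helper: validates both IDs as positive integers, deletes with
 * bound parameters, and returns the redirect target (null if input is rejected).
 */
function deleteSubject(PDO $pdo, array $get): ?string
{
    $opts = ['options' => ['min_range' => 1]];
    $subjectId   = filter_var($get['subject_id'] ?? null, FILTER_VALIDATE_INT, $opts);
    $classroomId = filter_var($get['classroom_id'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($subjectId === false || $classroomId === false) {
        return null; // missing, empty or non-integer parameter: do nothing
    }
    // Scope the delete to the classroom as well, so only a matching ID pair removes a row.
    $stmt = $pdo->prepare('DELETE FROM subjects WHERE subject_id = :sid AND classroom_id = :cid');
    $stmt->execute([':sid' => $subjectId, ':cid' => $classroomId]);
    // The redirect target is built from the validated integer, never the raw string.
    return 'viewsubjects.php?classroom_id=' . $classroomId;
}

function countSubjects(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM subjects')->fetchColumn();
}

// Constructed requests, standing in for $_GET.
$requests = [
    ['subject_id' => '1', 'classroom_id' => '23'],         // well-formed request
    ['subject_id' => '2 OR 1=1', 'classroom_id' => '23'],  // not an integer
    ['subject_id' => '2'],                                 // classroom_id missing
];
foreach ($requests as $get) {
    $target = deleteSubject($pdo, $get);
    printf("%-45s -> %s (rows left: %d)\n", json_encode($get), $target ?? 'rejected', countSubjects($pdo));
}
```

In the delete script itself, a non-null return value would be passed to header('Location: ...') followed by exit().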