php delete confirm box

c00kie · 14 Mar 2007 at 15:07

I have a table containing a triplist, which basically i want to be able to remove people from using a delete button. to avoid CSRF attacks i gather the best thing is to send the values to delete.php using a form.

so at the moment, for each of the rows i have:

Code:

echo "\t\t<form method=\"post\" action=\"del.php\">\n";
echo "\t\t<input type=\"hidden\" name=\"token\" value=\"$token\" />\n";
echo "\t\t<input type=\"hidden\" name=\"user_id\" value=\"".$user_id."\"/>\n";
echo "\t\t<input type=\"submit\" value=\"remove\" name=\"del\" />\n";
echo "\t\t</form>\n";

The trouble is, with ~100 users this makes an unneccessarily large and slow page with all that for every row.

Im wondering if theres any way of maknig a confirmation box which then generates that code for the relevant user and submits it.

Maybe a javascript box which when ok is clicked will POST the values to del.php?

I know i can do it in a seperate page, but what about a facebook style thing?

thanks

Clarkey · 14 Mar 2007 at 15:15

javascript confirm('Message'); would do it. This has compatibility problems though. Facebook uses AJAX to do the cool confirmation boxes, this is much more complex and has worse compatibility issues.

Beansprout · 14 Mar 2007 at 15:24

Javascript won't stop someone loading del.php?user=1.....a Javascript alert merely stops an errant click by an administrator

The token is what stops the Evil Hacker Attacker.

You could have one form by using checkboxes or radio buttons instead

c00kie · 14 Mar 2007 at 19:19

indeed. so i guess one giant form with a text box next to each person and then a "submit" button at the bottom to delete them?

It all works perfectly at the mo, just seems like a long way round having 100 forms on the page :confused:

Beansprout · 14 Mar 2007 at 19:56

Surely adding a checkbox at the beginning/end of a row is simpler than a lot of forms

psyr33n · 14 Mar 2007 at 20:03

Problem aside, it might just be me, but I find

Code:

	<form method="post" action="del.php">
	<input type="hidden" name="token" value="<?php echo $token; ?>" />
	<input type="hidden" name="user_id" value="<?php echo $user_id; ?>" />
	<input type="submit" value="remove" name="del" />
	</form>

a lot cleaner than

Code:

echo "\t\t<form method=\"post\" action=\"del.php\">\n";
echo "\t\t<input type=\"hidden\" name=\"token\" value=\"$token\" />\n";
echo "\t\t<input type=\"hidden\" name=\"user_id\" value=\"".$user_id."\"/>\n";
echo "\t\t<input type=\"submit\" value=\"remove\" name=\"del\" />\n";
echo "\t\t</form>\n";