[wp-hackers] Delete Row - Refreshes Page but not DB

Nikola Nikolov nikolov.tmw at gmail.com
Sat Oct 19 18:16:04 UTC 2013


So something like this is what you should use instead:

<button type="submit" name="deleteItem" value="<?php echo esc_attr( $row['id'] ); ?>"
file="<?php echo esc_attr( $row['file'] ); ?>" data-nonce="<?php echo esc_attr( wp_create_nonce(
'delete_' . $row['id'] . '_' . $row['file'] ) ); ?>" class="delete-box"><span
class="glyphicon glyphicon-remove"></span></button>

You would have to add the value of the data-nonce attribute to your AJAX
request (in the example below its value is set to the 'nonce' parameter)
and then on the PHP side of the request, you should do this:

if ( ! wp_verify_nonce( $_POST['nonce'], 'delete_' . $id . '_' . $file ) ) {
    exit( 'Cheatin, huh?' );
}

This way if someone changes the value of the file OR "value" attributes,
they won't be able to delete the item they were trying to delete.


On Sat, Oct 19, 2013 at 8:56 PM, J.D. Grimes <jdg at codesymphony.co> wrote:

> Yes, you should be using nonces -
> http://codex.wordpress.org/WordPress_Nonces
>
> On Oct 19, 2013, at 1:53 PM, Gregory Lancaster <greglancaster71 at gmail.com>
> wrote:
>
> > Yep, I had to add true.  So all this is executing based on the values of
> > this button:
> > <button type="submit" name="deleteItem" value="<?php echo $row['id']; ?>"
> > file="<?php echo $row['file']; ?>" class="delete-box"><span
> > class="glyphicon glyphicon-remove"></span></button>
> >
> > But couldn't someone just change the values of the fileid or rowid and
> > delete other people's content?
> >
> >
> > On Sat, Oct 19, 2013 at 10:40 AM, J.D. Grimes <jdg at codesymphony.co>
> wrote:
> >
> >> Hey man, that's tough. I'm glad you've got the code working though.
> >>
> >>> I finally got J.D.'s code working but I have to place this in my functions
> >> for
> >>> ajax to work:
> >>>
> >>> add_action('wp_head','custom_head');
> >>>
> >>> function custom_head()
> >>> {
> >>>      echo '';
> >>> }
> >>>
> >>>
> >>> Is that alright?  Otherwise I get ajaxurl undefined error.
> >>
> >> I'm not sure why this would have an effect… If you are using the code on
> >> the front end of your site, ajaxurl won't be defined - it is only
> defined
> >> by default in the administration panels. You would need to use
> >> wp_localize_script().
> >>
> >>> Additionally, the json response works too! However one query always
> >> fails.
> >>>
> >>> $file = $_POST['file'];
> >>> $del_image = wp_delete_attachment( $row['file'] ); - fail
> >>>
> >>> I also tried this as an sql query:
> >>>
> >>> $file = $_POST['file'];
> >>> $fileQry = $wpdb->prepare("DELETE FROM wp_posts WHERE id = %s", $file);
> >>> $go_fileQry = $wpdb->query($fileQry);
> >>>
> >>> It still fails.  It IS possible to run multiple queries this way right?
> >>
> >> Is it completely failing? The wp_delete_attachment() call will only move
> >> the attachment to the trash by default - if you want to delete it
> >> permanently you need to set the second parameter to true.
> >>
> >> -J.D.
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>
>
>
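The thread above shows the two halves of the fix separately (a nonce bound to the id/file pair in the button, and wp_verify_nonce() on the PHP side). Here is an added example, not code from Nikola, J.D. or Gregory, of a complete admin-ajax handler that puts them together and adds the ownership check Gregory's question about deleting other people's content calls for. Assumed names: the AJAX action 'delete_item', the POST fields 'deleteItem' (row id), 'file' (attachment id) and 'nonce', and a placeholder custom table. The WordPress functions used (wp_verify_nonce, current_user_can, wp_delete_attachment, wp_send_json_error/success, absint, $wpdb->prepare) are real.

```php
<?php
// Added example handler for the delete button discussed in the thread.
// Hook into admin-ajax for logged-in users only (no 'wp_ajax_nopriv_' twin),
// since deleting content should never be reachable anonymously.
add_action( 'wp_ajax_delete_item', 'example_handle_delete_item' );

function example_handle_delete_item() {
    // 1. Normalise input: both ids are integers, so anything else collapses to 0.
    $id    = isset( $_POST['deleteItem'] ) ? absint( $_POST['deleteItem'] ) : 0;
    $file  = isset( $_POST['file'] ) ? absint( $_POST['file'] ) : 0;
    $nonce = isset( $_POST['nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) )
        : '';

    if ( ! $id || ! $file ) {
        wp_send_json_error( array( 'message' => 'Missing id or file.' ), 400 );
    }

    // 2. The nonce must match the exact (id, file) pair the server rendered.
    //    Because the action string contains both values, editing either one
    //    in the browser (or swapping a nonce from another row) fails here.
    if ( ! wp_verify_nonce( $nonce, 'delete_' . $id . '_' . $file ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }

    // 3. A nonce proves intent, not permission: it was minted for whoever was
    //    logged in when the page rendered, but the handler still has to confirm
    //    that user may delete this attachment. 'delete_post' on an attachment
    //    id is mapped to its author / the delete_others_posts capability.
    if ( ! current_user_can( 'delete_post', $file ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    global $wpdb;
    // Placeholder table name; if it has an owner column, compare it to
    // get_current_user_id() here as well before touching the row.
    $table = $wpdb->prefix . 'my_items';

    // 4. Delete the attachment permanently (second argument true, as J.D. noted),
    //    then remove the row. %d in prepare() keeps the row id an integer.
    if ( ! wp_delete_attachment( $file, true ) ) {
        wp_send_json_error( array( 'message' => 'Attachment delete failed.' ), 500 );
    }
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $id ) );

    wp_send_json_success( array( 'id' => $id, 'file' => $file ) );
}
```

The front-end request would POST action=delete_item together with deleteItem, file and nonce (read from the button's value, file and data-nonce attributes) to the URL supplied via wp_localize_script(), as J.D. described for front-end use.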

