[wp-hackers] Delete Row - Refreshes Page but not DB

Nikola Nikolov nikolov.tmw at gmail.com
Sun Oct 20 09:55:34 UTC 2013


I don't think the problem is in the wpdb class. If you take a look at the
source code for the query() method (
http://core.trac.wordpress.org/browser/tags/3.6.1/wp-includes/wp-db.php#L1170
),
you will see that all that the class does is

$this->result = @mysql_query( $query, $this->dbh );

and it will only return false if

if ( ! $this->ready )
return false;

Which on the other hand would happen only if the database connection fails,
or if you call the query() method before $wpdb->db_connect() is
called (which happens when the $wpdb object is created).

So I would suggest enabling WP_DEBUG and also, before you do your query, do

$wpdb->show_errors();

Then look at the AJAX response (you can do that in the "Network" tab of
Google Chrome's developer tools) and see if it says something.


On Sun, Oct 20, 2013 at 3:53 AM, Gregory Lancaster <
greglancaster71 at gmail.com> wrote:

> The ajax delete fails on non admin accounts.  The form inserts an entry
> into a custom table so I think $wpdb access is restricted to admins- which
> I do not want to change.  However these people need the ability to enter
> data.  I apologize for my lazy post before by the way, frustration was
> setting in.
>
> As for the right to delete or post, I currently am matching the
> current_member against the current_user->ID.  That seems to control who can
> delete what on what users page.  Maybe there is a better way? That is the
> only connection to the profile page owner I have though.
>
> I feel dumb asking but, maybe you would tell me what part of the codex I
> need to read to modify the user roles for posting?  This is a little
> confusing because the form is unattached to wordpress other than it posts
> within the wpdb.  For that reason the ability to delete and add entries
> (seems) as though it would not be controlled by a user role.
>
> I do not want to grant all subscribers the ability to create and delete
> posts for the sake of this form.
>
> On Saturday, October 19, 2013, Nikola Nikolov wrote:
>
> > What do you mean by "ajax is not supported unless I register people as
> > admins"?
> >
> > Does the AJAX never occur, or does the AJAX not trigger the deletion of
> > the rows?
> >
> > If the AJAX doesn't occur - then you should look at the code that prints
> > the AJAX itself - you probably have some sort of a check there that
> > decides whether to print out the JS or not.
> >
> > If the deletion of the rows doesn't happen, then it's the code that
> > deletes the rows that doesn't work.
> >
> > Also - if you're going to let all kinds of users delete data, you should
> > make sure that they actually have the right to delete that data or
> > not (for instance check if "is_super_admin()" and if that's true - allow
> > them to delete without further checks - if it's false, check if the
> > record they're trying to delete actually belongs to them).
> >
> >
> > On Sat, Oct 19, 2013 at 11:37 PM, Gregory Lancaster <
> > greglancaster71 at gmail.com> wrote:
> >
> > > Well it finally all works... and then I tested the user accounts and
> > > ajax is not supported unless I register people as admins.   I know I
> > > can add a user role, but is it possible to give them the ability to
> > > use ajax?
> > >
> > >
> > > On Sat, Oct 19, 2013 at 11:32 AM, Gregory Lancaster <
> > > greglancaster71 at gmail.com> wrote:
> > >
> > > > like this?
> > > >
> > > > jQuery( document ).ready( function( $ ) {
> > > >
> > > >         // When a button is clicked within the table with id="mytable"
> > > >         $( '#mytable button' ).click( function( event ) {
> > > >
> > > >                 event.preventDefault();
> > > >
> > > >                 if ( ! confirm( 'Are you sure you want to continue' ) )
> > > >                         return;
> > > >
> > > >                 var $button = $(this);
> > > >                 var nonce = $( this ).attr('data-nonce');
> > > >                 var rowID = $( this ).attr('value');
> > > >                 var file = $( this ).attr('file');
> > > >
> > > >                 $button.closest("tr").css('background-color', '#C60').fadeIn();
> > > >
> > > >                 var data = {
> > > >                         'action': 'my_delete_row_action',
> > > >                         'id': rowID,
> > > >                         'file': file
> > > >                 }
> > > >
> > > >                 $.post(
> > > >                         ajaxurl,
> > > >                         data,
> > > >                         function ( response ) {
> > > >                                 if ( ! response.success ) {
> > > >                                         alert( 'Failure!' );
> > > >                                 }
> > > >
> > > >                                 $button.closest("tr").hide();
> > > >                         }
> > > >                 );
> > > >         });
> > > > });
> > > >
> > > > and my remove_row function would function like this?
> > > >
> > > > function my_delete_row_action() {
> > > >         global $wpdb;
> > > >
> > > >         if ( ! wp_verify_nonce( $_POST['nonce'], 'delete_' . $id . '_' . $file ) ) {
> > > >                 exit( 'Cheatin, huh?' );
> > > >         }
> > > >
> > > >         $id = $_POST['id'];
> > > >         $file = $_POST['file'];
> > > >
> > > > seems to fail regardless if I change an item or not.
> > > >
> > > >
> > > > On Sat, Oct 19, 2013 at 11:16 AM, Nikola Nikolov <nikolov.tmw at gmail.com>
> > > > wrote:
> > > >
> > > >> So something like this is what you should use instead:
> > > >>
> > > >> <button type="submit" name="deleteItem" value="<?php echo $row['id']; ?>"
> > > >> file="<?php echo $row['file']; ?>" data-nonce="<?php echo wp_create_nonce(
> > > >> 'delete_' . $row['id'] . '_' . $row['file'] ); ?>"
> > > >> class="delete-box"><span
> > > >> class="glyphicon glyphicon-remove"></span></button>
> > > >>
> > > >> You would have to add the value of the data-nonce attribute to your
> > > >> AJAX request (in the below example its value is set to the 'nonce'
> > > >> parameter) and then on the PHP side of the request, you should do this:
> > > >>
> > > >> if ( ! wp_verify_nonce( $_POST['nonce'], 'delete_' . $id . '_' . $file ) ) {
> > > >>     exit( 'Cheatin, huh?' );
> > > >> }
> > > >>
> > > >> This way if someone changes the value of the file OR "value"
> > > >> attributes, they won't be able to delete the item they were trying
> > > >> to delete.
> > > >>
> > > >>
> > > >> On Sat, Oct 19, 2013 at 8:56 PM, J.D. Grimes <jdg at codesymphony.co> wrote:
> > > >>
> > > >> > Yes, you should be using nonces -
> > > >> > http://codex.wordpress.org/WordPress_Nonces
> > > >> >
> > > >> > On Oct 19, 2013, at 1:53 PM, Gregory Lancaster <greglancaster71 at gmail.com>
> > > >> > wrote:
> > > >> >
> > > >> > > Yep, I had to add true.  So all this is executing based on the
> > > >> > > values of this button:
> > > >> > > <button type="submit" name="deleteItem" value="<?php echo $row['id']; ?>"
> > > >> > > file="<?php echo $row['file']; ?>" class="delete-box"><span
> > > >> > > class="glyphicon glyphicon-remove"></span></button>
> > > >> > >
> > > >> > > But couldn't someone just change the values of the fileid or rowid
> > > >> > > and delete other people's content?
> > > >> > >
> > > >> > >
> > > >> > > On Sat, Oct 19, 2013 at 10:40 AM, J.D. Grimes <jdg at codesymphony.co>
> > > >> > > wrote:
> > > >> > >
> > > >> > >> Hey man, that's tough. I'm glad you've got the code working
> > > >> > >> though.
> > > >> > >>
> > > >> > >>> I finally got JD's code working but I have to place this in my
> > > >> > >>> functions for ajax to work:
> > > >> > >>>
> > > >> > >>> add_action('wp_head','custom_head');
> > > >> > >>>
> > > >> > >>> function custom_head()
> > > >> > >>> {
> > > >> > >>>      echo '';
> > > >> > >>> }
> > > >> > >>>
> > > >> > >>>
> > > >> > >>> Is that alright?  Otherwise I get ajaxurl undefined error.
> > > >> > >>
> > > >> > >> I'm not sure why this would have an effect… If you are using
> > > >> > >> the code on the front end of your site, ajaxurl won't be defined -
> > > >> > >> it is only defined by default in the administration panels. You
> > > >> > >> would need to use wp_localize_script().
> > > >> > >>
> > > >> > >>> Additionally, the json response works too! However one query
> > > >> > >>> always fails.
> > > >> > >>>
> > > >> > >>> $file = $_POST['file'];
> >
>
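
The nonce and ownership checks discussed in this thread, put together in one AJAX handler. This is an added example, not code from any of the messages above; the table name (prefix plus my_table) and its columns (id, file, user_id) are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The table name (prefix + 'my_table')
// and its columns (id, file, user_id) are assumed for illustration.

// wp_ajax_{action} runs for any logged-in user, not only administrators.
add_action( 'wp_ajax_my_delete_row_action', 'my_delete_row_action' );

function my_delete_row_action() {
	global $wpdb;

	// Read the request values first: they are part of the nonce action string.
	$id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
	$file  = isset( $_POST['file'] ) ? (string) wp_unslash( $_POST['file'] ) : '';
	$nonce = isset( $_POST['nonce'] ) ? (string) wp_unslash( $_POST['nonce'] ) : '';

	// The nonce was created as 'delete_' . $row['id'] . '_' . $row['file'],
	// so a request with a changed id or file no longer verifies.
	if ( ! wp_verify_nonce( $nonce, 'delete_' . $id . '_' . $file ) ) {
		wp_send_json_error( 'Invalid nonce.' );
	}

	$table = $wpdb->prefix . 'my_table'; // assumed table name

	// Ownership check: look up who the row belongs to (assumed user_id column).
	$owner = $wpdb->get_var(
		$wpdb->prepare( "SELECT user_id FROM $table WHERE id = %d AND file = %s", $id, $file )
	);
	if ( null === $owner ) {
		wp_send_json_error( 'No such row.' );
	}

	// Super admins may delete anything; everyone else only their own rows.
	if ( ! is_super_admin() && (int) $owner !== get_current_user_id() ) {
		wp_send_json_error( 'Not allowed.' );
	}

	// $wpdb->delete() returns false on a database error, else the row count.
	$deleted = $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
	if ( false === $deleted ) {
		wp_send_json_error( 'Database error.' );
	}

	wp_send_json_success( array( 'deleted' => $deleted ) );
}
```

The request must carry the value of the button's data-nonce attribute as the 'nonce' field, otherwise the nonce check rejects it. wp_send_json_error() and wp_send_json_success() end the request, so nothing after a failed check runs.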