php deleting a table row

Question

I am writing a booking system for uni and have encountered an issue i need help with.

<?php
        $title = 'Room Booking';
        require_once 'header.php';
    ?>
    <ul>
    <?php

        $query = "SELECT * FROM `room1booking` ORDER BY date, start, id";

        if ($result = mysqli_query($db_server, $query)) {
            if (mysqli_num_rows($result) > 0) {    

                while ($row = mysqli_fetch_array($result, MYSQLI_BOTH)) {
                    echo '<li>
                            ' . $row['name'] . '
                            ' . $row['date'] . '
                            ' . $row['start'] . '
                        <form action="confirmBooking.php?tid=' . $row['id'] . '" method="post">
                            <button type="submit" name="submit"><a href="confirmBooking.php?tid=' . $row['id'] . '">Confirm</a></button>
                            </form>
                            <form action="denyBooking.php?tid=' . $row['id'] . '" method="post">
                            <button type="submit" name="submit"><a href="denyBooking.php?tid=' . $row['id'] . '">Deny</a></button>
                         </form>
                         </li>
                         ';

                }

            } else {
                echo '<li>There are no results</li>';
            }

            mysqli_free_result($result);
        }


        mysqli_close($db_server);
    ?>
    </ul>
    </form>

This code is for the selecting of which row in the table that you want to delete

<?php
$title = 'Delete The Booking';
    require_once 'header.php';

    if(isset($_GET['submit'])){

        $tid = mysqli_real_escape_string($db_server, trim($_GET['tid']));

        if(!empty($tid)){

            $query = "DELETE FROM room1booking WHERE id = '$tid'";

            mysqli_query($db_server, $query);

            echo '<p>You have successfully deleted the booking.</p>';

    }
    } else {
        echo '<p>There is a problem with the system.</p>';

}


?>

And this is the code to delete the row

Any suggestions on where i am going wrong as the row won't delete

Answer 1

it seems like you are passing the tid as a GET variable in the query string but the method of the form is POST. Note that both the confirmBooking and denyBooking forms have the same problem

<form action="denyBooking.php?tid=' . $row['id'] . '" method="post">

should be

 <form action="denyBooking.php?tid=' . $row['id'] . '" method="get">

Answer 2

You have a combination of problems that would cause your record to not delete in the database:

1. Buttons don't send values in POST. You need to add the id to a hidden input and retrieve the value in POST.
2. You've also mixed GET and POST. Your form method is POST, but you're attempting to retrieve the variable from GET. Since the action here is a delete, it's better to use POST (otherwise you need to account for users being able to delete any record by changing an url parameter).

Solution:

Create a hidden field and assign it's value using $row['id']

<input type="hidden" name="rowId" value="' . $row['id'] . '">

And the id will be in $_POST['rowId']

Other notes:

1. you should use isset() to verify 'rowId' exists in $_POST before you access it
2. if rowId should always be an integer, you should get the integer value of the string varaible using intval() before using it in your SQL query.
3. you should use prepared statements with parameter binding in your query.