Reputation: 53
I am having some trouble trying to delete a member from the database I'm using. I don't think it is getting the Username correctly. Here is the form I am using for HTML:
<?php
//begin our session
session_start();
?>
<html>
<head>
    <title>Welcome</title>
</head>
<body>
<form action="deleteUser.php">
    <p>
        <center><label for="Username">Enter username to delete</label></center>
        <center><input type="text" id="Username" name="Username" value="" maxlength="20" /></center>
        <center><input type="submit" value="Delete Member"></center>
    </p>
</form>
</body>
</html>
And this is the code to handle the deletion itself:
<?php
//begin our session
session_start();
//Check if username, password have been sent
if((!filter_input(INPUT_POST, 'Username')))
{
    echo 'Please enter a valid username';
}
else
{
    //Enter the valid data into the database
    $memberUsername = filter_input(INPUT_POST, 'Username', FILTER_SANITIZE_STRING);
    echo $memberUsername;
    $SQLhostname = "****";
    $SQLusername = "****";
    $SQLpassword = "****";
    $databaseName = "****";
    try
    {
        echo "in the try block";
        // Create connection
        $conn = mysqli_connect($SQLhostname, $SQLusername, $SQLpassword)
            or die("Unable to connect MySQL");
        $db_selected = mysqli_select_db($conn, $databaseName)
            or die("Could not select database");
        $deleteMember = "DELETE FROM customers
            WHERE name =
            '$memberUsername'";
        $result = $conn->query($deleteMember);
        if(! $result ){
            die('Could not delete member: ' . $conn->error);
        }
        else{
            echo "Member deleted <br/>";
        }
        mysqli_close($conn);
    }
    catch (Exception $ex)
    {
        //To be added
    }
}
?>
The problem is it always enters the if statement and asks for a valid username, which I'm assuming is not being set.
Upvotes: 2
Views: 60
Reputation: 74216
Just as a quick FYI:
Whenever a method is omitted in a form, it defaults to GET and you're using INPUT_POST, therefore you should either be using INPUT_GET or add a post method, i.e. method="post".
Consult the manual:
Plus, and for your added safety, your code is open to SQL injection. Do use mysqli with prepared statements, or PDO with prepared statements; they're much safer.
Upvotes: 1
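What the answer above recommends (reading the POSTed field and deleting through a mysqli prepared statement), as an added example that is not part of the original thread. It assumes the form is submitted with method="post"; the helper name deleteMember is hypothetical, and the "****" connection values are placeholders as in the question.

```php
<?php
// Added example, not the original poster's code. Assumes method="post" on the
// form and the customers.name column from the question; "****" are placeholders.
declare(strict_types=1);
session_start();

// Make mysqli throw mysqli_sql_exception so the catch block is actually reached.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper: delete one customer by name, return the rows removed.
 * The username travels as a bound parameter, never as part of the SQL text.
 */
function deleteMember(mysqli $conn, string $username): int
{
    $stmt = $conn->prepare('DELETE FROM customers WHERE name = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// The delete is accepted only from a POST submission, matching INPUT_POST below.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Submit the form with method="post".');
}

// Read the raw value; maxlength="20" is only a browser hint, so enforce it here too.
$memberUsername = trim((string) filter_input(INPUT_POST, 'Username', FILTER_UNSAFE_RAW));
if ($memberUsername === '' || strlen($memberUsername) > 20) {
    exit('Please enter a valid username');
}

try {
    $conn = new mysqli('****', '****', '****', '****'); // host, user, password, database
    $deleted = deleteMember($conn, $memberUsername);
    $conn->close();
    // Escape on output: the value is user input echoed back into HTML.
    $safeName = htmlspecialchars($memberUsername, ENT_QUOTES, 'UTF-8');
    echo $deleted > 0 ? "Member {$safeName} deleted <br/>" : "No member named {$safeName}";
} catch (mysqli_sql_exception $ex) {
    error_log('Delete failed: ' . $ex->getMessage()); // details stay in the server log
    http_response_code(500);
    echo 'Could not delete member';
}
```

With the bound parameter, a value such as `x' OR '1'='1` is compared as a literal name and matches no row, whereas the interpolated query in the question would delete every customer.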
Reputation: 117
In the form tag, add the "method" attribute:
<form ... method="POST">
In the PHP script you can find the value of inputs in the variable $_GET:
$_GET['Username']
Kevin
Upvotes: 0
Reputation: 12039
Add method attribute to your form.
<form action="deleteUser.php" method="post">
                          <!--^^^^^^^^^^-->
    <p>
        <center><label for="Username">Enter username to delete</label></center>
        <center><input type="text" id="Username" name="Username" value="" maxlength="20" /></center>
        <center><input type="submit" value="Delete Member"></center>
    </p>
</form>
Upvotes: 2