CodeIgniter Forums
How Confirm before delete? - Printable Version


How Confirm before delete? - El Forum - 05-07-2009

[eluser]Michael Wales[/eluser]
Quote:I would not do a delete action via..
Completely agree - any potentially destructive request (the C, U and D in CRUD) should only be performed via POST with a nonce field.


How Confirm before delete? - El Forum - 05-07-2009

[eluser]bobbob[/eluser]
For deleting from the database I also use a token to prevent cross site forgery requests. Very rare but they do happen.

Code:
function deleteCategory($id, $yn)
    {
        // verify admin first

        $expected = $this->session->userdata('deletetoken');

        // Delete only when a token was issued and the URL segment matches it exactly;
        // a loose == can match when the session holds no token.
        if (is_string($expected) && $expected !== '' && $yn === $expected) {
            $this->db->where('id', $id);
            $this->db->delete('categories');
            // The token is single use: drop it once the delete has run
            $this->session->unset_userdata('deletetoken');
            redirect('admin');
        }
        if ($yn == 'no') {
            // First visit: issue a fresh token and ask for confirmation
            $token = substr(sha1(microtime()), 4, 30);
            $this->session->set_userdata('deletetoken', $token);
            echo 'Are you sure you want to delete the category?<br>';
            $url = "admin/deleteCategory/$id/$token";
            echo '<a href="'.site_url($url).'">YES</a>';
            $url = "admin/deleteCategory/$id/cancel";
            echo '<br><br><a href="'.site_url($url).'">CANCEL</a>';
        }
        if ($yn == 'cancel') {
            // do nothing and return
            redirect('admin');
        }
    }

This prevents a cross site forgery request as the token is unique for each delete. Even better would be to do the same thing via POST.
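
The POST variant that the posts above recommend, as an added example that is not part of the original thread. It is plain PHP in which `$session` stands in for the framework's session store (an assumption) and the function names are hypothetical; the sample requests at the end are constructed.

```php
<?php
// Added example: POST-only delete guarded by a single-use nonce bound to the record id.
// $session stands in for the framework session store (assumption); names are hypothetical.

function issue_delete_token(array &$session, int $id): string
{
    $token = bin2hex(random_bytes(16));          // CSPRNG, not derived from the clock
    $session['delete_token'] = ['id' => $id, 'value' => $token];
    return $token;
}

function confirm_form(int $id, string $token): string
{
    // The nonce travels in a hidden field, so it never appears in URLs or Referer headers.
    return '<form method="post" action="/admin/deleteCategory/' . $id . '">'
         . '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
         . '<button type="submit">YES</button> <a href="/admin">CANCEL</a></form>';
}

function may_delete(array &$session, string $method, int $id, array $post): bool
{
    $stored = $session['delete_token'] ?? null;
    unset($session['delete_token']);             // single use, even when the check fails
    if ($method !== 'POST' || !is_array($stored) || $stored['id'] !== $id) {
        return false;
    }
    $sent = $post['token'] ?? '';
    return is_string($sent) && hash_equals($stored['value'], $sent);
}

// Constructed requests against an in-memory session.
$session = [];
$token = issue_delete_token($session, 7);
echo confirm_form(7, $token), "\n";
var_dump(may_delete($session, 'POST', 7, ['token' => $token]));   // genuine confirmation
var_dump(may_delete($session, 'POST', 7, ['token' => $token]));   // replay of a used token

$token = issue_delete_token($session, 7);
var_dump(may_delete($session, 'GET', 7, ['token' => $token]));    // wrong request method

$token = issue_delete_token($session, 7);
var_dump(may_delete($session, 'POST', 8, ['token' => $token]));   // token issued for another id

var_dump(may_delete($session, 'POST', 7, ['token' => '']));       // no token was ever issued
```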


How Confirm before delete? - El Forum - 09-23-2009

[eluser]augustowloch[/eluser]
Agree with Michael Wales,

It's also useful sometimes to show something other than just a confirm popup.
When I'm deleting a record, I like to show a complete detail of the record to be deleted, so the user can be sure what's being deleted. BTW, sometimes I also make some validations and show extra warnings in this confirmation form, before the real deletion.

So, in conclusion, if the nature of the data being deleted doesn't deserve more attention than a simple pop-up warning, just use JS, or nothing at all, but if you are developing an ERP and want to confirm before deleting an invoice, well... I recommend showing a form detailing the invoice, and spending 1 extra trip (POST) to the server. (It could be shown via AJAX to make it look nice, but it is still an extra trip to the server :) )