
Thread: Verify Delete JS function

  1. #1
    driveflexfuel

    Verify Delete JS function

    I am using the following JS to verify whether they wish to delete or not. For some reason when I click the delete button and click OK it does not delete the entry, but if I click it a second time it does delete it. Anyone have any suggestions to how I can solve this issue?

    Code:
    function delete_record(form)
    {
        var coupon1 = form.coupon1.value;
        var where_to = confirm("Do you really want to delete " + coupon1 + "?");
        if (where_to == true)
        {
            var delete_var = form.delete_id.value;
            var delete_url = "delete.php?id=" + delete_var;
            window.location = delete_url;
        }
    }

    This is the form

    Code:
    <form class='delete_buttons' method='POST'>
    <input type='hidden' value='" . $recc['coupon'] . "' name='coupon1' />
    <input type='hidden' value='" . $recc['id'] . "' name='delete_id' />
    <input type='image' src='images/delete.gif' title='". $index_delete . $recc['coupon'] ."' onClick='delete_record(this.form)' />
    </form>
    This is the delete.php

    Code:
    $delete_id = $_GET['id'];
    $query = "DELETE FROM coupons where id=" . $delete_id . " LIMIT 1";
    mysql_query($query);
    echo '<meta http-equiv="refresh" content="0;url=index.php" />';

  2. #2
    misson

    Re: Verify Delete JS function

    Quote Originally Posted by driveflexfuel View Post
    This is the form

    Code:
    <form class='delete_buttons' method='POST'>
    <input type='hidden' value='" . $recc['coupon'] . "' name='coupon1' />
    <input type='hidden' value='" . $recc['id'] . "' name='delete_id' />
    <input type='image' src='images/delete.gif' title='". $index_delete . $recc['coupon'] ."' onClick='delete_record(this.form)' />
    </form>

    The image input type is a submit button. If you use it, you must prevent the default submit handler. The more semantically sound approach is to use a <button> element with a style reset.

    Quote Originally Posted by driveflexfuel View Post
    Code:
    $delete_id = $_GET['id'];
    $query = "DELETE FROM coupons where id=" . $delete_id . " LIMIT 1";

    NO! NO! NO! You've opened yourself to SQL injection. Don't trust user input. Filter it with a filter function or escape it with either mysql_real_escape_string or mysql_escape_string.

  3. #3
    lemon-tree

    Re: Verify Delete JS function

    Quote Originally Posted by misson
    NO! NO! NO! You've opened yourself to SQL injection. Don't trust user input. Filter it with a filter function or escape it with either mysql_real_escape_string or mysql_escape_string

    Glad you showed me that. My site already has type error checking, length checking, format checking and so on. But the 'mysql_real_escape_string' function would add even more security.
    Thanks

  4. #4
    driveflexfuel

    Re: Verify Delete JS function

    Thanks for the info. I'm not worried about the security on this because it is under password protection and on an internal network server, but thanks for your concern.

  5. #5
    misson

    Re: Verify Delete JS function

    You trust your users (and their computers) much more than I. Hopefully none of their computers will get infected by a worm that uses SQL injection. Remember Storm?
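
Added example (not part of any post in this thread): one way to harden the delete.php handler discussed above, using integer validation via a filter function plus a bound parameter. The function names, the in-memory SQLite database standing in for the thread's MySQL table, and the sample rows and requests are all constructed assumptions.

```php
<?php
// Added example, not the poster's code. In-memory SQLite via PDO stands in
// for the thread's MySQL database so the script runs offline.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE coupons (id INTEGER PRIMARY KEY, coupon TEXT)');
    // Constructed rows.
    $pdo->exec("INSERT INTO coupons (id, coupon) VALUES (7, 'SPRING'), (8, 'SUMMER')");
    return $pdo;
}

/**
 * Delete one coupon. Returns the number of rows removed, or null when the
 * request is rejected before any SQL runs.
 */
function delete_coupon(PDO $pdo, string $method, array $post): ?int
{
    // The form declares method='POST'; do not let a plain GET URL delete data.
    if ($method !== 'POST') {
        return null;
    }
    // Escaping alone would not fix the original query: the id is concatenated
    // without quotes, so there is no string literal for escaping to protect.
    // Require a positive integer instead.
    $id = filter_var($post['delete_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameter: the value is sent as data and never parsed as SQL.
    $stmt = $pdo->prepare('DELETE FROM coupons WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample requests: wrong method, non-integer id, valid id.
$pdo = open_demo_db();
var_dump(delete_coupon($pdo, 'GET', ['delete_id' => '7']));
var_dump(delete_coupon($pdo, 'POST', ['delete_id' => '7 OR 1=1']));
var_dump(delete_coupon($pdo, 'POST', ['delete_id' => '7']));
var_dump((int) $pdo->query('SELECT COUNT(*) FROM coupons')->fetchColumn());
```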
