Use the Erase Option to Erase a Record Outside of CMS

5 posts by 3 authors in: Forums > CMS Builder
Last Post: July 13, 2015   (RSS)

By gkornbluth - July 11, 2015

Hi Andy,

I know that you can use something like the following to insert a value into an existing field in a logged in user's record in the accounts table in CMSB:

<?php
// INSERT ... SET creates a new row in the accounts table; mysql_insert_id()
// then returns the num of that row
mysql_query("INSERT INTO `{$TABLE_PREFIX}accounts` SET
              updatedDate      = NOW(),
              updatedByUserNum = '0'")
  or die("MySQL Error Creating Record:<br/>\n" . htmlspecialchars(mysql_error()) . "\n");
$userNum = mysql_insert_id();
?>

You might be able to use something like this and change the values to your table and the record to be deleted (this code will delete a current user's account!!!).

<?php
// delete account
if (@$_POST['deleteAccount']) {
  if ($CURRENT_USER['isAdmin']) { die("Error: Deleting admin accounts is not permitted!"); }

  // delete uploads
  $GLOBALS['tableName'] = 'accounts';
  eraseRecordsUploads( $CURRENT_USER['num'] );

  // delete account
  $query = mysql_escapef("DELETE FROM `{$TABLE_PREFIX}accounts` WHERE num = ?", $CURRENT_USER['num']);
  mysql_query($query) or die("MySQL Error:<br/>\n" . htmlspecialchars(mysql_error()) . "\n");
}
?>

<form method="post" action="?" onsubmit="return confirm('Are you sure you want to delete your account?')">
  <input type="submit" name="deleteAccount" value="Delete Account" />
</form>

but I'd certainly back up everything and run some thorough tests before you roll this out. There should also be some way to ensure that only the particular member can access only their authorized records.

Front end access to a database is a pretty scary thing in these times of hackers and such, but probably can be made reasonably secure.

If you're using the website membership plugin, take a look at the user profile form.

Another approach might be to flag a record for deletion by changing the value of an approved_for_deletion check box, using something like the INSERT INTO code above:

approved_for_deletion         = '0',

then either set these to auto-delete after a period of time (cron job?) or ask for confirmation of the list to be deleted from your client before deleting (the possibility to change their mind and set the check box value to 0).

After you've come up with a workable plan, I'd pass it on to Ross at consulting, and check for any vulnerability issues.

Please post your solution so we can all learn from it (don't post any personal or compromising information).

Best of luck,

Jerry Kornbluth

The first CMS Builder reference book is now available on-line!

Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

By gregThomas - July 13, 2015

Hey Andy,

You can recreate the delete function with two function calls:

<?php
// Remove the uploads first
removeUploads("`recordNum` = '5' AND `tableName` = 'blog'");

// Next remove the record itself
mysql_delete('blog', 5);
?>

So the code above would remove record num 5 from the section blog after it's deleted any uploads associated with the record. The removeUploads function's variable is a WHERE string for the uploads table, for the uploads you want to delete. The mysql_delete function takes the table name as its first variable, and the record number as the second.

I'd recommend making a full backup of the database before testing out these functions.

Thanks,

Greg

Greg Thomas

PHP Programmer - interactivetools.com
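The thread leaves the access-control question open: Greg's two calls delete whatever record number they are handed, and Jerry's concern is that a front-end page must make sure a member can only delete their own records. The following is an added example (not code from this thread and not CMS Builder's own code) of a viewer page that wraps those two calls in the checks a practitioner would want: logged-in user required, record number cast to an integer, a per-session form token checked on submit, and an ownership check that compares the record's creator with the logged-in member before anything is removed. It assumes, as the thread does, that the CMSB viewer include sets `$CURRENT_USER` and `$TABLE_PREFIX` and provides `mysql_escapef()`, `removeUploads($where)` and `mysql_delete($table, $num)` with the behaviour Greg describes; the `createdByUserNum` column, the section name `blog`, the `num` query parameter and the `deleteToken` session key are assumptions and placeholders, not names taken from the page.

```php
<?php
// Added example, not code from this thread or from CMS Builder itself.
// Front-end delete handler that only lets a logged-in member delete a record
// they created, guarded by a per-session form token.
// Assumed (not shown on the page):
//   - $CURRENT_USER and $TABLE_PREFIX are set by the CMSB viewer include;
//   - mysql_escapef(), removeUploads($where) and mysql_delete($table, $num)
//     behave as described in the thread;
//   - the section has a createdByUserNum column (labelled assumption).
// 'blog', the 'num' query parameter and 'deleteToken' are placeholders.

if (session_id() == '') { session_start(); }  // CMSB normally starts it already

$tableName = 'blog';                          // placeholder section name
$deleted   = false;

// --- Handle the submitted form ---------------------------------------------
if (@$_POST['deleteRecord']) {
  $recordNum = (int) $_POST['deleteRecord'];  // never trust the raw value

  // 1. Anonymous visitors and malformed requests are rejected outright.
  if (empty($CURRENT_USER['num'])) { die("Error: you must be logged in to delete records."); }
  if ($recordNum <= 0)             { die("Error: no record selected."); }

  // 2. Form token: issued when the form was rendered, must match on submit.
  if (empty($_SESSION['deleteToken']) || @$_POST['token'] !== $_SESSION['deleteToken']) {
    die("Error: invalid form submission, please reload the page and try again.");
  }

  // 3. Ownership check: the record's creator must be the logged-in member.
  $query  = mysql_escapef("SELECT `num`, `createdByUserNum` FROM `{$TABLE_PREFIX}{$tableName}` WHERE `num` = ?", $recordNum);
  $result = mysql_query($query) or die("MySQL Error:<br/>\n" . htmlspecialchars(mysql_error()) . "\n");
  $record = mysql_fetch_assoc($result);

  if (!$record) { die("Error: record not found."); }
  if ((int) $record['createdByUserNum'] !== (int) $CURRENT_USER['num']) {
    die("Error: you can only delete records you created.");
  }

  // 4. The two calls from Greg's post, reached only after the checks above.
  //    $recordNum is an int and $tableName is a constant, so the WHERE string
  //    contains nothing taken directly from the request.
  removeUploads("`recordNum` = '{$recordNum}' AND `tableName` = '{$tableName}'");
  mysql_delete($tableName, $recordNum);

  unset($_SESSION['deleteToken']);            // one token per deletion
  $deleted = true;
}

// --- Render the form (a fresh token is issued whenever none exists) --------
if (empty($_SESSION['deleteToken'])) {
  $_SESSION['deleteToken'] = bin2hex(openssl_random_pseudo_bytes(16));
}
$requestedNum = (int) @$_GET['num'];          // placeholder: which record to offer
?>
<?php if ($deleted): ?>
  <p>Record deleted.</p>
<?php endif ?>
<form method="post" action="?" onsubmit="return confirm('Are you sure you want to delete this record?')">
  <input type="hidden" name="token" value="<?php echo htmlspecialchars($_SESSION['deleteToken']); ?>" />
  <input type="hidden" name="deleteRecord" value="<?php echo $requestedNum; ?>" />
  <input type="submit" value="Delete Record" />
</form>
```

The ownership check is the part that answers Jerry's point: without it, any logged-in member who can reach the page could submit someone else's record number. The token stops a member being tricked into submitting the form from another site; on PHP 5.6 or later, `hash_equals()` is the better way to compare it than `!==`. If your section stores the owner in a different field, change `createdByUserNum` to match; the rest of the checks do not depend on it.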

By gkornbluth - July 13, 2015

Hi Andy,

Well, that sounds easier, and certainly cleaner, but still a dangerous approach IMHO.

I think security and vulnerability will be the larger concern.

Still, I was glad to learn about the removeUploads function.

Best,

Jerry Kornbluth

By andybarn - July 13, 2015

Thanks Greg (and Jerry for your input)

That looks pretty straightforward and could be exactly what I was looking for. I will give it a go.

As always great support!

Thanks again

Andy