I recently had to revamp some code that I wrote in 2004 for deleting records from a file.
Page 1 - find the record to delete
Page 2 - confirm deletion
Page 3 - deletion success.
Page 1 took a value from a form, sent it using the get method to another page which included a form that requested the user to confirm file deletion. When the "confirm" button was pressed, the form on this page deleted the file and passed the user to a page that gave a message "deletion success", also using the get method.
I revamped the server side code to change the database used, and the username to the one on our new server (lots of editing needed here).
When I tested the delete user page, it ran straight through the second page, deleted the record without confirmation, and showed the success page.
It took me a long time to work out what the problem was.
Both forms used the get method with a variable name of ID. When the second form received the ID, it assumed that the ID was the same one as on its own page, and passed it straight to the deletion success page, deleting the record in the process, but not asking for confirmation.
The solution was to change the method of the second form to POST. Simple to do but hard to solve. Took me some three hours of puzzling.
It could also have been solved by changing the variable name in the second form.
Hope someone finds this useful.
Merry Christmas to you all
Typically, a GET method should not be used in any part of a destructive operation like a DELETE. You could also use a session variable.
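Added example (not the poster's code, and in Python rather than whatever the original pages used): a model of the confirmation page from the post above, with the buggy "delete as soon as an ID arrives" behaviour beside a version that only renders the form on GET and deletes only on a POST whose ID matches the record remembered in the session, as the reply suggests. `Request`, `records` and the session dict are assumed stand-ins for the real request and database.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Assumed stand-in for a web request: method, URL parameters, form body, session."""
    method: str                                  # "GET" or "POST"
    query: dict = field(default_factory=dict)    # URL parameters (GET)
    form: dict = field(default_factory=dict)     # POST body fields
    session: dict = field(default_factory=dict)  # server-side session store


def confirm_page_buggy(req, records):
    """Original behaviour: both forms use GET with the same variable name 'ID',
    so page 2 cannot tell 'arrived from page 1' apart from 'user pressed confirm'.
    Any request carrying ID deletes immediately, and the confirmation is skipped."""
    rec_id = req.query.get("ID")
    if rec_id is not None:
        records.pop(rec_id, None)
        return "deleted"
    return "show_confirm"


def confirm_page_fixed(req, records):
    """Fixed behaviour: a GET only shows the confirmation form and notes the
    pending record in the session; deletion happens only on a POST whose ID
    matches that pending record, so neither a link from page 1 nor a stray
    GET with an ID in it can delete anything."""
    if req.method == "GET":
        rec_id = req.query.get("ID")
        if rec_id is None or rec_id not in records:
            return "not_found"
        req.session["pending_delete"] = rec_id
        return "show_confirm"
    if req.method == "POST":
        rec_id = req.form.get("ID")
        if rec_id is None or rec_id != req.session.get("pending_delete"):
            return "rejected"          # no confirmation step preceded this POST
        del req.session["pending_delete"]
        records.pop(rec_id, None)
        return "deleted"
    return "rejected"                  # any other method is not a delete


if __name__ == "__main__":
    db = {"42": "alice"}               # constructed sample records
    print(confirm_page_buggy(Request("GET", query={"ID": "42"}), dict(db)))  # deleted
    sess = {}
    print(confirm_page_fixed(Request("GET", query={"ID": "42"}, session=sess), db))
    print(confirm_page_fixed(Request("POST", form={"ID": "42"}, session=sess), db))
```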