<script type="text/javascript">
function confirmDelete() {
return confirm("Are you sure you want to delete?");
}
</script>
<form action="del.php" onsubmit="return confirmDelete();">
<div>
<input type="submit" name="delete" value="Delete">
</div>
</form>
... and if JavaScript is disabled, it deletes without confirmation.
If you have to use JavaScript, perhaps a slightly more secure way is to do everything in JavaScript, including the redirect...
function performDelete(DestURL) {
var ok = confirm("Are you sure you want to delete?");
if (ok) {location.href = DestURL;}
return ok;
}
<a href="#" onclick="performDelete('del.php'); return false;">Delete</a>
If you don't have JavaScript enabled then you simply have a dead link. Not very good really, but perhaps safer. (Although could href to a 'safe' page instead.)
But if someone takes a look at the code they can then see the intended action and bypass the confirmation anyway - but then it is still a deliberate action.
You could perhaps pass a query string (e.g. 'del.php?confirmed=true') in your link to del.php if it is confirmed by the user. Then check in del.php for 'confirmed=true' - if it's not present then perhaps provide a form (server side), like DrDoc suggests.
<a href="del.php" onclick="performDelete('del.php?confirmed=true'); return false;">Delete</a>
If you have to use JavaScript, perhaps a slightly more secure way is to do everything in JavaScript, including the redirect...
That would be a very, very, very bad idea.
If you don't have JavaScript enabled then you simply have a dead link. Not very good really, but perhaps safer. (Although could href to a 'safe' page instead.)
Not good at all. The foundation markup should be 100% usable even if progressive enhancements like client side confirmations are not available (i.e. the user doesn't have JavaScript enabled).
I guess it really depends on how important the confirmation is. If it's really important, then what you were saying about a 'safe' page is more along the correct lines. But I would avoid making your buttons JavaScript dependent.
Here's an updated example. You could then check the value of confirm on the del.php page as well if you wanted, and present a confirmation page if the value is false.
<script type="text/javascript">
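function confirmDelete() {
// Named "field" so the hidden input does not shadow the built-in confirm().
var field = document.getElementById("confirm");
var ok = window.confirm("Are you sure you want to delete?");
// The hidden input stores the result as the string "true" or "false".
field.value = ok;
// Return the boolean itself so that Cancel stops the form submit.
return ok;
}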
</script>
<form action="del.php" onsubmit="return confirmDelete();">
<div>
<input type="hidden" name="confirm" id="confirm" value="false">
<input type="submit" name="delete" value="Delete">
</div>
</form>
[edited by: Fotiman at 4:38 pm (utc) on Oct. 5, 2006]
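The server-side check suggested in this thread, written out as an added example (it is not code from any of the posters): del.php deletes only when the confirm field is exactly "true" and otherwise serves its own confirmation form, so a visitor with JavaScript disabled still gets asked. delete_item() is a hypothetical placeholder, and the forms are assumed to submit with their default GET method as in the markup above.

```php
<?php
// Added example: a sketch of del.php, not code posted in this thread.
// Assumes the forms above submit with their default GET method.

// Hypothetical placeholder for the application's real delete logic.
function delete_item(): void
{
}

// Only the exact string "true" counts as confirmation. A missing field,
// the hidden input's default "false" (JavaScript disabled), or an array
// sent as confirm[]=true all fall through to the confirmation page.
function delete_is_confirmed(array $params): bool
{
    return isset($params['confirm']) && $params['confirm'] === 'true';
}

// Server-rendered equivalent of the JavaScript confirm() dialog.
// Submitting it sends confirm=true back to this same script.
function render_confirmation_page(): string
{
    return <<<HTML
<!DOCTYPE html>
<title>Confirm delete</title>
<p>Are you sure you want to delete?</p>
<form action="del.php">
<div>
<input type="hidden" name="confirm" value="true">
<input type="submit" name="delete" value="Delete">
</div>
</form>
HTML;
}

if (delete_is_confirmed($_GET)) {
    delete_item();
    echo 'Deleted.';
} else {
    echo render_confirmation_page();
}
```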