What'd I mess up on? (Delete row MySQL) - Webmaster Forums - Webmaster forum for HTML, PHP, ASP, CSS and more
11-05-2007, 10:23 AM   #1
Junior Member
Join Date: May 2006
Posts: 2
What'd I mess up on? (Delete row MySQL)

I'm trying to develop a script that would allow deletion of a specific row, and it's working semi-okay.

Only problem is, it's not deleting. Figures, eh?

PHP Code:
<?php
// connection info here

mysql_connect($DBhost, $DBuser, $DBpass) or die("There was a connection error and I am unable to continue");

@mysql_select_db("$DBName") or die("I was not able to connect to the database");

if ($_GET['delete']) {
    $item = $_GET['delete'];
    mysql_query("DELETE FROM $table WHERE pilot_id='$id'") or die(mysql_error());
}

// Get all the data from the "example" table
$result = mysql_query("SELECT * FROM $table WHERE status='P5' ORDER BY pilot_id")
    or die(mysql_error());

echo "<table width='100%' border='0'>";
echo "<tr> <td class='heading' width='15'><span style='font-size:8px;'>Edit</span></td> <td class='heading' width='25'><span style='font-size:8px;'>Delete</span></td> <td class='heading' width='25'>ID</td> <td class='heading' width='200'>Name</td> <td class='heading' width='100'>Hub</td> <td class='heading'>Email</td></tr>";
// keeps getting the next row until there are no more to get
while ($row = mysql_fetch_array($result)) {
    // Print out the contents of each row into a table
    echo "<tr><td style='font-size:8px'>";
    echo "Edit";
    echo "</td><td style='font-size:8px'>";
    echo '<a href="?delete='.$row['pilot_id'].'">Delete</a>';
    echo "</td><td>";
    echo $row['pilot_id'];
    echo "</td><td>";
    echo $row['name'];
    echo "</td><td>";
    echo $row['hub'];
    echo "</td><td>";
    echo $row['email'];
    echo "</td></tr>";
}

echo "</table>";
?>
I'm sure it's a simple fix, but I just can't see where I went wrong. Any advice?
zTagged

11-06-2007, 05:18 AM   #2
Junior Member
Join Date: Nov 2007
Posts: 2
Re: What'd I mess up on? (Delete row MySQL)

I guess the problem is at this line
Code:
if($_GET['delete']){
$item = $_GET['delete'];
mysql_query("DELETE FROM $table WHERE pilot_id='$id'") or die(mysql_error());
}
You may try the following code
Code:
if($_GET['delete']){
$item = $_GET['delete'];
mysql_query("DELETE FROM $table WHERE pilot_id='$item'") or die(mysql_error());
}
edpudol

11-17-2007, 01:12 PM   #3
Junior Member
Join Date: Nov 2007
Posts: 8
Re: What'd I mess up on? (Delete row MySQL)

Quote:
Originally Posted by edpudol
I guess the problem is at this line
Code:
if($_GET['delete']){
$item = $_GET['delete'];
mysql_query("DELETE FROM $table WHERE pilot_id='$id'") or die(mysql_error());
}
You may try the following code
Code:
if($_GET['delete']){
$item = $_GET['delete'];
mysql_query("DELETE FROM $table WHERE pilot_id='$item'") or die(mysql_error());
}
I'd like to point out that doing things like this:
Code:
mysql_query("DELETE FROM $table WHERE pilot_id='$item'") or die(mysql_error());
Is a bad habit to get into. You should be very careful when feeding variables into SQL strings. This can lead to what's called an SQL Injection attack, if the variable came from user-entered content, such as on a form post or a GET var.

The better practice to get yourself into the habit of:

Code:
$item = mysql_escape_string($_GET['delete']); 
mysql_query("DELETE FROM $table WHERE pilot_id='$item'") or die(mysql_error());
If I were a hacker on your site, I could easily delete all the rows in your table by adding some extra content on the URL (unless you escape the incoming data).

See the PHP manual:

PHP: mysql_escape_string - Manual

Regards,
Mark
websiterepairguys
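
Added example, not part of the original thread: the same delete handler written with a PDO prepared statement and integer validation, since the mysql_* functions used above were removed in PHP 7. The `pilots` table name, the in-memory SQLite database, and the sample rows and inputs are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Column names follow the original
// post; the table name, SQLite database and sample rows are constructed.
declare(strict_types=1);

function deletePilot(PDO $db, string $rawId): int
{
    // Accept only a plain positive integer; anything else never reaches SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0;
    }
    // The placeholder sends the value separately from the SQL text, so it can
    // only ever be compared against pilot_id, never parsed as SQL.
    $stmt = $db->prepare('DELETE FROM pilots WHERE pilot_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows actually deleted
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pilots (pilot_id INTEGER PRIMARY KEY, name TEXT, status TEXT)");
$db->exec("INSERT INTO pilots VALUES (1,'Ann','P5'),(2,'Bob','P5'),(3,'Cy','P5')");

$remaining = fn() => (int) $db->query('SELECT COUNT(*) FROM pilots')->fetchColumn();

// Constructed values for the ?delete= parameter: one valid id, then inputs
// that the string-built query in the thread would have passed into the SQL.
foreach (["2", "2' OR '1'='1", "", "abc"] as $input) {
    $deleted = deletePilot($db, $input);
    printf("input=%-16s deleted=%d remaining=%d\n",
        var_export($input, true), $deleted, $remaining());
}
```

Only the first input removes a row; the others are rejected by the integer check before any query runs.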