So simple, yet not working

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

drumking88
Forum Newbie
Posts: 9
Joined: Tue Apr 28, 2009 4:32 pm

So simple, yet not working

Post by drumking88 »

I can't believe this, but my simple query isn't working. My code is as follows:

(all database configs are already included at the top of the page.)


Code:

$bName = $_POST['building_name'];

$delete_query1 = "DELETE FROM locations WHERE Name = '$bName'";

$delete_query = mysql_query($delete_query1);

if ($delete_query)
{
	echo "$bName has successfully been deleted from the system. ";
}

Technocrat
Forum Contributor
Posts: 127
Joined: Thu Oct 20, 2005 7:01 pm

Re: So simple, yet not working

Post by Technocrat »

Without more code or information I don't know if we can help you. What you have here appears fine.

However, you do realize your code is very insecure and open to XSS attacks?
Weiry
Forum Contributor
Posts: 323
Joined: Wed Sep 09, 2009 5:55 am
Location: Australia

Re: So simple, yet not working

Post by Weiry »

drumking88 wrote: I can't believe this, but my simple query isn't working. My code is as follows: (code as in the original post above)

Please try to get into the habit of using proper formatting in your SQL. So many problems I've seen can be fixed just by doing it correctly.
I also agree with Technocrat: you do need to ensure that you are protecting your database against SQL injection. Check my posted code for the answer.
Also, make sure you specify your database connection when using mysql_query().

Code:

// Note: the mysql_* functions used here were removed in PHP 7.0; on current PHP use mysqli or PDO.
$bName = $_POST['building_name'];

// Escape the value against the same connection the query will run on, then drop it
// into a quoted '%s' placeholder. This is where you add protection against SQL injection.
// %s simply means "the argument at the same position after the format string":
// name='%s', age='%s' could be $name, $age, for example.
// Read up on the sprintf() and mysql_real_escape_string() functions.
$delete_query1 = sprintf("DELETE FROM `locations` WHERE `Name` = '%s'",
    mysql_real_escape_string($bName, $databaseConnection)
);
$delete_query = mysql_query($delete_query1, $databaseConnection); // Define your database connection too.

// htmlspecialchars() so the user-supplied name cannot inject markup (the XSS Technocrat mentioned).
if ($delete_query) {
    print htmlspecialchars($bName) . " has successfully been deleted from the system. ";
} else {
    // Print something worthwhile; the error message may hold some clues.
    print htmlspecialchars($bName) . " was not deleted.<br/>MySQL Error: " . mysql_error($databaseConnection);
}
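Nothing in the thread actually shows what the injection does, and the mysql_* extension Weiry's fix relies on is gone from PHP 7, so here is an added example (not from the thread or from any of the posters) that runs the first post's interpolated DELETE, Weiry's escape-then-quote version, and a prepared statement side by side. Assumptions: PHP with the pdo_sqlite driver, an in-memory SQLite database standing in for MySQL, PDO::quote() standing in for mysql_real_escape_string(), and a constructed `locations` table, sample rows and payloads.

```php
<?php
// Added example, not code from the original thread. Everything here (table,
// rows, payloads, function names) is constructed for the demo. Requires the
// pdo_sqlite driver; PDO::quote() plays the role of mysql_real_escape_string().
declare(strict_types=1);

// Fresh in-memory table with three constructed rows, one containing a quote.
function freshDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE locations (id INTEGER PRIMARY KEY, Name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO locations (Name) VALUES (?)');
    foreach (['Library', 'Gym', "O'Brien Hall"] as $name) {
        $ins->execute([$name]);
    }
    return $pdo;
}

function rowCount(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM locations')->fetchColumn();
}

// 1. The original post: the POSTed value is interpolated straight into the SQL.
//    A value like  nothing' OR '1'='1  closes the literal and appends a
//    condition that matches every row, so the whole table is deleted.
function deleteInterpolated(PDO $pdo, string $bName): int
{
    return $pdo->exec("DELETE FROM locations WHERE Name = '$bName'");
}

// 2. Weiry's fix: escape the value and place it in a quoted literal.
//    PDO::quote() adds the surrounding quotes itself, so the template has none.
//    The quote inside the payload is doubled and the whole thing is just a name.
function deleteEscaped(PDO $pdo, string $bName): int
{
    $sql = sprintf('DELETE FROM locations WHERE Name = %s', $pdo->quote($bName));
    return $pdo->exec($sql);
}

// 3. What to write today: a prepared statement. The value is sent separately
//    from the SQL text, so there is nothing to escape and nothing to get wrong.
function deletePrepared(PDO $pdo, string $bName): int
{
    $stmt = $pdo->prepare('DELETE FROM locations WHERE Name = ?');
    $stmt->execute([$bName]);
    return $stmt->rowCount();
}

// Caveat on approach 2: escaping only protects a value inside a quoted literal.
// If the template leaves the placeholder unquoted (common for numeric columns),
// there is no quote for the attacker to break out of and the escaping step is
// irrelevant:  WHERE id = 1 OR 1=1  matches every row.
function deleteEscapedUnquoted(PDO $pdo, string $id): int
{
    $escaped = str_replace("'", "''", $id);   // the escaping step without the quotes
    return $pdo->exec(sprintf('DELETE FROM locations WHERE id = %s', $escaped));
}

// Run one variant against a fresh table and report how many rows it removed.
function runCase(string $label, callable $delete, string $input): void
{
    $pdo = freshDb();
    $before = rowCount($pdo);
    try {
        $deleted = $delete($pdo, $input);
        printf("%-20s input=%-24s deleted %d of %d rows\n", $label, json_encode($input), $deleted, $before);
    } catch (PDOException $e) {
        // The interpolated version cannot even handle a legitimate name with a quote in it.
        printf("%-20s input=%-24s query failed: %s\n", $label, json_encode($input), $e->getMessage());
    }
}

$payload = "nothing' OR '1'='1";   // constructed injection payload for a quoted context
runCase('interpolated', 'deleteInterpolated', $payload);
runCase('escaped', 'deleteEscaped', $payload);
runCase('prepared', 'deletePrepared', $payload);
runCase('interpolated', 'deleteInterpolated', "O'Brien Hall");
runCase('prepared', 'deletePrepared', "O'Brien Hall");
runCase('escaped, unquoted', 'deleteEscapedUnquoted', '1 OR 1=1');   // constructed payload for a numeric column
```

Save it as a file and run it with the php CLI. The interpolated version wipes the table on the payload and throws a syntax error on a real name containing an apostrophe; the escaped and prepared versions delete nothing on the payload and exactly one row for "O'Brien Hall". The last case is the one to remember: mysql_real_escape_string() and its equivalents are only a correct defence when the placeholder is quoted and the escaper knows the connection's character set, which is why prepared statements are the default answer now.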
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: So simple, yet not working

Post by timWebUK »

Out of interest Weiry, is there any need to use sprintf, if you're going to format them as a string anyway?
Weiry
Forum Contributor
Posts: 323
Joined: Wed Sep 09, 2009 5:55 am
Location: Australia

Re: So simple, yet not working

Post by Weiry »

sprintf() is usually used in conjunction with mysql_real_escape_string() where queries are involved.
Mainly, I think, for code tidiness.
I don't like to have 10 lines of code defining variables, then 10 lines of escaping, then 10 lines for inserting into the query. (slight exaggeration)
I would rather have 11 lines, which define the query and insert formatted escaped string variables.
You could indeed not use sprintf(), but you might end up with something like this.

Code:

// Without sprintf(): escape each value inline and concatenate (continuation follows the column list).
$myQuery  = "INSERT INTO `table` (`id`,`name`,`age`,`city`,`street`,`postCode`) VALUES ";
$myQuery .= "('".mysql_real_escape_string($id)."', '".mysql_real_escape_string($name)."', '".mysql_real_escape_string($age)."', ";
$myQuery .= "'".mysql_real_escape_string($city)."', '".mysql_real_escape_string($street)."', '".mysql_real_escape_string($postCode)."')";

// With sprintf(): one template with a quoted '%s' per column, and the escaped values in the same order.
$myQuery = sprintf("INSERT INTO `table` (`id`,`name`,`age`,`city`,`street`,`postCode`) VALUES ('%s','%s','%s','%s','%s','%s')",
    mysql_real_escape_string($id),
    mysql_real_escape_string($name),
    mysql_real_escape_string($age),
    mysql_real_escape_string($city),
    mysql_real_escape_string($street),
    mysql_real_escape_string($postCode)
);