So simple, yet not working

Posted: Thu Apr 15, 2010 7:54 am
by drumking88
I can't believe this, but my simple query isn't working. My code is as follows:

(all database configs are already included at the top of the page.)


Code:

<?php
// Building name submitted from the form, dropped straight into the SQL string.
$bName = $_POST['building_name'];

$delete_query1 = "DELETE FROM locations WHERE Name = '$bName'";

$delete_query = mysql_query($delete_query1);

if ($delete_query)
{
	echo "$bName has successfully been deleted from the system. ";
}


Re: So simple, yet not working

Posted: Thu Apr 15, 2010 7:58 am
by Technocrat
Without more code or information I don't know if we can help you. What you have here appears fine.

However, you do realize your code is very insecure and open to XSS attacks?

Re: So simple, yet not working

Posted: Thu Apr 15, 2010 9:50 am
by Weiry
drumking88 wrote:
I can't believe this, but my simple query isn't working. My code is as follows:

(all database configs are already included at the top of the page.)

Code:

$bName = $_POST['building_name'];

$delete_query1 = "DELETE FROM locations WHERE Name = '$bName'";

$delete_query = mysql_query($delete_query1);

if ($delete_query)
{
	echo "$bName has successfully been deleted from the system. ";
}

Please try to get into the habit of using proper formatting in your SQL. So many problems I've seen can be fixed just by doing it correctly.
I also agree with Technocrat, you do need to ensure that you are protecting your database against SQL injections. Check my posted code for the answer.
Also, make sure you specify your database connection when using mysql_query().

Code:

<?php
$bName = $_POST['building_name'];

// This is where you add some protection against SQL injections:
// mysql_real_escape_string() escapes the value for the given connection, and
// sprintf() puts the escaped value where the %s placeholder sits in the string.
// name='%s', age='%s' could take $name, $age in the same order, as an example.
// Read up on the sprintf() and mysql_real_escape_string() functions.
$delete_query1 = sprintf("DELETE FROM `locations` WHERE `Name` = '%s' ",
                         mysql_real_escape_string($bName, $databaseConnection));
$delete_query = mysql_query($delete_query1, $databaseConnection); // Pass your database connection too.

if ($delete_query) {
	print "{$bName} has successfully been deleted from the system. ";
} else {
	print "{$bName} was not deleted.<br/>MySQL Error: " . mysql_error($databaseConnection);
	// Make sure you print out a worthwhile answer, it may hold some clues.
}
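As an added illustration of the injection risk Technocrat and Weiry are pointing at (this is not code from the thread), the following Python script runs the thread's DELETE against a constructed in-memory SQLite table in three forms: the original string interpolation, quote-escaping in the spirit of mysql_real_escape_string(), and a bound parameter, which is the form to prefer. The table name, column and sample rows are assumptions made up for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the thread's `locations` table.
SAMPLE_LOCATIONS = ["Gym", "Library", "O'Brien Hall"]


def fresh_db():
    """Build an in-memory copy of the table so each call starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE locations (Name TEXT)")
    conn.executemany("INSERT INTO locations (Name) VALUES (?)",
                     [(name,) for name in SAMPLE_LOCATIONS])
    return conn


def remaining(conn):
    return [row[0] for row in conn.execute("SELECT Name FROM locations ORDER BY Name")]


def delete_interpolated(conn, building_name):
    """Mirrors the original post: the submitted value is pasted into the SQL text.
    Returns the surviving names, or None when the value broke the statement."""
    sql = f"DELETE FROM locations WHERE Name = '{building_name}'"
    try:
        conn.execute(sql)
    except sqlite3.OperationalError:  # e.g. an apostrophe in a legitimate name
        return None
    return remaining(conn)


def sql_quote(value):
    """Simplified stand-in for mysql_real_escape_string(): doubling the quote is the
    SQL-standard escape and what SQLite expects. A real driver must also know the
    connection's character set, one reason bound parameters are preferred."""
    return value.replace("'", "''")


def delete_escaped(conn, building_name):
    """Weiry's approach: escape first, then drop the value into the quoted literal."""
    conn.execute(f"DELETE FROM locations WHERE Name = '{sql_quote(building_name)}'")
    return remaining(conn)


def delete_parameterized(conn, building_name):
    """Bound parameter: the value travels separately and is never parsed as SQL."""
    conn.execute("DELETE FROM locations WHERE Name = ?", (building_name,))
    return remaining(conn)


if __name__ == "__main__":
    crafted = "' OR '1'='1"  # wipes the table via interpolation, harmless otherwise
    print("interpolated :", delete_interpolated(fresh_db(), crafted))   # []
    print("escaped      :", delete_escaped(fresh_db(), crafted))        # all 3 rows survive
    print("parameterized:", delete_parameterized(fresh_db(), crafted))  # all 3 rows survive
```

The interpolated form also fails outright on an honest name containing an apostrophe, which is usually the first symptom that a query is being assembled by hand.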

Re: So simple, yet not working

Posted: Thu Apr 15, 2010 10:26 am
by timWebUK
Out of interest Weiry, is there any need to use sprintf, if you're going to format them as a string anyway?

Re: So simple, yet not working

Posted: Thu Apr 15, 2010 10:42 am
by Weiry
sprintf() is usually used in conjunction with mysql_real_escape_string() where queries are concerned.
Mainly, I think, for code tidiness.
I don't like to have 10 lines of code defining variables, then 10 lines of escaping, then 10 lines for inserting into the query. (slight exaggeration)
I would rather have 11 lines, which define the query and insert formatted, escaped string variables.
You could indeed not use sprintf(), but you might end up with something like this.

Code:

<?php
// Without sprintf(): escaping and concatenation tangled together in one long line.
$myQuery = "INSERT INTO `table` (`id`,`name`,`age`,`city`,`street`,`postCode`) VALUES ";
$myQuery .= "('".mysql_real_escape_string($id)."', '".mysql_real_escape_string($name)."', '".mysql_real_escape_string($age)."', '".mysql_real_escape_string($city)."', '".mysql_real_escape_string($street)."', '".mysql_real_escape_string($postCode)."')";

// With sprintf(): the query shape stays readable and each %s is filled, in order, by an escaped value.
$myQuery = sprintf("INSERT INTO `table` (`id`,`name`,`age`,`city`,`street`,`postCode`) VALUES ('%s','%s','%s','%s','%s','%s')",
    mysql_real_escape_string($id),
    mysql_real_escape_string($name),
    mysql_real_escape_string($age),
    mysql_real_escape_string($city),
    mysql_real_escape_string($street),
    mysql_real_escape_string($postCode)
);