Delete Record via URL Variable

CGoal
Forum Newbie
Posts: 4
Joined: Fri Jul 30, 2010 3:13 pm

Delete Record via URL Variable

Post by CGoal »

I have a display_news.php page that displays records from a database


<tr>
<td width="10%" bgcolor="<?php echo $row_color; ?>">
<?php echo $row["NEWS_DATE2"]; ?></td>
<td width="30%" bgcolor="<?php echo $row_color ?>"><b>
<?php echo $row["NEWS_TITLE"];?></b></td>
<td width="50%" bgcolor="<?php echo $row_color ?>">
<?php echo $row["NEWS_DESC"];?></td>
<td width="10%" bgcolor="<?php echo $row_color ?>">
<a class="menuLink" href="/prep_admin/delete_news.php?d_id=<?php echo $row["DB_ID"]; ?>">delete</a></td>
</tr>
The "delete" link on the last line calls delete_news.php.

I can't figure out what my delete_news.php should be.
This is not working:

<?php

$con = mysql_connect("*******","********","********");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("**********", $con);
$sql="DELETE FROM PREP_NEWS WHERE DB_ID = $d_ID ";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
mysql_close($con) ;
header('Location:http://*************/prep_admin/display_news.php');

?>
I've tried putting $d_id in the delete statement in single quotes... no luck.
Reviresco
Forum Contributor
Posts: 172
Joined: Tue Feb 19, 2008 4:18 pm
Location: Milwaukee

Re: Delete Record via URL Variable

Post by Reviresco »

<?php
$d_ID = $_GET['d_id'];

$con = mysql_connect("*******","********","********");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("**********", $con);
$sql="DELETE FROM PREP_NEWS WHERE DB_ID = '$d_ID' ";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
mysql_close($con) ;
header('Location:http://*************/prep_admin/display_news.php');

?>
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: Delete Record via URL Variable

Post by John Cartwright »

Note the following script would allow for SQL injection.

For instance, imagine someone requested

delete_news.php?d_id=' OR '1' = '1

which creates...

$sql="DELETE FROM PREP_NEWS WHERE DB_ID = '' OR '1' = '1' ";

which deletes your entire table's contents.

Simple solution: if you are expecting an integer, cast it to an integer with (int) or intval(). Furthermore, be sure to pass ALL USER INPUT through mysql_real_escape_string().

Google has a ton of information on the subject if you require further explanation.
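John Cartwright's point, as an added example that is not code from this thread or from any of its posters: a runnable PHP script that sends the `' OR '1' = '1` payload to a string-interpolated DELETE like the one above and then to a hardened version that validates d_id as an integer and binds it as a prepared-statement parameter. It uses PDO with an in-memory SQLite database so it runs offline with no MySQL server; the table PREP_NEWS and column DB_ID are the thread's, the three sample rows are constructed, and PDO prepared statements stand in for the mysql_* extension (removed in PHP 7 and later) and for mysql_real_escape_string().

```php
<?php
// Added example (not from the thread): reproduce the SQL injection described
// above, then show the hardened delete. Runs offline against an in-memory
// SQLite database via PDO; the sample rows are constructed for the demo.
declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE PREP_NEWS (DB_ID INTEGER PRIMARY KEY, NEWS_TITLE TEXT)');
    // Constructed sample data standing in for the poster's news rows.
    $db->exec("INSERT INTO PREP_NEWS (DB_ID, NEWS_TITLE) VALUES (1,'first'), (2,'second'), (3,'third')");
    return $db;
}

function rowCount(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM PREP_NEWS')->fetchColumn();
}

// The vulnerable shape from the thread: the URL value is pasted into the SQL text,
// so the quotes inside the payload close the literal and add an always-true OR.
function deleteVulnerable(PDO $db, string $d_id): int {
    $sql = "DELETE FROM PREP_NEWS WHERE DB_ID = '$d_id' ";
    return $db->exec($sql);            // number of rows deleted
}

// Hardened shape: refuse anything that is not a plain integer, then bind the
// value as a parameter so the database never sees it as SQL syntax.
function deleteHardened(PDO $db, string $d_id): int {
    if (filter_var($d_id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('d_id must be an integer');
    }
    $stmt = $db->prepare('DELETE FROM PREP_NEWS WHERE DB_ID = :id');
    $stmt->bindValue(':id', (int) $d_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();           // number of rows deleted
}

$payload = "' OR '1' = '1";            // the d_id value from the forum post

// 1. Vulnerable delete with the payload: every row goes.
$db = makeDb();
$deleted = deleteVulnerable($db, $payload);
printf("vulnerable: deleted %d rows, %d remain\n", $deleted, rowCount($db));

// 2. Hardened delete with the same payload: rejected before any SQL runs.
$db = makeDb();
try {
    deleteHardened($db, $payload);
} catch (InvalidArgumentException $e) {
    printf("hardened: rejected payload (%s), %d rows remain\n", $e->getMessage(), rowCount($db));
}

// 3. Hardened delete with a legitimate id: only that row goes.
$deleted = deleteHardened($db, '2');
printf("hardened: deleted %d row(s), %d remain\n", $deleted, rowCount($db));
```

Run it with `php delete_demo.php` (any file name will do). The first call empties the table, the second never reaches the database, and the third removes only DB_ID 2. The integer check is the cheap part; the binding is what makes the query safe regardless of what the parameter contains, which is why it is preferred over escaping the value into the SQL string.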