Delete Record via URL Variable

Posted: Fri Sep 10, 2010 1:35 pm
by CGoal
I have a display_news.php page that displays records from a database.

<tr>
<td width="10%" bgcolor="<?php echo $row_color; ?>">
<?php echo $row["NEWS_DATE2"]; ?></td>
<td width="30%" bgcolor="<?php echo $row_color ?>"><b>
<?php echo $row["NEWS_TITLE"];?></b></td>
<td width="50%" bgcolor="<?php echo $row_color ?>">
<?php echo $row["NEWS_DESC"];?></td>
<td width="10%" bgcolor="<?php echo $row_color ?>">
<a class="menuLink" href="/prep_admin/delete_news.php?d_id=<?php echo $row["DB_ID"]; ?>">delete</a></td>
</tr>
That delete link in the last line will call delete_news.php.

I can't figure out what my delete_news.php would be. This is not working:

<?php

$con = mysql_connect("*******", "********", "********");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("**********", $con);

$sql = "DELETE FROM PREP_NEWS WHERE DB_ID = $d_ID ";

if (!mysql_query($sql, $con)) {
    die('Error: ' . mysql_error());
}
mysql_close($con);
header('Location:http://*************/prep_admin/display_news.php');

?>

I've tried putting $d_id in the delete statement in single quotes... no luck.

Re: Delete Record via URL Variable

Posted: Fri Sep 10, 2010 2:29 pm
by Reviresco

<?php
$d_ID = $_GET['d_id'];

$con = mysql_connect("*******", "********", "********");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("**********", $con);

$sql = "DELETE FROM PREP_NEWS WHERE DB_ID = '$d_ID' ";

if (!mysql_query($sql, $con)) {
    die('Error: ' . mysql_error());
}
mysql_close($con);
header('Location:http://*************/prep_admin/display_news.php');

?>

Re: Delete Record via URL Variable

Posted: Fri Sep 10, 2010 6:52 pm
by John Cartwright
Note the following script would allow for SQL injection.

For instance, imagine someone put

delete_news.php?d_id=' OR '1' = '1

which creates...

$sql = "DELETE FROM PREP_NEWS WHERE DB_ID = '' OR '1' = '1' ";

which deletes your entire table's contents.

Simple solution: if you are expecting an integer, cast it to an integer through (int) or intval(). Furthermore, be sure to pass ALL USER INPUT through mysql_real_escape_string().

Google has a ton of information on the subject if you require further explanation.
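As an added illustration of the advice above (example code, not from any poster in this thread): the first two functions show the query the thread's script builds for the injected d_id and what the (int) cast does to it; the third is a delete_news.php body using PDO prepared statements, a technique the thread does not mention, shown here as the modern equivalent of escaping. Table and column names are the thread's own; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the thread's code. No database is needed for the
// two query-building functions; deleteNews() assumes a PDO connection.

function vulnerableSql(string $d_id): string
{
    // Exactly what the posted delete_news.php interpolates: a value
    // containing a quote ends the literal and the rest becomes SQL.
    return "DELETE FROM PREP_NEWS WHERE DB_ID = '$d_id' ";
}

function castSql(string $d_id): string
{
    // DB_ID is numeric, so the value is cast first. A payload such as
    // "' OR '1' = '1" has no leading digits and casts to 0, which
    // matches no row; "42abc" casts to 42. No quoting is needed because
    // only digits can reach the query.
    $id = (int) $d_id;
    return "DELETE FROM PREP_NEWS WHERE DB_ID = $id";
}

// Prepared-statement version: the id is validated, then bound as a
// parameter, so user input can never alter the statement's structure.
function deleteNews(PDO $pdo, string $rawId): int
{
    // Reject anything that is not a positive integer before touching the DB.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0; // nothing deleted
    }
    $stmt = $pdo->prepare('DELETE FROM PREP_NEWS WHERE DB_ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // rows actually removed
}

// The injected value from the post above, run through both builders.
$injected = "' OR '1' = '1";
echo vulnerableSql($injected), "\n";
echo castSql($injected), "\n";
echo castSql("42"), "\n";

// Wiring for delete_news.php (placeholder DSN and credentials):
// $pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASS');
// $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// deleteNews($pdo, $_GET['d_id'] ?? '');
// header('Location: /prep_admin/display_news.php');
```

Comparing the three echoed lines shows the difference between a value that is interpolated and one that has been coerced to an integer; the PDO version goes further by keeping the value out of the SQL text entirely.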