cbrian
Forum Commoner
Posts: 97 Joined: Sun Feb 27, 2005 12:29 pm
by cbrian » Sun Mar 20, 2005 5:19 pm
Code:
if($_REQUEST['delete'] == "yes") {
    $id = $_POST['id'];
    // Check that the mail exists, belongs to the current user and is not flagged
    $if = mysql_query("SELECT * FROM mail WHERE `id`='$id' AND `to`='$userid' AND `flag`='0'");
    /*$if = mysql_fetch_array($if);
    $if = $if[0]; */
    if(mysql_num_rows($if) <= 0) {
        print("You can't delete that mail!");
    } else {
        // Note: this deletes from `users`, not from `mail`, which the SELECT above checked
        mysql_query("DELETE FROM users WHERE id='$id'");
    }
}
It returns "You can't delete that mail!" even though it is in the database just like that.
Last edited by cbrian on Sun Mar 20, 2005 5:24 pm, edited 1 time in total.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Sun Mar 20, 2005 5:20 pm
echo out your query.. and please work on making better topic titles.. thanks.
cbrian
Forum Commoner
Posts: 97 Joined: Sun Feb 27, 2005 12:29 pm
by cbrian » Sun Mar 20, 2005 5:24 pm
What do you mean by echo out my query?
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Sun Mar 20, 2005 5:27 pm
Code:
echo "SELECT * FROM mail WHERE `id`='$id' AND `to`='$userid' AND `flag`='0'";
I'd bet $userid is blank.
John Cartwright
Site Admin
Posts: 11470 Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
by John Cartwright » Sun Mar 20, 2005 6:37 pm
why are you checking to see if there are less than 0 rows found?
change <= to ==
cbrian
Forum Commoner
Posts: 97 Joined: Sun Feb 27, 2005 12:29 pm
by cbrian » Sun Mar 20, 2005 7:04 pm
I found the problem. It was here:
It should be
d3ad1ysp0rk
Forum Donator
Posts: 1661 Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA
by d3ad1ysp0rk » Sun Mar 20, 2005 7:07 pm
cbrian wrote: I found the problem. It was here:
It should be
Or even just use $_GET['id'] within the query. No need to use another variable if it's only going to be used once.
magicrobotmonkey
Forum Regular
Posts: 888 Joined: Sun Mar 21, 2004 1:09 pm
Location: Cambridge, MA
by magicrobotmonkey » Sun Mar 20, 2005 7:26 pm
although you should probably scrub that variable before putting it into a query
Todd_Z
Forum Regular
Posts: 708 Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan
by Todd_Z » Sun Mar 20, 2005 7:56 pm
Speaking of scrubbing, what are ways to exploit SQL queries that could be harmful... I'm logging my SQL so that I can see if anything fishy is going on, but I have no catches at the moment, so if someone does try to screw me over, I'm not protected. Anyways, so are there any specific things that people do to ensure no dropping or any other problems that may occur?
John Cartwright
Site Admin
Posts: 11470 Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
by John Cartwright » Sun Mar 20, 2005 8:14 pm
just validate your variables for what you are expecting..
if you're expecting a number.. check if your var is numbers only
if you're expecting a string .. check if your var is only a string
to be safe you should always mysql_real_escape_string your queries, and strip possible harmful attacks, that usually include <, / etc.
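The validation advice above, applied to the delete from the original post, as an added example (not code posted in this thread). It assumes a mysqli connection in $link, the current user's id in $userid, and a `mail` table with the columns `id`, `to` and `flag` used in the original query; the ownership check is folded into the DELETE itself, and a prepared statement replaces string escaping.

```php
<?php
// Added example, not from the thread: validate the id first, then run a
// parameterised DELETE that only removes rows owned by the current user.
// Assumed: $link is a mysqli connection, $userid is the logged-in user's id.

// An id is expected to be a positive integer and nothing else.
// Returns the integer on success, or null if the value is not what we expect.
function validateId($raw) {
    // ctype_digit accepts only a non-empty string of decimal digits,
    // so "12" passes but "", "-1", "12 OR 1=1" and arrays do not.
    if (!is_string($raw) || !ctype_digit($raw) || $raw === '0') {
        return null;
    }
    return (int) $raw;
}

// Delete one mail row, but only if it belongs to $userid and is unflagged.
// The ownership check is part of the DELETE rather than a separate SELECT,
// so there is no window between checking the row and deleting it.
// Returns true if exactly one row was removed, false otherwise.
function deleteMail(mysqli $link, $rawId, $userid) {
    $id = validateId($rawId);
    if ($id === null) {
        return false;
    }
    $stmt = $link->prepare(
        "DELETE FROM mail WHERE `id` = ? AND `to` = ? AND `flag` = 0"
    );
    if ($stmt === false) {
        return false;
    }
    // Values are bound, never pasted into the SQL text, so quoting and
    // escaping are handled by the driver ("i" = integer, "s" = string).
    $stmt->bind_param('is', $id, $userid);
    $stmt->execute();
    $deleted = ($stmt->affected_rows === 1);
    $stmt->close();
    return $deleted;
}

// Usage mirroring the original post's flow; the id comes from $_GET as
// the thread settled on.
if (($_REQUEST['delete'] ?? '') === 'yes') {
    if (!deleteMail($link, $_GET['id'] ?? '', $userid)) {
        print("You can't delete that mail!");
    }
}
```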