MySQL Query Problem

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

cbrian
Forum Commoner
Posts: 97
Joined: Sun Feb 27, 2005 12:29 pm

MySQL Query Problem

Post by cbrian »

Code:

    if($_REQUEST['delete'] == "yes") {
        $id = $_POST['id'];
        $if = mysql_query("SELECT * FROM mail WHERE `id`='$id' AND `to`='$userid' AND `flag`='0'");
        /*$if = mysql_fetch_array($if);
        $if = $if[0]; */
        if(mysql_num_rows($if) <= 0) {
            print("You can't delete that mail!");
        } else {
            mysql_query("DELETE FROM users WHERE id='$id'");
        }
    }
It returns "You can't delete that mail!" even though it is in the database just like that.
Last edited by cbrian on Sun Mar 20, 2005 5:24 pm, edited 1 time in total.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Echo out your query. And please work on making better topic titles. Thanks.
cbrian
Forum Commoner
Posts: 97
Joined: Sun Feb 27, 2005 12:29 pm

Post by cbrian »

What do you mean by echo out my query?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Code:

    echo "SELECT * FROM mail WHERE `id`='$id' AND `to`='$userid' AND `flag`='0'";

I'd bet $userid is blank.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Why are you checking to see if there are fewer than 0 rows found?

Change <= to ==.
cbrian
Forum Commoner
Posts: 97
Joined: Sun Feb 27, 2005 12:29 pm

Post by cbrian »

I found the problem. It was here:

Code:

    $id = $_POST['id'];

It should be

Code:

    $id = $_REQUEST['id'];
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

cbrian wrote:
> I found the problem. It was here:
>
>     $id = $_POST['id'];
>
> It should be
>
>     $id = $_REQUEST['id'];

Or even just use $_GET['id'] within the query. No need to use another variable if it's only going to be used once.
magicrobotmonkey
Forum Regular
Posts: 888
Joined: Sun Mar 21, 2004 1:09 pm
Location: Cambridge, MA

Post by magicrobotmonkey »

Although you should probably scrub that variable before putting it into a query.
Todd_Z
Forum Regular
Posts: 708
Joined: Thu Nov 25, 2004 9:53 pm
Location: U Michigan

Post by Todd_Z »

Speaking of scrubbing, what are ways to exploit SQL queries that could be harmful? I'm logging my SQL so that I can see if anything fishy is going on, but I have no catches at the moment, so if someone does try to screw me over, I'm not protected. Anyway, are there any specific things that people do to ensure no dropping or any other problems that may occur?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Just validate your variables for what you are expecting.

If you're expecting a number, check that your var is numbers only.
If you're expecting a string, check that your var is only a string.

To be safe you should always mysql_real_escape_string your queries, and strip possible harmful attacks, which usually include <, / etc.
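Added worked example, not code from anyone in this thread: it shows concretely what Todd_Z is asking about and what John Cartwright's "validate for what you expect" advice prevents. The thread's code is PHP with the old mysql_* extension (removed in PHP 7.0) and needs a MySQL server, so the example rebuilds the first post's check-then-delete pattern in Python against an in-memory SQLite database standing in for MySQL. The `mail` table rows, the column names `sender`/`to`/`flag`, the user name bob and the payload are all constructed for the example, and the DELETE is pointed at `mail`, the table the ownership check reads, rather than the `users` table in the first post. The vulnerable function interpolates the untrusted id exactly as the PHP does, so an id of `3' OR '1'='1` passes the ownership check and then wipes every row; the hardened function requires a digits-only id and binds it as a parameter so the value can never be parsed as SQL.

```python
import re
import sqlite3

# Constructed sample rows for a `mail` table shaped like the one in the thread:
# (id, sender, recipient, flag). Names and data are made up for this example.
SAMPLE_MAIL = [
    (1, "alice", "bob", 0),
    (2, "carol", "bob", 0),
    (3, "alice", "dave", 0),
]


def make_db():
    """Fresh in-memory SQLite database standing in for the MySQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mail (id INTEGER PRIMARY KEY, sender TEXT, `to` TEXT, flag INTEGER)"
    )
    conn.executemany("INSERT INTO mail VALUES (?, ?, ?, ?)", SAMPLE_MAIL)
    conn.commit()
    return conn


def delete_mail_vulnerable(conn, user_id, mail_id):
    """Same shape as the first post: the request value is pasted into the SQL text.

    AND binds tighter than OR, so an id of  3' OR '1'='1  turns the ownership
    check into  id='3' OR ('1'='1' AND `to`=... AND flag='0'), which is true
    for any row the user owns, and turns the DELETE into  id='3' OR '1'='1',
    which is true for every row in the table.
    """
    check = (
        f"SELECT * FROM mail WHERE `id`='{mail_id}' "
        f"AND `to`='{user_id}' AND `flag`='0'"
    )
    if len(conn.execute(check).fetchall()) == 0:
        return "You can't delete that mail!"
    conn.execute(f"DELETE FROM mail WHERE id='{mail_id}'")
    conn.commit()
    return "deleted"


def delete_mail_safe(conn, user_id, mail_id):
    """Validate the type first (a mail id is ASCII digits only), then bind parameters.

    Folding the ownership test into the DELETE itself also removes the
    check-then-act window the two-query version has.
    """
    if not isinstance(mail_id, str) or not re.fullmatch(r"[0-9]+", mail_id):
        return "invalid id"
    cur = conn.execute(
        "DELETE FROM mail WHERE id=? AND `to`=? AND flag=0",
        (int(mail_id), user_id),
    )
    conn.commit()
    return "deleted" if cur.rowcount == 1 else "You can't delete that mail!"


def remaining_ids(conn):
    """Ids still in the table, to see what each version actually removed."""
    return [row[0] for row in conn.execute("SELECT id FROM mail ORDER BY id")]


if __name__ == "__main__":
    payload = "3' OR '1'='1"  # mail 3 belongs to dave, not bob
    db = make_db()
    print(delete_mail_vulnerable(db, "bob", payload), remaining_ids(db))
    db = make_db()
    print(delete_mail_safe(db, "bob", payload), remaining_ids(db))
    print(delete_mail_safe(db, "bob", "3"), remaining_ids(db))
    print(delete_mail_safe(db, "bob", "1"), remaining_ids(db))
```

Escaping with mysql_real_escape_string inside the quotes is the 2005 answer and does stop this particular payload, but it still leaves the query built from strings, so one missed quote mark reopens the hole. Bound parameters (mysqli or PDO prepared statements in PHP, the `?` placeholders above) keep data and SQL separate regardless of what the value contains, and the numeric check in front of them stops garbage ever reaching the database, which also makes Todd_Z's query log easier to read.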