MySQL Query Problem

Posted: Sun Mar 20, 2005 5:19 pm
by cbrian

if($_REQUEST['delete'] == "yes") {
    $id = $_POST['id'];
    // look for a mail row with this id that belongs to $userid and is not flagged
    $if = mysql_query("SELECT * FROM mail WHERE `id`='$id' AND `to`='$userid' AND `flag`='0'");
    /*$if = mysql_fetch_array($if);
    $if = $if[0]; */
    if(mysql_num_rows($if) <= 0) {
        print("You can't delete that mail!");
    } else {
        // note: the SELECT above checks `mail`, but this DELETE targets `users`
        mysql_query("DELETE FROM users WHERE id='$id'");
    }
}
It returns "You can't delete that mail!" even though it is in the database just like that.

Posted: Sun Mar 20, 2005 5:20 pm
by feyd
echo out your query.. and please work on making better topic titles.. thanks.

Posted: Sun Mar 20, 2005 5:24 pm
by cbrian
What do you mean by echo out my query?

Posted: Sun Mar 20, 2005 5:27 pm
by feyd

echo "SELECT * FROM mail WHERE `id`='$id' AND `to`='$userid' AND `flag`='0'";
:roll:

I'd bet $userid is blank.

Posted: Sun Mar 20, 2005 6:37 pm
by John Cartwright
why are you checking to see if there are less than 0 rows found?

change <= to ==

Posted: Sun Mar 20, 2005 7:04 pm
by cbrian
I found the problem. It was here:

$id = $_POST['id'];
It should be

$id = $_REQUEST['id'];

Posted: Sun Mar 20, 2005 7:07 pm
by d3ad1ysp0rk
cbrian wrote: I found the problem. It was here:

$id = $_POST['id'];
It should be

$id = $_REQUEST['id'];
Or even just use $_GET['id'] within the query. No need to use another variable if it's only going to be used once.

Posted: Sun Mar 20, 2005 7:26 pm
by magicrobotmonkey
although you should probably scrub that variable before putting it into a query

Posted: Sun Mar 20, 2005 7:56 pm
by Todd_Z
Speaking of scrubbing, what are ways to exploit SQL queries that could be harmful... I'm logging my SQL so that I can see if anything fishy is going on, but I have no catches at the moment, so if someone does try to screw me over, I'm not protected. Anyway, are there any specific things that people do to ensure no dropping or any other problems that may occur?

Posted: Sun Mar 20, 2005 8:14 pm
by John Cartwright
just validate your variables for what you are expecting..

if you're expecting a number.. check if your var is numbers only
if you're expecting a string.. check if your var is only a string

to be safe you should always mysql_real_escape_string your queries, and strip possible harmful attacks, that usually include <, / etc.
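As an added example (not code from anyone in this thread), here is cbrian's delete handler rewritten the way John Cartwright's advice points: validate the id as an integer before it goes anywhere near SQL, then send the values separately from the query text with a prepared statement instead of string-building around mysql_real_escape_string. The mysql_* functions used above were removed in PHP 7, so this uses PDO. Assumed: a table named mail with columns id, to and flag, and a $userid already established from the session; the demo at the bottom builds that table in an in-memory SQLite database with constructed rows so it runs offline.

```php
<?php
declare(strict_types=1);

/**
 * Delete one mail row on behalf of $userid.
 * $request stands in for $_REQUEST (or $_POST / $_GET); $db is an open PDO connection.
 */
function deleteMail(PDO $db, int $userid, array $request): string
{
    // Only act on an explicit delete request, as the original snippet did.
    if (($request['delete'] ?? '') !== 'yes') {
        return 'nothing to do';
    }

    // Validate for what we expect: a positive integer. filter_var returns false
    // for anything else (empty, "3abc", "1 OR 1=1"), so tainted text never
    // reaches the query at all.
    $id = filter_var(
        $request['id'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return 'invalid id';
    }

    // One parameterised DELETE replaces the SELECT-then-DELETE pair: the
    // ownership (`to`) and flag checks live in the WHERE clause, and the values
    // travel separately from the SQL text, so escaping is not our job here.
    // `to` is backticked because TO is a reserved word in MySQL.
    $stmt = $db->prepare(
        'DELETE FROM mail WHERE id = :id AND `to` = :to AND flag = 0'
    );
    $stmt->execute([':id' => $id, ':to' => $userid]);

    // rowCount() tells us whether a matching row existed AND belonged to this
    // user, which is the question the original mysql_num_rows() check asked.
    return $stmt->rowCount() === 1 ? 'deleted' : "You can't delete that mail!";
}

if (PHP_SAPI === 'cli') {
    // Constructed demo data (assumption: same columns as the thread's mail table).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mail (id INTEGER PRIMARY KEY, `to` INTEGER, flag INTEGER)');
    $db->exec('INSERT INTO mail VALUES (1, 7, 0), (2, 8, 0), (3, 7, 1)');

    $cases = [
        ['delete' => 'yes', 'id' => '1'],        // user 7's own unflagged mail -> deleted
        ['delete' => 'yes', 'id' => '2'],        // belongs to user 8          -> refused
        ['delete' => 'yes', 'id' => '3'],        // user 7's, but flag = 1     -> refused
        ['delete' => 'yes', 'id' => '1 OR 1=1'], // not an integer             -> rejected before SQL
        ['delete' => 'no',  'id' => '1'],        // no delete requested        -> nothing to do
    ];
    foreach ($cases as $req) {
        printf("id=%-12s -> %s\n", var_export($req['id'], true), deleteMail($db, 7, $req));
    }
}
```

Run it with `php deletemail.php` (any filename). The two defences are independent: the integer validation rejects anything that is not a plain id, and the prepared statement would keep a string id from being interpreted as SQL even if the validation were missing. The same pattern applies to the SELECT in the original post: bind `$id` and `$userid` as parameters rather than interpolating them.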