Page 1 of 1

broken code after register globals are off

Posted: Thu Apr 17, 2003 2:10 pm
by decoy1
Hi,

The following (abbreviated) code used to work before register globals was turned off, now it doesn't. Actually the update part works, the delete part doesn't. I've gone through a ton of code and was able to fix everything but this.

The while loop justs pulls the links from the db and displays them. I pass the variable $task=delete_link in the querystring to invoke the top block of code. Simple stuff, but not working after upgrading to 4.2

Code: Select all

if($task == 'delete_link')  
{ 
  $sql = "DELETE FROM links WHERE linkid = $linkid";
  $result = mysql_query($sql); 
  if(!$result)
  {
    echo("ERROR: " . mysql_error() . "\n$sql\n");
    exit();
  }
}

$sql = "SELECT * FROM links order by linkid asc"; 
$result = mysql_query($sql);
while($myrow = mysql_fetch_array($result))
{ 
  $linkname = $myrow["name"]; 
  $linkid = $myrow["linkid"]; 
  echo "<tr>"; 
  echo "<td>$linkname</td>\n"; 
  echo "<td><A HREF="update.php?linkid=$linkid" class=mediumbold>Edit</a></td>"; 
  echo "<td><A HREF="admin.php?linkid=$linkid&task=delete_link" class=mediumbold>Delete</a></td>"; 
  echo "</tr>"; 
}
Can someone point me in the right direction?

Thanks :)

Posted: Thu Apr 17, 2003 2:38 pm
by McGruff
With register globals off, you need to write query string vars like $task in this way: $_GET['task']

So replace:

if($task == 'delete_link')

with..

if($_GET['task'] == 'delete_link')

Also, where does $linkid come from? If it's in the global scope you can get it into a function scope with $GLOBALS['linkid']. I don't know the rest of your code though - that might not be necessary.

Posted: Thu Apr 17, 2003 2:46 pm
by decoy1
Hi there,

The linkid comes directly from the query. You can see in my first post. Also, I tried doing

Code: Select all

if($_GET['task'] == 'delete_link')
from the start thinking that was the problem, but always got and sql error on that line?

Posted: Thu Apr 17, 2003 3:01 pm
by twigletmac
What was the error you got?

Mac

Posted: Thu Apr 17, 2003 3:15 pm
by decoy1
Hi,
This is the error...
ERROR: You have an error in your SQL syntax near '' at line 1 DELETE FROM links WHERE linkid =

This happens when I use

Code: Select all

if($_GET['task'] == 'delete_link')
Obviously it doesn't recognize $linkid when I use that. Driving me nuts

Posted: Thu Apr 17, 2003 3:44 pm
by volka
just think about it. if you had to replace
if($task == 'delete_link')
by

Code: Select all

if($_GET['task'] == 'delete_link')
what need's to be done with
$sql = "DELETE FROM links WHERE linkid = $linkid";
?
You have 1 guess ;)
Just one tip: start from

Code: Select all

$sql = "DELETE FROM links WHERE linkid = " . $linkid;
otherwise you might get another error if you implement the changes straight forward.

and please read: Sticky: Before Post Read: Concerning Passing Variables in PHP 4.2+

Posted: Thu Apr 17, 2003 4:32 pm
by decoy1
Hi,

I read the sticky posts and it didn't help. There were a ton of things broken when I first upgraded and I've got them all addressed, its just this one thing. I don't know if I need to sleep on it or what, but It's not registering.

Could you tell me how to fix it? :D

Posted: Thu Apr 17, 2003 4:50 pm
by volka
try

Code: Select all

$sql = "DELETE FROM links WHERE linkid=".$_GET['linkid'];
or even better

Code: Select all

$sql = "DELETE FROM links WHERE linkid=".(int)$_GET['linkid'];
(linkid is a numerical field in your table?)

Posted: Thu Apr 17, 2003 5:01 pm
by decoy1
Man...that worked and boy do I feel stupid :oops:

After your last post I immediately did this

Code: Select all

$sql = "DELETE FROM links WHERE linkid=".$_GET['linkid'];
But wasn't using

Code: Select all

if($_GET['task'] == 'delete_link')
and THEN did it vice versa, never using them at the same time. I'ts so obvious now.

I'll slink off now. Thanks to you and everyone else for your time, much appreciated.

Posted: Thu Apr 17, 2003 6:42 pm
by McGruff
One tiny amendment:

$sql = "DELETE FROM links WHERE linkid='".$_GET['linkid']."'";

I half-remember being advised always to enclose column vars in single quotes (even numerical input) for security reasons. Think it's something to do with query injection ie forcing mysql to treat the item as a string so that any ";" are neutralised.

I guess the (int) cast achieves much the same thing though - just thought I'd mention another option.

Posted: Fri Apr 18, 2003 4:02 am
by volka
if you're passing user input as a string to mysql, you should use something like mysql_escape_string()

http://www.php.net/manual/en/function.m ... string.php