PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
Can anyone tell me what's wrong with this code? When I try to delete a "news" item it says that the "news" was deleted, but the "news" is still in the table:
if (mysql_query("DELETE FROM lajmet WHERE id='$id'"))
{
echo "News deleted";
}
else
{
echo "Epic fail :-(";
}
Oh, and by the way: deleting rows based on an ID directly specified by the user seems tricky business to me. Besides the fact that you don't escape anything, so your code is extremely vulnerable to SQL injections.
if (isset($id))
{
mysql_query("DELETE FROM lajmet WHERE id='$id'");
if (mysql_query("DELETE FROM lajmet WHERE id='$id'"))
{
echo "News deleted";
}
else
{
echo "Epic fail :-(";
}
}
Based on what do you suggest to delete the rows?
By the way:
When I use this code everything is OK and the news is deleted, but I don't want to use it, because when I delete a news item the message and the table are shown at the same time. I want that when I click Delete, only the message is shown, not the table:
Remove the first mysql_query() call. You'd be better off refactoring your code to include some debugging info, such as using mysql_query($query) or die(mysql_error()). Also, you should really sort out your security vulnerabilities as Apollo said.
Again, use "or die(mysql_error())" after the mysql_select_db() call. Don't use quotes around your database name variable. Have you actually established a database connection and saved the handle to $lidhja?
Use mysql_real_escape_string() to safe-guard against SQL injection.
These points I am raising are extremely common. I have brought them up about 3 times in the last couple of days. Simply searching Google or reading the PHP manual would have told you all this and more.
Look, when I delete the code on line 49, the news doesn't get deleted. Why doesn't line 23 work for the whole code, so that I have to use the same code twice?
MicroBoy wrote: Based on what do you suggest to delete the rows?
1. An escaped id, not just a plain id from the URL. What do you think will happen if some smartass fills in id=1'; DELETE * FROM lajmet; ?
Use mysql_real_escape_string. Or in the case of a numeric ID, use intval.
2. Not an id that can be freely chosen by the user. Someone can call the delete script with id=1, id=2, etc. Why would you allow that? So verify / validate the id.
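The following is an added example, not code posted by anyone in this thread, that pulls together the advice from the two replies above (validate the id as an integer, do not let the caller pick any row, surface database errors instead of swallowing them). It uses mysqli prepared statements in place of mysql_real_escape_string(), because the mysql_* extension used in the thread was removed in PHP 7. It assumes the table lajmet has an integer id column plus a hypothetical author_id column, that $lidhja is a mysqli connection, and that $_SESSION['user_id'] identifies the logged-in user; the connection credentials are placeholders. It also checks affected_rows, because a DELETE that matches zero rows still "succeeds" as far as the query call is concerned, which is exactly why the original code can print "News deleted" while the row is still there.

```php
<?php
// Added example (not from the thread): a hardened version of the delete handler.
// Assumptions: table `lajmet` has integer columns `id` and `author_id`
// (author_id is hypothetical; the thread only shows `id`); $lidhja is a mysqli
// connection; $_SESSION['user_id'] holds the logged-in user's id.
declare(strict_types=1);
session_start();

function deleteNews(mysqli $lidhja, int $id, int $userId): bool
{
    // The ownership condition lives in the WHERE clause: a row is only removed
    // if it belongs to the caller, so walking id=1, id=2, ... deletes nothing
    // that isn't theirs. Bound parameters mean no quoting/escaping of $id.
    $stmt = $lidhja->prepare('DELETE FROM lajmet WHERE id = ? AND author_id = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $lidhja->error);   // the "or die(mysql_error())" idea, logged instead of echoed
        return false;
    }
    $stmt->bind_param('ii', $id, $userId);
    if (!$stmt->execute()) {
        error_log('execute failed: ' . $stmt->error);
        $stmt->close();
        return false;
    }
    // A DELETE that matches no rows is still a successful query; only report
    // success when a row actually went away.
    $deleted = ($stmt->affected_rows === 1);
    $stmt->close();
    return $deleted;
}

// Only act on POST, so a crawler or a pasted link cannot trigger a delete.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit;
}

// FILTER_VALIDATE_INT rejects anything that is not a whole number (e.g. the
// "1'; DELETE ..." payload from the thread): false for bad input, null if absent.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    echo 'Invalid id';
    exit;
}

$lidhja = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholder credentials
if ($lidhja->connect_error) {
    error_log('connect failed: ' . $lidhja->connect_error);
    echo 'Epic fail :-(';
    exit;
}

if (deleteNews($lidhja, $id, (int) $_SESSION['user_id'])) {
    echo 'News deleted';
} else {
    echo 'Epic fail :-(';
}
```

If numeric-only ids are all you ever expect, the filter_input() step is the equivalent of the intval() suggestion above, with the advantage that garbage like "abc" is rejected rather than silently becoming 0; the prepared statement then makes escaping a non-issue regardless of what the value contains.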