This is the code I am working with:
$pemail = $_POST['email'];
$query = "DELETE FROM hope WHERE email = $pemail";
Now, I tested and $pemail is receiving the var. from the post form, so I am assuming that my problem is in the query syntax, since the error message I set up keeps coming up when I run this portion of the script.
Thank you in advance for any help with this. Let me know if you need more of the source code.
Cannot figure out what is wrong with DELETE command
- URWhatUXpress
- Forum Newbie
- Posts: 11
- Joined: Sat Aug 30, 2003 5:00 pm
- Location: Grand Rapids, MI
quotes
It is probably a quote issue. In mysql you need to put quotes around variables that are strings.
So try
$query = "DELETE FROM hope WHERE email = '$pemail'";
notice the ' ' around $pemail
try it and see what happens.
phpScott
m3rajk wrote:
as i found out the hard way: the only time you don't need (but even then it doesn't hurt) to put it in '' or "" is when you're sending NUMBERS
Just to clarify, for security reasons, you should always quote integer vars as well. If the var was obtained from user input, it might not be an integer at all.
Also, never put vars in db queries unless they have either been escaped or intval() 'd. This, and quotes, are essential steps to protect against query hijacking.
McGruff
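As an added example (not code posted in this thread), the following PHP puts the original interpolated DELETE next to the quoted version phpScott suggested and next to a version that binds the value as a parameter, and runs all of them against a small in-memory SQLite table so the behaviour can be observed offline. It assumes PHP 7 or later with the pdo_sqlite extension. Table and column names ("hope", "email") come from the thread; the rows, the id column and the input values are constructed for the demo. Bound parameters are used in place of the manual escaping the thread mentions; intval() is used as McGruff describes.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 with pdo_sqlite.
// Table/column names follow the thread ("hope", "email"); the id column,
// the rows and the input values are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE hope (id INTEGER PRIMARY KEY, email TEXT NOT NULL)");
$db->exec("INSERT INTO hope (email) VALUES ('alice@example.com'), ('bob@example.com')");

// 1. The OP's form: no quotes, the value is spliced into the SQL text.
//    The database reads alice@example.com as identifiers and operators,
//    not as a string, so the statement fails and the row stays.
function deleteUnquoted(PDO $db, string $email): ?string
{
    $query = "DELETE FROM hope WHERE email = $email";
    try {
        $db->exec($query);
        return null;                 // statement ran
    } catch (PDOException $e) {
        return $e->getMessage();     // the error path the OP kept hitting
    }
}

// 2. phpScott's fix: quotes make ordinary addresses work. The value is
//    still part of the SQL text, though, so a single quote inside it (a
//    legitimate address such as o'brien@example.com, or whatever else a
//    user submits) ends the literal early and the remainder is parsed as
//    SQL. That is the hazard McGruff calls query hijacking; here it
//    surfaces as a syntax error.
function deleteQuotedOnly(PDO $db, string $email): ?string
{
    $query = "DELETE FROM hope WHERE email = '$email'";
    try {
        $db->exec($query);
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

// 3. Hardened form: check the shape of the input, then bind it as a
//    parameter. The driver sends the value separately from the SQL text,
//    so it is always treated as data, quotes included. Binding stands in
//    for the manual escaping the thread mentions; validation is in
//    addition to it, not instead of it.
function deleteByEmail(PDO $db, string $email): int
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not an e-mail address');
    }
    $stmt = $db->prepare("DELETE FROM hope WHERE email = :email");
    $stmt->execute([':email' => $email]);
    return $stmt->rowCount();        // rows actually deleted
}

// 4. McGruff's integer point: a value that "should" be a number may not be
//    one when it comes from a form. Coerce with intval() and bind it as an
//    integer, so a non-numeric string becomes 0 and matches nothing.
function deleteById(PDO $db, $id): int
{
    $stmt = $db->prepare("DELETE FROM hope WHERE id = :id");
    $stmt->bindValue(':id', intval($id), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Demo with constructed inputs: the first two calls report the database
// error, the bound versions run without error and report the row count.
printf("unquoted: %s\n", deleteUnquoted($db, 'alice@example.com') ?? 'ok');
printf("quoted only: %s\n", deleteQuotedOnly($db, "o'brien@example.com") ?? 'ok');
printf("bound, address not in table: %d row(s)\n", deleteByEmail($db, "o'brien@example.com"));
printf("bound, address in table: %d row(s)\n", deleteByEmail($db, 'alice@example.com'));
printf("by id, non-numeric form value: %d row(s)\n", deleteById($db, 'not-a-number'));
printf("by id, numeric form value: %d row(s)\n", deleteById($db, '2'));
```

The two string-building functions are kept only to show why the OP's error appears and why quoting alone is not enough; in real code the deleteByEmail/deleteById shape is the one to use, and the error branch should log the exception rather than echo the driver message to the user.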
McGruff wrote:
m3rajk wrote:
as i found out the hard way: the only time you don't need (but even then it doesn't hurt) to put it in '' or "" is when you're sending NUMBERS
Just to clarify, for security reasons, you should always quote integer vars as well. If the var was obtained from user input, it might not be an integer at all.
Also, never put vars in db queries unless they have either been escaped or intval() 'd. This, and quotes, are essential steps to protect against query hijacking.
I did that just to be safe. And everything that is input that isn't done via a select box that gives me a number, I "clean" with a function made specifically for that.