Cannot figure out what is wrong with DELETE command
Posted: Sat Aug 30, 2003 5:00 pm
by URWhatUXpress
This is the code I am working with:
$pemail = $_POST['email'];
$query = "DELETE FROM hope WHERE email = $pemail";
Now, I tested and $pemail is receiving the var. from the post form, so I am assuming that my problem is in the query syntax, since the error message I set up keeps coming up when I run this portion of the script.
Thank you in advance for any help with this. Let me know if you need more of the source code.
{ d }
quotes
Posted: Sat Aug 30, 2003 5:20 pm
by phpScott
It is probably a quote issue. In mysql you need to put quotes around variables that are strings.
So try
$query = "DELETE FROM hope WHERE email = '$pemail'";
Notice the ' ' around $pemail.
try it and see what happens.
phpScott
Posted: Sat Aug 30, 2003 5:24 pm
by URWhatUXpress
Thank you so much, that worked like a charm.
{ d }
Posted: Sat Aug 30, 2003 7:13 pm
by m3rajk
As I found out the hard way: the only time you don't need (but even then it doesn't hurt) to put it in '' or "" is when you're sending NUMBERS.
Posted: Sat Aug 30, 2003 8:32 pm
by McGruff
m3rajk wrote: As I found out the hard way: the only time you don't need (but even then it doesn't hurt) to put it in '' or "" is when you're sending NUMBERS.
Just to clarify, for security reasons, you should always quote integer vars as well. If the var was obtained from user input, it might not be an integer at all.
Also, never put vars in db queries unless they have either been escaped or intval()'d. This, and quotes, are essential steps to protect against query hijacking.
Posted: Sun Aug 31, 2003 12:11 am
by URWhatUXpress
Thanks for all that advice. This really helps me out.
{ d }
Posted: Sun Aug 31, 2003 11:48 am
by m3rajk
McGruff wrote: m3rajk wrote: As I found out the hard way: the only time you don't need (but even then it doesn't hurt) to put it in '' or "" is when you're sending NUMBERS.
Just to clarify, for security reasons, you should always quote integer vars as well. If the var was obtained from user input, it might not be an integer at all.
Also, never put vars in db queries unless they have either been escaped or intval()'d. This, and quotes, are essential steps to protect against query hijacking.
I did that just to be safe. And everything that is input that isn't done via a select box that gives me a number, I "clean" with a function made specifically for that.
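The following is an added example, not code posted by anyone in this thread: it takes the original DELETE from the first post and applies what McGruff's reply asks for (never putting a raw variable into the query text, intval() for numeric input) together with the kind of "clean" function m3rajk mentions for the e-mail field. The table name hope and column email come from the original post; the PDO connection details are placeholders, and PDO itself postdates this thread, so it is a modern substitute for the mysql_* calls the posters would have used. The point it shows is that quoting the value (the fix that "worked like a charm") only makes the query syntactically valid; a prepared statement is what keeps a quote character inside the submitted e-mail from changing the query's meaning.

```php
<?php
// Added example, not from the thread. Table "hope" and column "email" are
// from the original post; connection values below are placeholders.
declare(strict_types=1);

/**
 * Validate the e-mail field. This plays the role of the "clean" function
 * m3rajk describes: reject anything that is not a well-formed address
 * instead of trying to escape arbitrary input.
 */
function cleanEmail(string $raw): ?string
{
    $trimmed = trim($raw);
    return filter_var($trimmed, FILTER_VALIDATE_EMAIL) === false ? null : $trimmed;
}

/**
 * Coerce a value that must be a positive integer (e.g. an id coming from a
 * select box). intval() as McGruff suggests, with a digits-only check first
 * so that junk input does not silently become 0 and match the wrong row.
 */
function cleanId(string $raw): ?int
{
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    $id = intval($raw);
    return $id > 0 ? $id : null;
}

/**
 * The DELETE from the first post, as a prepared statement. The e-mail value
 * is sent separately from the SQL text, so quotes or other characters in it
 * cannot alter the WHERE clause. Returns the number of rows deleted.
 */
function deleteByEmail(PDO $db, string $email): int
{
    $stmt = $db->prepare('DELETE FROM hope WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->rowCount();
}

// ---- request handling ---------------------------------------------------
$email = cleanEmail($_POST['email'] ?? '');
if ($email === null) {
    http_response_code(400);
    exit('Invalid e-mail address.');
}

// Placeholder DSN and credentials; replace with the real ones.
$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface SQL errors instead of the silent failure in the original post
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]
);

$deleted = deleteByEmail($db, $email);
echo "Deleted $deleted row(s).";
```

cleanId() is included for the numeric case the later replies argue about: intval() alone would turn a non-numeric string into 0, which is why the function checks for digits first and rejects zero. With a prepared statement the quoting question disappears entirely, since the driver, not string interpolation, decides how the value reaches the server.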