  1. #1
    SitePoint Member

    Simple MySQL which is stumping me

    Hello everybody,

    I'm making my very first PHP/MySQL app and I'm getting on well so far... except I'm stumped with the following code:

    $cvid = $_GET['cvid'];
    $sql_delete_cv = "DELETE FROM cvdb WHERE ID=$cvid";
    if (@mysql_query($sql_delete_cv)) {
        echo("The CV has been deleted from the database!<br>");
    } else {
        echo("Error deleting CV:" . mysql_error());
    }
    Basically, the page is linked from a main list of CVs:
    echo("$cvname | $cvstamp | <a href='editcv.php?id=$cvid'>Edit</a> | <a href='deletecv.php?id=$cvid'>Delete</a><br>");
    And the deletecv.php page loads fine with the variable of $cvid in the query string of the URL, but the actual MySQL trickery isn't carried out. It gives the following error:

    You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
    I hope you can help me! I very much appreciate it!

    -Sion

  2. #2
    SitePoint Guru
    PHP Code:
    $cvid = $_GET['cvid'];
    $sql_delete_cv = "DELETE FROM cvdb WHERE ID=$cvid";
    if (@mysql_query($sql_delete_cv)) {
        echo("The CV has been deleted from the database!<br>");
    } else {
        echo("Error deleting CV:" . mysql_error());
    }

    Well, the problem is that there is no $_GET["cvid"]. Here's why:

    PHP Code:
    echo("$cvname | $cvstamp | <a href='editcv.php?id=$cvid'>Edit</a> | <a href='deletecv.php?id=$cvid'>Delete</a><br>"); 
    You should call it as $_GET["id"]. HOWEVER, your system is not safe at all.
    You might want to modify your script as follows:

    PHP Code:
    $cvid = $_GET['id'];
    $sql_delete_cv = sprintf("DELETE FROM cvdb WHERE ID='%s'", mysql_escape_string((string) $cvid));
    if (@mysql_query($sql_delete_cv)) {
        echo("The CV has been deleted from the database!<br>");
    } else {
        echo("Error deleting CV:" . mysql_error());
    }

    Or otherwise your script would be open to SQL-injection attacks. Consider reading http://www.sitepoint.com/article/sql...n-attacks-safe.
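
    Added example (not code from either poster): the same deletecv.php handler written so that the two problems raised in this thread, the missing query-string parameter and the unescaped value spliced into the DELETE, are handled explicitly. It assumes the thread's table and column names (cvdb, ID) and uses the mysqli extension with a prepared statement instead of mysql_escape_string; the connection details are placeholders.

```php
<?php
// Added example, not the original poster's code: a hardened deletecv.php.
// Assumes the thread's table/column (cvdb, ID); DB_HOST, DB_USER,
// DB_PASSWORD and DB_NAME are placeholders for a real mysqli connection.

// 1. The list page links to deletecv.php?id=..., so read 'id'. The original
//    read 'cvid', which is absent, so the query became "WHERE ID=" and
//    MySQL reported a syntax error near ''.
if (!isset($_GET['id'])) {
    http_response_code(400);
    exit('Missing CV id.');
}

// 2. Validate the shape of the value: a CV ID is a positive integer, nothing else.
$cvid = filter_var($_GET['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($cvid === false) {
    http_response_code(400);
    exit('Invalid CV id.');
}

// 3. Never splice the value into the SQL text. Bind it as a parameter so the
//    server receives the statement and the data separately.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
if ($db->connect_error) {
    exit('Database connection failed.');
}

$stmt = $db->prepare('DELETE FROM cvdb WHERE ID = ?');
$stmt->bind_param('i', $cvid); // 'i' binds the value as an integer

if ($stmt->execute()) {
    // affected_rows distinguishes "deleted" from "no such row"
    echo $stmt->affected_rows === 1
        ? 'The CV has been deleted from the database!<br>'
        : 'No CV with that ID was found.<br>';
} else {
    // Keep the driver's error text in the server log rather than echoing it to the visitor.
    error_log('deletecv.php: ' . $stmt->error);
    echo 'Error deleting CV.<br>';
}
$stmt->close();
$db->close();
```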

  3. #3
    SitePoint Member
    That's smashing. Works a treat thanks!
