Simple MySQL which is stumping me

[Sion]

Hello everybody,

I'm making my very first PHP/MySQL app and I'm getting on well so far... except I'm stumped with the following code:

$cvid = $_GET['cvid'];
$sql_delete_cv = "DELETE FROM cvdb WHERE ID=$cvid";
if (@mysql_query($sql_delete_cv)) {
echo("The CV has been deleted from the database!<br>");
} else {
echo("Error deleting CV:" . mysql_error());
}

Basically, the page is linked from a main list of CVs:

echo("$cvname | $cvstamp | <a href='editcv.php?id=$cvid'>Edit</a> | <a href='deletecv.php?id=$cvid'>Delete</a><br>");

And the deletecv.php page loads fine with the variable of $cvid in the query string of the URL, but the actual MySQL trickery isn't carried out. It gives the following error:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

I hope you can help me! I very much appreciate it!

-Sion

[Sorccu]

PHP Code:

$cvid = $_GET['cvid'];
$sql_delete_cv = "DELETE FROM cvdb WHERE ID=$cvid";
if (@mysql_query($sql_delete_cv)) {
echo("The CV has been deleted from the database!<br>");
} else {
echo("Error deleting CV:" . mysql_error());
} 


Well, the problem is that there is no $_GET["cvip"]. Here's why:

PHP Code:

echo("$cvname | $cvstamp | <a href='editcv.php?id=$cvid'>Edit</a> | <a href='deletecv.php?id=$cvid'>Delete</a><br>"); 


You should call it as $_GET["id"] HOWEVER, your system is not safe at all.
You might want to modify your script as follows:

PHP Code:

$cvid = $_GET['id'];
$sql_delete_cv = sprintf("DELETE FROM cvdb WHERE ID='%s'",mysql_escape_string((string) $cvid));
if (@mysql_query($sql_delete_cv)) {
  echo("The CV has been deleted from the database!<br>");
} else {
  echo("Error deleting CV:" . mysql_error());
} 


Or otherwise your script would be open to SQL-injection attacks. Consider reading http://www.sitepoint.com/article/sql...n-attacks-safe.

[Sion]

That's smashing. Works a treat thanks!