Get variable not sending

[lostty84]

please i am trying to delete from a table and sending the id through a "get variable", but it is not sending the values which means i cant transfer the values to the delete page.please help me have a look

PHP Code:


<?


$connect = mysql_connect('localhost','xxxxxx','xxxxxx') or die('error connecting: ' . mysql_error());
mysql_select_db('reachea2_registeringmembers')or die('error selecting db: ' . mysql_error());

$pplresult = mysql_query("SELECT * FROM repplac");
echo "<table border='1'><tr><th> SHOP NAME</th><th> PRODUCT NAME</th><th> PRODUCT SIZE</th><th> PRODUCT COLOUR</th><th> PRODUCT QUANTITY</th><th> PRICE</th><th> </th></tr>";
while($row = mysql_fetch_assoc($pplresult)){
echo "<tr><td>" .$row['Sname'] ."</td><td>" .$row['Pname'] ."</td><td>" .$row['Psize'] ."</td><td>" .$row['Pcolour'] ."</td><td>" .$row['Pquantity'] ."</td><td>" .$row['Price'] ."</td><td>" ?>
<a href="deleteproduct.php?del=$row['Pidno']">delete</a></td></tr><?php }
    // table closing tag
echo"</table>"
?>

PHP Code:

<?php
$rowdelete = $_GET['del'];
//echo "$rowdelete";

//open database
$connect = mysql_connect('localhost','xxxxxxx','xxxxxxxx') or die('error connecting: ' . mysql_error());
mysql_select_db('reachea2_registeringmembers')or die('error selecting db: ' . mysql_error());//select database


$queryreg = mysql_query("

DELETE FROM pplac where pidno =   {$rowdelete} LIMIT 1

");
?>

[guido2004]

Check the link in the HTML code of the page in your browser. What do you see?

[lostty84]

checked it but discovered that a escaped php tag, was before the link, so its been rectified guido, thanks

[lostty84]

guido, for the delete scripts itself, its giving this error
Unknown column 't555' in 'where clause'

PHP Code:

<?php
$rowdelete = $_GET['del'];
//echo "$rowdelete";

//open database
$connect = mysql_connect('localhost','xxxxxxx','xxxxx') or die('error connecting: ' . mysql_error());
mysql_select_db('reachea2_registeringmembers')or die('error selecting db: ' . mysql_error());//select database


$delete = mysql_query("DELETE FROM repplac where pidno = {$rowdelete}");
if (mysql_affected_rows() == 1){
echo "yeah";
}else die(mysql_error()); 
?>

[Immerse]

You need to enclose variable values in apostrophes when executing queries, otherwise MySQL will think it's a column name:

PHP Code:

$delete = mysql_query("DELETE FROM repplac where pidno = '{$rowdelete}'"); 


p.s. you need to read up about escaping variables to send to queries, as I could drop your entire database using this! http://php.net/manual/en/function.my...ape-string.php

[lostty84]

thanks immerse, will read, and correct all posibble pitfall before continuing the work.thanks

[Immerse]

Awesome!
Let us know if you need something explaining or help with securing your script

[guido2004]

You need to enclose variable values in apostrophes when executing queries

String values, yes. Numeric values, no. In this case it's a string value, so yes

[Immerse]

@guido2004 ; Yes, good point!

[lostty84]

i am having this error warning
Warning: Wrong parameter count for mysql_query() in /home/reachea2/public_html/deleteproduct.php on line 8
i guess its because i have assigned the string to a variable $rowdelete, so ow will i correct that please

PHP Code:

<?php require_once("include/dataconnect.php");?>
<?php require_once("include/functions.php");?>
<?php
$rowdelete = $_GET['del'];
//echo "$rowdelete";
$delete = mysql_query("DELETE FROM repplac where pidno = '{$rowdelete}'",
mysql_real_escape_string($pidno),
 mysql_real_escape_string(${$rowdelete}));
if (mysql_affected_rows() == 1){
//echo "yeah";
redirect_to('youraccount.php');
}else die(mysql_error()); 
?>