开发者

PHP - $GET and delete from MySQL

问答 作者:

I have an a href 开发者_运维技巧which looks like that: <a href="delete-news.php?deleteID=11">Delete</a>

And file delete-news.php is as follow:

<?php 

if(isset($_GET["?deleteID='.$id."])) 
{

    $result = mysql_query("DELETE FROM 'news' WHERE id='$id'");
    echo mysql_error();
    if($result)
        echo "succces";
}
else { echo "GET NOT SET"; }

?>

But it is returning GET NOT SET. What I'm doing wrong?

Use this, and for god's sake escape your inputs.

if(isset($_GET['deleteID'])) {
    $result = mysql_query("DELETE FROM `news` WHERE id='".mysql_real_escape_string($_GET['deleteID']). "'");
    echo mysql_error();
    if($result)
        echo "succces";

} else {
    echo 'GET NOT SET';
}

$_GET will have each element of the GET variables already broken down, so no need to include the URL data. So, in your example, the link ?deleteID=123 would produce $_GET['deleteID'].

Try using that, but also remember to sanitize the values you receive in from URLs. If it's going to be a numeric value, I suggest casting it:

$deleteID = (int)$_GET['deleteID'];

Please also note that changes to the system should only happen via POST, and never GET. Otherwise (for example), you might get a spidering bot that deletes your whole site. See this post for more references:

https://stackoverflow.com/questions/679013/get-vs-post-best-practices

You need to check $_GET for just deleteID. Later, reference it as $_GET['deleteID']. Also, call mysql_real_escape_string() on $_GET['deleteID'] to retrieve your query parameter $id.

if(isset($_GET["deleteID"])) 
{
    $id = mysql_real_escape_string($_GET['deleteID']);
    $result = mysql_query("DELETE FROM `news` WHERE id='$id'");
    echo mysql_error();
    if($result)
        echo "succces";
}
else { echo "GET NOT SET"; }

Try this instead:

<?php 
    if(isset($_GET['deleteID'])) 
    {
        $id = intval($_GET['deleteID']);
        $result = mysql_query("DELETE FROM `news` WHERE id='$id'");
        echo mysql_error();
        if($result) echo "succces";

    } else { 

        echo "GET NOT SET";

     }
?>

Note that I'm making the given deleteID into an int, meaning that values other than some form of number will become 0.

Also, you can't wrap a table- and/or column name with ' - backticks are the way to go!

<?php 

if(isset($_GET["deleteID"])) 
{
    $id = ($_GET['deleteID']);
    $result = mysql_query("DELETE FROM news WHERE id='".mysql_real_escape_string($id)."'");
    echo mysql_error();
    if($result)
        echo "succces";
}
else { echo "GET NOT SET"; }

?>

is correct one

You obtain GET NO SET, because the $_GET associative array does not contain ?deleteID='.$id.

In order for you to obtain the id, you need to so something like this:

$id = $_GET['deleteID'];

Also

$result = mysql_query("DELETE FROM 'news' WHERE id='$id'");

That is very unsafe as it allows SQL injections. Instead, do:

$query = sprintf("DELETE * FROM news WHERE id=%d",
         mysql_real_escape_string($id),
$result = mysql_query($query);

I hope this helped.

继续阅读:php

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9