Delete ID From DB
Original Form
<?php
echo '<td><form action="episodesdelete.php" method="POST">';
echo '<input type="hidden" name="epid" value="'.$row['epid'].'">';
?>
episodesdelete.php
<?php
$connection = mysql_connect("localhost","root","")
or die ("Couldn't Connect To Server");
$db = mysql_select_db("shows", $connection)
or die ("Couldn't Select Database");
$query = "DELETE FROM shows WHERE epid= "'.$_POST['epid']'";
$result = mysql_query($query)
or die ("Query Failed: " . mysql_error());
?>
First of all, you have incorrect usage of double quotes:
$query = 'DELETE FROM shows WHERE epid= ".$row['epid']"';
Should be:
$query = "DELETE FROM shows WHERE epid= ".$row['epid'];
You have one more problem:
You also need to use the $_POST array with the correct field name, like:
$query = "DELETE FROM shows WHERE epid= " . $_POST['id'];
Because you are using POST as the method of the form:
<form action="episodesdelete.php" method="POST">
You need to use $_POST
And because your hidden field is named id:
echo '<input type="hidden" name="id" value="'.$row['epid'].'">';
You need to specify that in your query:
$_POST['id']
So here is how your query should be:
$query = "DELETE FROM shows WHERE epid= " . $_POST['id'];
Please check the source code of the generated HTML page in the browser.
- Is the value of the hidden input field filled with the correct id and not empty?
- Is there at most one input field with the name id per <form>?
On the server, check that the form was submitted, not just fetched for displaying:
if (isset($_POST['id'])) {
...
}
You wrote: $query = 'DELETE FROM shows WHERE epid= ".$row['epid']"';
There are a number of issues with this line:
- Instead of $row you need to use $_REQUEST or $_POST as it is data sent from the browser
- Instead of "epid", you named it just "id" in the html code.
- Inside single quotes, variables are not substituted
- There is a security issue called SQL injection which allows the users to execute any SQL statement they want by sending it as "id"-parameter; for example by using Firebug.
The line should look like this:
$query = "DELETE FROM shows WHERE epid='"
.mysql_real_escape_string($_POST['id'])."'";
PS: Speaking of security, make sure that you escape untrusted data with htmlspecialchars before inserting it into the HTML page. And you need an unguessable token in the form to prevent other websites that a logged-in user may visit from blindly submitting delete requests. See CSRF.
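The points raised in the last answer (no string-built SQL, a CSRF token on the delete form), put together as an added example that is not code from the thread. It uses PDO with a bound parameter in place of the escaped string, because the mysql_* functions were removed in PHP 7. Assumptions: the hidden field is named epid as in the question's form, the form also sends a hidden csrf_token field whose value was stored in $_SESSION['csrf_token'] when the form was rendered, and the database account and password are placeholders.

```php
<?php
// episodesdelete.php, hardened (added example, not from the original thread).
// Assumed names: POST fields "epid" and "csrf_token", session key "csrf_token".
declare(strict_types=1);
session_start();

// Return the id as an int only if it is a positive decimal integer, else null.
function parse_epid($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constant-time comparison of the submitted token with the one kept in the session.
function csrf_ok($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && is_string($expected)
        && $expected !== '' && hash_equals($expected, $submitted);
}

// Only act on a real form submission, never on a plain page fetch.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}
if (!csrf_ok($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
$epid = parse_epid($_POST['epid'] ?? null);
if ($epid === null) {
    http_response_code(400);
    exit('Invalid episode id');
}

// Placeholder credentials (assumption): a dedicated account instead of root with no password.
$pdo = new PDO('mysql:host=localhost;dbname=shows;charset=utf8mb4', 'shows_app', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The id is bound as a typed parameter, so it is never parsed as SQL text.
$stmt = $pdo->prepare('DELETE FROM shows WHERE epid = :epid');
$stmt->bindValue(':epid', $epid, PDO::PARAM_INT);
$stmt->execute();

echo $stmt->rowCount() === 1 ? 'Episode deleted' : 'No such episode';
```

The page that renders the form would create the token once per session, for example with bin2hex(random_bytes(32)), and print it through htmlspecialchars into the hidden csrf_token field.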