writing query problem

04-03-2007, 03:50 PM
#1
jabberwocky (Member; joined Oct 2005; Calgary, Alberta, Canada; 278 posts)

I'm reading this book, "Beginning PHP5, Apache and MySQL Web Development", and in an exercise I am trying to delete a record. However, I keep getting this error message:

Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE _id = '8' LIMIT 1' at line 2

This is the code that seems to be causing the problem.

Code:
    // generate SQL
    $sql = "DELETE FROM " . $_GET['type'] . "
            WHERE " . $_GET['type'] . "_id = '" . $_GET['id'] . "'
            LIMIT 1";
This is exactly what is in the book, but I'm still getting an error. Could this mean something is not activated in my local PHP? Some kind of setting on how SQL statements are sent, or something?

04-03-2007, 05:45 PM
#2
localhost (Dediport Hosting; joined Jul 2006; Berkshire; expertise: programming, business; software: Dreamweaver; 1,316 posts)

Isn't really a safe script because you could get hacked:
PHP Code:
    // escape quote characters in the incoming values (needs an open mysql connection)
    $type = mysql_real_escape_string($_GET['type']);
    $id   = mysql_real_escape_string($_GET['id']);
    // the key column is named after the table, e.g. movie_id
    $sql  = "DELETE FROM `$type` WHERE `{$type}_id` = '$id' LIMIT 1";
I think that should work..

04-03-2007, 06:01 PM
#3
Salathe (Community Archaeologist; joined Jul 2004; Scotland; expertise: Software Development; software: vim, PHP; 3,820 posts)

Are you sure you're passing along "type" in the query string, along with "id"? That seems to be your problem.

localhost is right that your code isn't secure at all, but that's not a concern right at this very moment (I assume that security will be covered later in the book).

04-03-2007, 06:17 PM
#4
jabberwocky (Member; joined Oct 2005; Calgary, Alberta, Canada; 278 posts)

Heh, I hope it is. At the moment this is all just local. What part of this makes it unsafe?

Maybe the type and id are not being passed? I'll double check and see if I mistyped there.

Cheers

04-03-2007, 06:28 PM
#5
jabberwocky (Member; joined Oct 2005; Calgary, Alberta, Canada; 278 posts)

Yup! I wasn't passing the type or id variables. I got it working now. Thanks!

04-06-2007, 04:23 AM
#6
powerspike (I'm new around here; joined Feb 2007; Sydney, Australia; 23 posts)

Originally Posted by jabberwocky
    Heh, I hope it is. At the moment this is all just local. What part of this makes it unsafe?

    Maybe the type and id are not being passed? I'll double check and see if I mistyped there.

    Cheers

SQL injections. Using data from external sources (forms, databases, files, etc.) should have some type of checks on them; mysql_escape_string is one of the easiest ways to do it. If you don't check your data, someone could delete your entire database, or worse, get a copy of it, etc. etc.
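The replies above stop at escaping the two values. Escaping helps the quoted `id`, but the table name is not inside quotes, so escaping it changes nothing; the only reliable way to take an identifier from the URL is to compare it against a fixed list of allowed tables. As an added example, not code from the thread, the book or any of the posters, here is the same delete written with an allowlist for the table name and a bound parameter for the id, plus the "both parameters present" check that would have caught the original `WHERE _id = '8'` error. The table names, database name and credentials are assumptions; adjust them to the exercise's schema.

```php
<?php
// Added example, not code from the thread or the book. Assumes a PDO connection
// to MySQL and tables named like the book's exercise, e.g. `movie` keyed by
// `movie_id` (the table/column names below are an assumption).

// Allowlist of tables this page is permitted to delete from. A table name cannot
// be sent as a bound parameter, so the URL value is checked against this list
// and anything else is rejected outright.
const DELETABLE_TYPES = ['movie', 'people'];

function deleteRecord(PDO $pdo, string $type, string $id): int
{
    if (!in_array($type, DELETABLE_TYPES, true)) {
        throw new InvalidArgumentException('unknown record type');
    }
    // The id is data: require digits only, then bind it as an integer parameter
    // instead of pasting it into the SQL text, so quotes in it cannot alter the statement.
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a whole number');
    }
    $sql  = "DELETE FROM `{$type}` WHERE `{$type}_id` = :id LIMIT 1";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // 1 if a row was deleted, 0 if no such row
}

// The original error ("WHERE _id = '8'") came from a missing `type` parameter;
// refuse the request before building any SQL if either parameter is absent.
if (!isset($_GET['type'], $_GET['id'])) {
    http_response_code(400);
    exit('missing type or id');
}

// Connection details are placeholders (assumption: database named `moviesite`).
$pdo = new PDO('mysql:host=localhost;dbname=moviesite', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

try {
    $deleted = deleteRecord($pdo, $_GET['type'], $_GET['id']);
    echo $deleted === 1 ? 'Record deleted.' : 'No such record.';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage());
}
```

With this shape, a request like `delete.php?type=movie&id=8` works as before, `delete.php?id=8` gets a 400 instead of a broken query, and `delete.php?type=users&id=8` is refused because `users` is not in the allowlist. The prepared statement is what makes the id safe; the allowlist is what makes the table name safe, and no amount of escaping substitutes for it.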
