
Hi,
I am having a few issues trying to get this to work.
When I click the delete link I want the record to be deleted from MySQL if 2 parameters are true.
The following is the delete link:

http://domain.com/records.php?url=21313

So the first parameter is "url"; the second will be the user's account id.

the record in MySQL is as follows:

id: 23423424
URL: 21313
FIELD: HERE AND THERE
USERID: 222

So I need a statement that basically says
DELETE from masterdb where url = $_GET['url'] and userid = $_SESSION['userid'], then return to index.php

I cannot seem to work this out

Any help would be appreciated

Cheers

4 Contributors, 8 Replies, 10 Views, 6 Years Discussion Span, Last Post by happytogether

Hi,

Firstly, and most importantly, you're not escaping parameters that come in over the URL before using them in an SQL query. That is a serious security risk.

Secondly, are you checking that the user id is set in the session before use?

Third, is your table called masterdb? And are your field names in caps or lowercase? The table definition you've included doesn't match your SQL query.

And to add some security, you could modify your query to:

$sql = sprintf("DELETE FROM `table` WHERE `url` = %d AND `userid` = %d LIMIT 1;", (int)$_GET['url'], (int)$_SESSION['user_id']);

R.

mysql_query("delete from masterdb where url='".$_GET['url']."' and userid='".$_SESSION['userid']."'");
if(!mysql_error()){
header("location:/index.php");
exit;
}
else {
echo mysql_error();
}
mysql_query("delete from masterdb where url='".$_GET['url']."' and userid='".$_SESSION['userid']."'");
if(!mysql_error()){
header("location:/index.php");
exit;
}
else {
echo mysql_error();
}

What if a user sets the URL argument to:

'; SHOW TABLES; --

or

'; DROP DATABASE `masterdb`; --

??

And displaying the database error to the user is very helpful. It allows people trying to hack your site to see exactly where the error is in their SQL injection attacks.

Sorry, I don't mean to burn. Am just trying to highlight my point :)

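The concatenated DELETE from the replies above, next to the prepared-statement version R. describes (session check, integer-only parameters), as an added example that is not code from the thread. It runs against an in-memory SQLite table through PDO so it can be executed without a MySQL server; the table and column names follow the original post, the rows are constructed, and deleteRecord with its $get/$session parameters is a hypothetical stand-in for the handler in records.php.

```php
<?php
// Added example, not code from the thread. The concatenated DELETE from the
// replies above is run against an in-memory SQLite table through PDO so the
// injection is visible without a MySQL server, then the prepared-statement
// version with the session and integer checks is run on the same table.
// Table and column names follow the original post; the rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE masterdb (id INTEGER PRIMARY KEY, url INTEGER, field TEXT, userid INTEGER)');

function seed(PDO $db): void {
    $db->exec('DELETE FROM masterdb');
    $ins = $db->prepare('INSERT INTO masterdb (id, url, field, userid) VALUES (?, ?, ?, ?)');
    foreach ([[23423424, 21313, 'HERE AND THERE', 222],
              [23423425, 99999, 'ANOTHER ROW',    222],
              [23423426, 21313, 'SOMEONE ELSE',   333]] as $row) {
        $ins->execute($row);
    }
}

function countRows(PDO $db): int {
    return (int)$db->query('SELECT COUNT(*) FROM masterdb')->fetchColumn();
}

// 1. The vulnerable form: request data spliced into the SQL text.
function deleteUnsafe(PDO $db, string $url, string $userid): int {
    $sql = "DELETE FROM masterdb WHERE url='" . $url . "' AND userid='" . $userid . "'";
    return $db->exec($sql);                       // rows affected
}

// 2. The prepared-statement form, written as the handler records.php needs.
//    $get and $session stand in for $_GET and $_SESSION so it can run here
//    (hypothetical signature). Returns true only when exactly one row went.
function deleteRecord(PDO $db, array $get, array $session): bool {
    if (!isset($session['userid']) || !isset($get['url'])) {
        return false;                             // not logged in, or no url given
    }
    // Both columns are integers; refuse anything that is not one.
    if (filter_var($get['url'], FILTER_VALIDATE_INT) === false) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM masterdb WHERE url = :url AND userid = :userid');
    $stmt->execute([':url' => (int)$get['url'], ':userid' => (int)$session['userid']]);
    return $stmt->rowCount() === 1;
}

// A payload sent as ?url=... . The "--" comments out the userid condition, so
// the statement becomes:  DELETE FROM masterdb WHERE url='' OR 1=1 --' AND userid='222'
$payload = "' OR 1=1 --";

seed($db);
printf("start: %d rows\n", countRows($db));
$gone = deleteUnsafe($db, $payload, '222');
printf("concatenated query with payload: %d rows deleted, %d left\n", $gone, countRows($db));

seed($db);
$ok = deleteRecord($db, ['url' => $payload], ['userid' => 222]);
printf("prepared query with payload: %s, %d rows left\n", $ok ? 'deleted' : 'refused', countRows($db));

$ok = deleteRecord($db, ['url' => '21313'], ['userid' => 222]);
printf("prepared query, url 21313 as user 222: %s, %d rows left\n", $ok ? 'deleted' : 'refused', countRows($db));
// The row with url 21313 that belongs to userid 333 is untouched.

// In records.php, on success, redirect without printing any database error:
//   header('Location: /index.php');
//   exit;
```

Run it with the php command line (it needs the pdo_sqlite extension); the concatenated query with the payload removes every row, the prepared handler refuses the payload and removes exactly the caller's own row for url 21313. Against MySQL the only changes are the DSN and that you can add LIMIT 1 as R. suggests (SQLite does not accept LIMIT on DELETE by default). Two points the thread leaves out: in production, log the PDOException and redirect rather than echoing the database error, and a delete triggered by a plain GET link can also be triggered by any page that makes the logged-in browser load that URL, so the link should be a POST form carrying a per-session token.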


It's just a sample... I'm not telling him to use that in his official script;
echo mysql_error() is just to test if his query is running correctly.
A newbie in PHP needs to see the error if there is one.
Hope you got my point.



No, not at all. As I said, I didn't mean to burn. But as you say, if the original poster is a novice PHP programmer, I think it's better that they learn about things like SQL injection and other potential security holes sooner rather than later.

No hard feelings.
