use one php file to process two mysql queries?

Question

Is there a way i can use the same php file 'favorite.php' to carry out two separate mysql queries each time it's accessed.

Basically i have a link on a users profile page called add to favorites, which links to favorite.php and runs the query to add users to the session users favorites list. I want to add another query to the file to run on a separate occasion, so on the next time that links clicked to say if the favorite id exists in the table to delete it removing that user from the session users favorites list?

here i have my insert into query, and now i just need to find a way of saying delete favorite id if exists for the second time the link is clicked?

<?php

require_once('includes/session.php');
require_once('includes/functions.php');
require('includes/_config/connection.php');


session_start();


    confirm_logged_in();




    if (isset ($_GET['to'])) {
    $user_to_id = $_GET['to'];


}


if (!isset($_GET['to']))
    exit('No user specified.');

$user_id = $_GET['to'];

$result = mysql_query("INSERT INTO ptb_favorites (user_id, favorite_id) VALUES (".$_SESSION['user_id'].", ".$user_to_id.")") 
or die(mysql_error()); 

if($result = mysql_query($query))

$result = mysql_query("DELETE FROM ptb_favorites (user_id, favorite_id) VALUES (".$_SESSION['user_id'].", ".$user_to_id.")") 
or die(mysql_error()); 

header("Location: profile.php?id=" . $user_to_id['user_id']);


?>

Hope that makes sense thanks.

surely that would cause the previous sql to cause an error? i'll try it — James Matthews, Dec 27 '12 at 02:47
Note that mysql_query() is [deprecated](http://php.net/manual/en/function.mysql-query.php) — Jay, Dec 27 '12 at 02:47
Your code is vulnerable to SQL injection, please use PDO prepared statements instead — Adam Elsodaney, Dec 27 '12 at 02:50
You have exactly the same errors like on your other question http://stackoverflow.com/questions/14048367/redirect-user-after-clicking-link-to-sql-process/14048558#comment19411828_14048558. The same mysql injections are possible etc. And you have not accepted an answer on that question too while I see here that you fixed some of the code. These are not good manners. — Mihai P., Dec 27 '12 at 02:53

Adam Elsodaney · Answer 1 · 2012-12-29T16:28:23.393

Here's how I'd write your script to avoid SQL injection, assuming you have PHP 5.3 or greater. I tend to use closures / anonymous functions for database queries, but you can use them in inline with everything else.

The last line however I'm confused about unless $_GET['to'] is an array.

<?php

require_once('includes/session.php');
require_once('includes/functions.php');

$connection = new PDO('mysql:host=example.com;dbname=you_database_name', 'mysql_username', 'mysql_pass');

session_start();
confirm_logged_in();

$user_to_id = isset($_GET['to']) ? $_GET['to'] : null;

if (is_null($user_to_id)) {
    exit('No user specified.');
}

$user_id = $_GET['to'];

$insert = (function () use ($connection, $user_to_id) {
    $sql = "INSERT INTO ptb_favorites (user_id, favorite_id) VALUES (?, ?)";
    $statement = $connection->prepare($sql);

    $result = $statement->execute(array(
        $_SESSION['user_id'],
        $user_to_id
    ));

    return $result;
});

if ($insert() === true) {
    $delete = (function () use ($connection, $user_to_id) {
        $sql = "DELETE FROM ptb_favorites WHERE user_id = ? AND favorite_id = ?";
        $statement = $connection->prepare($sql);

        $result = $statement->execute(array(
            $_SESSION['user_id'],
            $user_to_id
        ));

        return $result;
    });

    $delete();
}

// Not sure about this line if $user_to_id is not an array
header("Location: profile.php?id=" . $user_to_id['user_id']);

thanks for your suggestion adam however i get 4 syntax errors on your code. — James Matthews, Dec 29 '12 at 07:13
@JamesMatthews sorry my bad, I was using `if (!is_null($user_to_id)`. This should actually be `if (is_null($user_to_id)` (code updated). You may also have to refactor some of the code if you had additional logic in includes/_config/connection.php that I might be missing — Adam Elsodaney, Dec 29 '12 at 16:31

score 0 · Answer 2 · edited May 23 '17 at 12:12

0

when building DELETE statement, there should be no VALUES keyword involved,

DELETE 
FROM ptb_favorites 
WHERE user_id = val1 AND
      favorite_id = val2

so in PHP

$delQuery = "    DELETE 
                 FROM ptb_favorites 
                 WHERE user_id = '" . $_SESSION['user_id'] . "' AND
                       favorite_id = '" . $user_to_id . "'"
$result = mysql_query($delQuery) or die(mysql_error());

As a sidenote, the query is vulnerable with SQL Injection. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

How to prevent SQL injection in PHP?

edited May 23 '17 at 12:12

Community

1
1

answered Dec 27 '12 at 03:04

John Woo

258,903
69
498
492

thank you i will take a look at adding in sql protection. with this statement do i need to put an if or else statement or just put it in under the original query? – James Matthews Dec 27 '12 at 03:15
also i am getting a syntax error with that code at the $result = mysql_query line – James Matthews Dec 27 '12 at 03:17

use one php file to process two mysql queries?

2 Answers2