
Basically, as my question stated, it works in phpMyAdmin but not in PHP itself. When I run the script, it returns true and doesn't die. HELP!

here is the query:

DELETE FROM selections WHERE selectorID = '$userID' AND selectedID = '$ID'

Here is the php script:

<?php

include_once "connect_to_mysql.php";

$errorB = false;
$error  = '';
$id     = '';
$userID = '';

// Both parameters must be present; otherwise collect an error message per missing one.
if (empty($_GET['ID']) || empty($_GET['userID'])) {
    $errorB = true;

    if (empty($_GET['ID'])) {
        $error = $error . '-No selected ID was sent';
    }

    if (empty($_GET['userID'])) {
        $error = $error . '-No selector ID was sent';
    }
} else {
    $id = $_GET['ID'];
    $userID = $_GET['userID'];
    echo $id . $userID;
    // PHP variable names are case-sensitive: the query below interpolates $ID, not the $id assigned above.
    $sqlInsert = mysql_query("DELETE FROM selections WHERE selectorID = '$userID' AND selectedID = '$ID'") or die (mysql_error());
    echo 'shz';
}

if ($errorB) {
    echo $error;
}

?>

My database looks like this:

 id | selectorID | selectedID
  3 |          1 |          4
  4 |          1 |          5
Michael King
  • If it works in phpmyadmin and not in php my guess is that your variables don't contain the values you expect them to. You also need to break this down to its simplest use case scenario for easier troubleshooting. – John Conde Feb 20 '13 at 15:09
  • You are aware that your code is very, very unsafe against SQL injection? You should validate all data you get from `$_GET` before passing it into your SQL query. – oktopus Feb 20 '13 at 15:12

1 Answer

Your first, but lesser, trouble is the case-sensitive nature of PHP variables:

Here

$sqlInsert = mysql_query("DELETE FROM selections WHERE selectorID = '$userID' AND selectedID = '$ID'") or die (mysql_error());

you refer to $ID, but have only $id:

$id = $_GET['ID'];

Correctly:

$sqlInsert = mysql_query("DELETE FROM selections WHERE selectorID = '$userID' AND selectedID = '$id'") or die (mysql_error());

IMPORTANT NOTE

While this will most likely work, it is prone to SQL injection! Use PDO instead, or at the very least, escape your values!!!

ppeterka
  • Well spotted. That's why you can't develop PHP code with full error reporting disabled. – Álvaro González Feb 20 '13 at 15:14
  • Thank you! I feel really stupid as I am a seasoned programmer. But I guess I still miss things. And as for the SQL injection I always build my scripts and get them to work and then go back and fix all the vulnerabilities. – Michael King Feb 20 '13 at 15:15
  • @ÁlvaroG.Vicario Yes... Such issues, and their returning memories make me frown when I have to deal with PHP... – ppeterka Feb 20 '13 at 15:16
  • @MichaelKing You're welcome. Happens to me all the time too :) But I heartily advise against the "going back to fix it" approach when dealing with security. For performance optimization that is the route to follow, but with security, you have a lot to lose.... – ppeterka Feb 20 '13 at 15:18
  • @MichaelKing - That's why I hate it when they call it "security"—it makes people think, "hey, I don't need that". If you're generating a PDF file, you need to ensure it's a valid PDF file. If you're generating SQL, you need to ensure it's valid SQL. – Álvaro González Feb 20 '13 at 15:33
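The answer recommends PDO with bound parameters instead of interpolating `$_GET` values into the query. The script below is an added example, not code from the question or the answer: it rewrites the same DELETE against an in-memory SQLite database (a stand-in for the questioner's MySQL connection, so it runs stand-alone) using the two rows from the question's table, validates both IDs as positive integers before they reach SQL, and binds them as parameters so a value like `5'` is either rejected up front or treated as plain data rather than as SQL. The function names `openDemoDb`, `positiveInt`, `deleteSelection` and `handleDelete` are assumptions made for this example.

```php
<?php
// Added example (not the question's or answer's code): the same DELETE with PDO
// prepared statements and input validation. SQLite in memory stands in for the
// real MySQL DSN; the table and rows are constructed from the question's sample data.

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE selections (id INTEGER PRIMARY KEY, selectorID INTEGER, selectedID INTEGER)');
    $db->exec('INSERT INTO selections (id, selectorID, selectedID) VALUES (3, 1, 4), (4, 1, 5)');
    return $db;
}

// Accept only a positive integer; anything else (empty, text, quotes) yields null
// so the request is rejected before any SQL is built.
function positiveInt($value): ?int {
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Runs the DELETE with bound integer parameters; returns the number of rows removed.
// The values never become part of the SQL text, so quoting or escaping is not needed.
function deleteSelection(PDO $db, int $userID, int $id): int {
    $stmt = $db->prepare(
        'DELETE FROM selections WHERE selectorID = :selector AND selectedID = :selected'
    );
    $stmt->bindValue(':selector', $userID, PDO::PARAM_INT);
    $stmt->bindValue(':selected', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Mirrors the question's $_GET['ID'] / $_GET['userID'] contract and its error messages.
// One consistently named $id variable avoids the $ID/$id mismatch the answer points out.
function handleDelete(PDO $db, array $get): string {
    $userID = positiveInt($get['userID'] ?? null);
    $id     = positiveInt($get['ID'] ?? null);
    $errors = [];
    if ($id === null)     { $errors[] = '-No selected ID was sent'; }
    if ($userID === null) { $errors[] = '-No selector ID was sent'; }
    if ($errors) {
        return implode('', $errors);
    }
    $removed = deleteSelection($db, $userID, $id);
    return "deleted $removed row(s)";
}

$db = openDemoDb();
echo handleDelete($db, ['ID' => '4', 'userID' => '1']), "\n";  // valid request: row id 3 is removed
echo handleDelete($db, ['ID' => "5'", 'userID' => '1']), "\n"; // stray quote: rejected by validation, no SQL runs
echo handleDelete($db, ['userID' => '1']), "\n";               // missing ID: error message, as in the question
```

Validation and binding do different jobs here: `positiveInt` enforces what the application expects (an integer ID), while the prepared statement guarantees that whatever does reach the database is data, not SQL. Keeping both means a future change that loosens validation does not silently reopen the injection path.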