
I am sending values to a PHP form using the GET method. When I go to the URL, the link looks as follows:

http://www.url.com/getstuff.php?rid=sG94Ok5JtHQ&searcht=music&r=0

I am using the following function to handle the variables:

```php
if (isset($_GET['rid'])) {

  if($_GET['r'] == 0) {
      echo $_GET['searcht']; 
      echo $_GET['rid'];
      mysql_query('DELETE FROM flags WHERE searchText = "'.$_GET['searcht'].'" AND videoID = "'.$rid.'"');
  } else
  {
      mysql_query('INSERT INTO removed (videoID) VALUES ("'.$_GET['rid'].'")');
      mysql_query('DELETE FROM flags WHERE searchText = "'.$_GET['searcht'].'" AND videoID = "'.$rid.'"');
  }
}
```

For some reason, the INSERT statement works above, but the delete statements do not do anything. When I echo mysql_error(), I am not getting anything either. I am sure the columns and table names are correct. Any help would be appreciated to help me get the delete statements working! Thanks!

Giacomo1968
user3630775
  • You're not setting the value of `$rid` anywhere. Also, be VERY wary of possible SQL Injection attacks. –  May 25 '14 at 21:21
  • Just a piece of advice, the `mysql` series of functions including query and connect have been deprecated. Instead use `mysqli` or `PDO`, as they are much more secure and in active development. – Sam Holmes May 25 '14 at 21:25
  • I am not sure, but you mix `'` and `"`. You start the qry with `'` and then close with `"`, which makes the qry string incorrect, as mysql does not accept `"` for strings. So switch them: start with `"` and use `'` for what is passed in the qry. Echoing the qry is a good debug step. Then copy and execute it on mysql and see the result. – Yazan May 25 '14 at 21:42
  • Your code is vulnerable to SQL injections. You should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). – Gumbo May 25 '14 at 21:49
  • Thanks a lot guys. Stupid mistakes. – user3630775 May 27 '14 at 20:12

2 Answers

2

A DELETE query will succeed, even if nothing was deleted. In your code, you use the $rid variable, which is never set. There is a $_GET['rid'] variable, so the fix is probably to either assign $rid to $_GET['rid'], e.g.

```php
{
      $rid = $_GET['rid'];
      mysql_query('INSERT INTO removed (videoID) VALUES ("'.$_GET['rid'].'")');
      mysql_query('DELETE FROM flags WHERE searchText = "'.$_GET['searcht'].'" AND videoID = "'.$rid.'"');
}
```

Or to change all instances of $rid to $_GET['rid'], e.g.

```php
{
      mysql_query('INSERT INTO removed (videoID) VALUES ("'.$_GET['rid'].'")');
      mysql_query('DELETE FROM flags WHERE searchText = "'.$_GET['searcht'].'" AND videoID = "'.$_GET['rid'].'"');
}
```

Also, the mysql_ functions are deprecated, and you should use PDO/mysqli. Also, you don't sanitise your data anywhere (using intval or mysql_real_escape_string or similar), so you're quite open to SQL injection.

slugonamission
  • @user3630775 - whoops, I end up typing `$_POST[]` out of habit, since I rarely use `$_GET[]` variables. Yes, it should have been `$_GET['rid'];` – slugonamission May 25 '14 at 21:29
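
The answer above recommends PDO/mysqli and notes both the injection risk and that a DELETE succeeds even when it removes nothing. The following is an added example, not part of the original answer: the same handler with bound parameters and a row-count check. The function name `handleFlag`, the in-memory SQLite database standing in for the MySQL connection, and the table layout (inferred from the question's queries) are assumptions.

```php
<?php
// Added example: the question's handler rewritten with PDO prepared statements.
// An in-memory SQLite database stands in for the MySQL connection (assumption).
declare(strict_types=1);

function handleFlag(PDO $db, array $get): int   // hypothetical helper name
{
    // Reject requests that lack any of the three parameters from the URL.
    foreach (['rid', 'searcht', 'r'] as $key) {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            throw new InvalidArgumentException("missing parameter: $key");
        }
    }
    $db->beginTransaction();
    try {
        if ($get['r'] !== '0') {
            $ins = $db->prepare('INSERT INTO removed (videoID) VALUES (:rid)');
            $ins->execute([':rid' => $get['rid']]);
        }
        // Values are bound as data, never concatenated into the SQL text.
        $del = $db->prepare(
            'DELETE FROM flags WHERE searchText = :searcht AND videoID = :rid'
        );
        $del->execute([':searcht' => $get['searcht'], ':rid' => $get['rid']]);
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    // A DELETE that matches nothing is not an error; the row count reveals it.
    return $del->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE flags (searchText TEXT, videoID TEXT)');
$db->exec('CREATE TABLE removed (videoID TEXT)');
$db->exec("INSERT INTO flags VALUES ('music', 'sG94Ok5JtHQ')"); // constructed row

// Constructed requests: a rid containing quote characters, then the question's URL values.
$quoted = ['rid' => '" OR "1"="1', 'searcht' => 'music', 'r' => '0'];
$legit  = ['rid' => 'sG94Ok5JtHQ', 'searcht' => 'music', 'r' => '0'];
echo handleFlag($db, $quoted), "\n"; // quoted value is compared literally
echo handleFlag($db, $legit), "\n";  // the real row is matched and removed
```

Returning the affected-row count gives the caller the signal that `mysql_error()` could not: a query that ran cleanly but matched no rows.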
-2

Use $_GET['rid'] in place of $rid in delete stmt

```php
AND videoID = "'.$rid.'"');
```
Veedrac
  • This appears to have already been mentioned in a previous answer, and doesn't add additional information. – Jamal May 25 '14 at 21:59