0

I'm trying to delete a row in my mysql database. Which row to be deleted is defined by a _GET tag. So if the page URL is deletePage.php?id=5 it wil delete the row with ID=5.

Here is my code so far:

<?php
 if (empty($_GET)) {echo "Error!";}
 else {
    include "../../includes/dke390d-ko.php";
    $pageID = $_GET['id'];;
    $conn = mysql_connect($dbhost, $dbuser, $dbpasswd);
if(! $conn )
{
  die('Could not connect: ' . mysql_error());
}
$sql = 'DELETE FROM page
        WHERE id="$pageID"';

mysql_select_db($dbname);
$retval = mysql_query( $sql, $conn );
if(! $retval )
{
  die('Could not delete data: ' . mysql_error());
}
echo "Deleted data successfully\n";
mysql_close($conn);
    header("Location: index.php");
    }
 ?>

My problem is that when i execute the code i am getting a error message saying: Could not delete data: Unknown column 'id' in 'where clause'

I should probably put the ID in a session. But that'll come later.

Best regards!

marwej
  • 71
  • 1
  • 6
  • 6
    So what's your question? Also, [please, don't use `mysql_*` functions in new code](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [red box](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). **You are also wide open to [SQL injections](http://stackoverflow.com/q/60174)** – John Conde Jun 27 '14 at 14:09
  • 1
    Is the column name `ID` or `id`? – jcaron Jun 27 '14 at 14:20
  • @jcaron I upvoted your comment (earlier), OP's column was actually [`pageID`](https://stackoverflow.com/questions/24453885/php-delete-specific-row-in-mysql#comment37842274_24453923) – Funk Forty Niner Jun 27 '14 at 14:37

2 Answers2

3

You have a variable in a string delimited by single quotes. As a result the variable is not interpolated. Swap your quotes to fix this:

$sql = "DELETE FROM page
        WHERE id='$pageID'";

Like I said in my comments above, your code is obsolete and insecure. You should make fixing that a high priority.

John Conde
  • 217,595
  • 99
  • 455
  • 496
  • 1
    [`Another "plug"`](https://stackoverflow.com/questions/24453885/php-delete-specific-row-in-mysql#comment37841875_24453936) ;-) – Funk Forty Niner Jun 27 '14 at 14:12
  • I chuckled when I clicked on the link and the page just reloaded. I wasn't expecting that. :) – John Conde Jun 27 '14 at 14:13
  • Don't you just love the unexpected? Kinda like a suprise party where all your ex-GF's show up naked. – Funk Forty Niner Jun 27 '14 at 14:14
  • At the age we all are now, that's party I would like to miss! lol – John Conde Jun 27 '14 at 14:14
  • Tried, but i'm still getting an error saying: Could not delete data: Unknown column 'id' in 'where clause'. – marwej Jun 27 '14 at 14:15
  • 2
    @Fred-ii- Well made, very nice and highly appropriate :-) – VMai Jun 27 '14 at 14:15
  • @user3420206 - show us your table - because if unknown id means the column id isn't even in the table – azngunit81 Jun 27 '14 at 14:16
  • @user3420206 Also, add error reporting to the top of your file(s) `error_reporting(E_ALL); ini_set('display_errors', 1);` see if it yields anything. – Funk Forty Niner Jun 27 '14 at 14:17
  • @JohnConde I guess I should probably delete the comment I left under the other answer. lol – Funk Forty Niner Jun 27 '14 at 14:21
  • Added the error reporting. Now it's saying:Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in C:\xampp\htdocs\cms\admin\executers\deletePage.php on line 7 Could not delete data: Unknown column 'id' in 'where clause' Link to image of table layout here [link](http://mariusweber.dk/sql.jpg) – marwej Jun 27 '14 at 14:21
  • There you go, you're using `id` where it should be `pageID` @user3420206 - `WHERE pageID='$pageID'";` also remove one of the `;` in `$pageID = $_GET['id'];;` – Funk Forty Niner Jun 27 '14 at 14:24
  • You're welcome. See? It pays to have error reporting on! ;-) Now, do accept John's answer, since the solution was found here. :) cheers @user3420206 – Funk Forty Niner Jun 27 '14 at 14:26
  • I'm so good (lol) so, about that party.... – Funk Forty Niner Jun 27 '14 at 14:31
1

The MySQL family of PHP is deprecated and support thereof will disappear, if it hasn't yet. Please look into PDO or MySQLi.

Now for the bigger issues, never trust user input. Your SQL is not safe against SQL injection, nor do you do any checks on the $_GET parameter. This is incredibly dangerous and reeks of disaster!

In PDO, there is a prepare statement that will sanitize input for you.

$sql = $dbh->prepare('DELETE FROM page  WHERE id=?');
$sql->execute(array($id));

The execute function takes an array and will replace any ? in your code with parameters safely.

As mentioned above, I would also do a check on that $_GET parameter; keep in mind that a user can supply anything he wants, even if your form wouldn't allow it (the same applies for $_POST).

I would suggest something like:

if(!isset($_GET['id']) || !is_scalar($_GET['id']) || !is_numeric($_GET['id']))
   die('Invalid id!');

Assuming you'd want your ID to be numeric for the check with is_numeric(). Checking for is_scalar() helps prevent warnings that appear when the user visits something like delete.php?id[]=t which is really easy to do.

ljacqu
  • 2,132
  • 1
  • 17
  • 21
  • 1
    This isn't an answer. [`This is an answer`](http://stackoverflow.com/a/24453923/) – Funk Forty Niner Jun 27 '14 at 14:11
  • @Fred-ii- Fixed, and fixed. I was a little eager to submit. – ljacqu Jun 27 '14 at 14:20
  • @ljacqu using GET requests to delete (or change) data reeks of disaster, OP should consider using POST requests. – VMai Jun 27 '14 at 14:21
  • I understand. It's usually best to include actual code to fix the OP's issue (*or hopefully fix*), instead of merely pointing out that the present method is open to SQL injection, noble as your suggestion was ;-) that wasn't my DV btw. – Funk Forty Niner Jun 27 '14 at 14:22
  • 1
    @VMai Sure, it's a little bit more difficult to send bogus `$_POST` data, but personally I would never consider `$_POST` any safer than `$_GET`. User input remains user input. – ljacqu Jun 27 '14 at 14:24
  • It's less a matter of security. GET requests should be cachable. – VMai Jun 27 '14 at 14:26
  • Sidenote: [`Solution is here`](https://stackoverflow.com/questions/24453885/php-delete-specific-row-in-mysql#comment37842402_24453923) (OP wasn't using error reporting also) cheers (*it pays to investigate*) ;-) – Funk Forty Niner Jun 27 '14 at 14:27