
I am trying to create a delete page for when the user clicks "cancel order". Here is my code.

$A = @mysql_query("DELETE * FROM customers      WHERE email=    '{$_REQUEST['email']}'");
$B = @mysql_query("DELETE * FROM order_detail   WHERE orderid=  '{$_REQUEST['orderid']}'");
$C = @mysql_query("DELETE * FROM orders         WHERE `serial`= '{$_REQUEST['serial']}'");

That is what I did for cancel.php.

and here is the link that would send parameters to the cancel page.

<a href='../../includes/cancel.php?orderid=".$row['orderid']."&serial=".$row['serial']."&email=".$_SESSION['email']."'>CANCEL ORDER</a>

I don't know why it won't work. Please help. Thank you.

Vince Agno
    Remove the `*` in all your queries. – Funk Forty Niner Oct 07 '14 at 15:48
  • 7
    You don't check for errors, you suppress errors, you're using a deprecated API, and you're wide open to SQL injections. Not a good start. – John Conde Oct 07 '14 at 15:48
  • 3
    Please, [don't use `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php), They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://us1.php.net/pdo) or [MySQLi](http://us1.php.net/mysqli). [This article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide. – Jay Blanchard Oct 07 '14 at 15:49
  • 1
    As Jay Blanchard said, **please don't use MySQL functions**, use **MySQLi instead.** – AStopher Oct 07 '14 at 15:52
  • Read up on DELETE >>> http://dev.mysql.com/doc/refman/5.0/en/delete.html – Funk Forty Niner Oct 07 '14 at 15:52
  • Just a side note, apart from everything said: the `@` operator suppress any error related to the query, therefore you shouldn't use it if you're not sure if the query is working. Don't use mysql_* anyway, as already said above. – briosheje Oct 07 '14 at 15:53
  • This also seems like a weird delete function. Why would you delete the customer along with an order? Can a customer not have multiple orders? You should also consider deleting across a join such that the delete succeeds/fails atomically. – Mike Brant Oct 07 '14 at 15:53
  • This looks [terrifyingly insecure](http://bobby-tables.com/). You must be absolutely **certain** your user parameters are [properly escaped](http://bobby-tables.com/php). If this is on the public internet you are at severe risk and this should be patched immediately. – tadman Oct 07 '14 at 15:59

2 Answers


For MySQL the DELETE command has the syntax:

DELETE FROM <table> where ....
Denis Kohl

In SQL, using the * symbol is a major threat for yourself and the app. Secondly, I would recommend implementing a system that does not delete data off your DB but changes the state (i.e. state: 0 'inactive', 1 'active', 2 'removed') and so on. You just never know when you might need this data that you remove.

Also, you use @ in front of your mysql_query, which basically skips all the errors, and you just don't know whether the query worked or not and, if not, why.....

Lastly, I would strongly suggest you stop using mysql; it is not supported any more, massive threat. Check mysqli or PDO at least...

Hope this info helps

  • Using `*` is only a problem here because it's not how you use `DELETE`. – tadman Oct 07 '14 at 16:00
  • *"check mysql or PDO at least..."* - that should be `mysqli` - this is what you should be telling the OP instead: Your present code is open to [**SQL injection**](http://stackoverflow.com/q/60174/). Use [**`mysqli` with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO with prepared statements**](http://php.net/pdo.prepared-statements). – Funk Forty Niner Oct 07 '14 at 16:02
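Pulling the advice from both answers and the comments together, here is an added example of how cancel.php could look (this is not the OP's code and not from either answerer): correct DELETE syntax, mysqli with prepared statements instead of interpolated `$_REQUEST` values, errors reported instead of suppressed with `@`, the customer row left alone, and the order rows removed atomically in one transaction. The table and column names (`orders(serial, orderid, email)`, `order_detail(orderid)`) and the connection credentials are assumptions.

```php
<?php
// Added example, not the OP's code. Assumed schema: orders(serial, orderid, email)
// and order_detail(orderid). Credentials below are placeholders.
declare(strict_types=1);
session_start();

// Throw exceptions on MySQL errors instead of hiding them with '@'.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'shop_user', 'placeholder-password', 'shop');

// The e-mail comes from the session, never from the URL, so a user can only
// cancel their own orders. (A state-changing action like this should really be
// a POST form with a CSRF token rather than a GET link; kept as GET to match the OP.)
if (empty($_SESSION['email'])) {
    http_response_code(403);
    exit('Login required');
}
$email   = $_SESSION['email'];
$orderid = filter_input(INPUT_GET, 'orderid', FILTER_VALIDATE_INT);
$serial  = trim((string) filter_input(INPUT_GET, 'serial'));
if ($orderid === null || $orderid === false || $serial === '') {
    http_response_code(400);
    exit('Missing or invalid order reference');
}

$db->begin_transaction();
try {
    // Delete the order lines across a join so only lines belonging to an order
    // owned by this user are touched (the ownership check is part of the SQL).
    $lines = $db->prepare(
        'DELETE d FROM order_detail d JOIN orders o ON o.orderid = d.orderid
         WHERE o.orderid = ? AND o.`serial` = ? AND o.email = ?'
    );
    $lines->bind_param('iss', $orderid, $serial, $email);
    $lines->execute();

    // Now the order itself: note "DELETE FROM", no "*". If the soft-delete approach
    // from the second answer is preferred, this becomes UPDATE orders SET state = 2 ...
    $order = $db->prepare('DELETE FROM orders WHERE orderid = ? AND `serial` = ? AND email = ?');
    $order->bind_param('iss', $orderid, $serial, $email);
    $order->execute();
    if ($order->affected_rows !== 1) {
        throw new RuntimeException('No such order for this user'); // rolls back the lines too
    }
    $db->commit();
    echo 'Order cancelled';
} catch (Throwable $e) {
    $db->rollback();
    error_log('cancel.php failed: ' . $e->getMessage()); // details go to the log, not the browser
    http_response_code(500);
    echo 'Could not cancel order';
}
```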