
I've made a delete button and I want that whenever it gets pressed it deletes a 'reservation' in my database. This is my code:

require_once"database.php";
if(isset($_POST["verwijderen"])) {
    $email = ($_SESSION["userId"]);
    $delete = mysql_query("DELETE FROM reserveringen WHERE Email = $email ");
}

verwijderen is the name of my delete button. $email gives me the email of the person who's logged in and $delete is the query. reserveringen is my table name and email is the column's name. I've tried this but it isn't working. $email does give me the email of the logged in person (I've checked it with echo($email)).

Edit: full code:

<?php
session_start();

$loggedIn = "";
if (isset($_SESSION["loggedIn"])) {
    $loggedIn = $_SESSION["loggedIn"];
} else {
    header('Location:reserveringssysteeminloggen.php');
}
$email = ($_SESSION["userId"]);


require_once"database.php";
if(isset($_POST["verwijderen"])) {
    $email = ($_SESSION["userId"]);
    $result = mysql_query("DELETE FROM reserveringen WHERE Email = '$email' ");
}

?>
Max
    Make sure you started your session before you use it with: `session_start();` Also put quotes around `$email` like `'$email'` in your SQL Statement – Rizier123 Jan 24 '15 at 17:26
  • 3
    "It isn't working". What's happening? Does your server explode? Does it make weird noises? Does it crash the users browser? Do you get a log message? An error? A warning? A notice? Is anything inside of your logs? Does it convince you that people can help you without any information? Does it prevent your SQL injection? Whenever you have SQL query problems, always echo the query and check if it looks right. – h2ooooooo Jan 24 '15 at 17:27
  • **Warning**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). – Quentin Jan 24 '15 at 17:27
  • I've put session_start(); in front of it and I've also put quotes around $email. Still not working. – Max Jan 24 '15 at 17:28
  • @Max Please show us your entire code! And add error reporting at the top of your file! (``) And tell us the exact error messages – Rizier123 Jan 24 '15 at 17:29
  • @h2ooooooo by not working I mean that it's not deleting the row inside my database. I'm not getting any errors. – Max Jan 24 '15 at 17:41
  • @Rizier123 I've put the entire code in my post. I've also added the error reporting and the only error I got was this. Deprecated: mysql_query(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in – Max Jan 24 '15 at 17:45
  • @Max You get that error because the mysql extension is deprecated and will be removed in the future and you should in fact use mysqli or PDO instead. You'll figure out that `mysql_query` returns false, and you need to check `mysql_error`. – h2ooooooo Jan 24 '15 at 18:07
  • @h2ooooooo I've changed it to this: require_once"database.php"; if(isset($_POST["verwijderen"])) { $mysqli = new mysqli("localhost", "root", "", "reserveringssysteem"); $email = ($_SESSION["userId"]); $delete = $mysqli->query("DELETE FROM reserveringen WHERE Email = '$email')"); } It's still not deleting the row in my database though. – Max Jan 24 '15 at 18:22
  • @Max You still need to use prepared statements and bind your variables. `WHERE Email = '$email` is **wrong**. Use `WHERE Email = ?` and bind the variable. – h2ooooooo Jan 24 '15 at 18:24
  • @h2ooooooo sorry for being such a noob at PHP. I haven't been doing it for long. But do I actually have to write the questionmark? and what exactly do you mean by bind the variable? – Max Jan 24 '15 at 18:27
  • @Max No worries - we're just letting you know before you accidentally get a less nice person abusing your system. Look at the example in the [manual](http://php.net/manual/en/mysqli-stmt.bind-param.php). It should explain it. – h2ooooooo Jan 24 '15 at 18:29

3 Answers


SQL uses single quotes (') to denote string literals, which you are currently missing:

$delete = mysql_query("DELETE FROM reserveringen WHERE Email = '$email'");

EDIT:
Obligatory warnings:

  1. mysql_query is deprecated, please consider either mysqli or PDO.
  2. This approach is vulnerable to SQL injection attacks. Consider using a prepared statement.
Mureinik

Add quotes around $email like:

$delete = mysql_query("DELETE FROM reserveringen WHERE Email = '$email' ");

Note aside: Your query is vulnerable to SQL Injection. You may consider using a prepared statement.

SMA

First of all, don't use mysql_query, it is deprecated. PDO::Mysql is the new standard to use, it is also much safer to use because of the prepared statement (and bindParam). This will safeguard you against SQL injections. It will also automatically place your string correctly into the SQL query.

$pdo = new PDO('mysql:host=localhost;dbname=DATABASENAME', "USERNAME", "PASSWORD");
if(isset($_POST["verwijderen"])){
    $email = $_SESSION["userId"]; // requires session_start() earlier in the script
    $sql = "DELETE FROM reserveringen WHERE Email = :email";
    $stmt = $pdo->prepare($sql);
    $stmt->bindParam(':email', $email, PDO::PARAM_STR); // value is bound, never spliced into the SQL text
    $stmt->execute();
}
Tom
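The answers above and the comments under the question make three separate points: the value needs quoting, the query is open to SQL injection unless the email is bound as a parameter, and a query that silently returns false (or deletes zero rows) tells you nothing unless you check for it. The following is an added example, not code from the question or any of the answers, that puts those points together in one PDO delete handler. It assumes the table and column names from the question (reserveringen, Email), the session keys loggedIn and userId, and placeholder DSN credentials (DATABASENAME, USERNAME, PASSWORD) that you would replace with your own.

```php
<?php
// Added example (not from the question or the answers): the delete handler with a
// prepared statement, exception-based error reporting and an affected-row check.
// Assumptions: table reserveringen, column Email, session keys loggedIn/userId,
// and placeholder credentials in the DSN.
session_start();

if (!isset($_SESSION["loggedIn"], $_SESSION["userId"])) {
    header('Location: reserveringssysteeminloggen.php');
    exit; // without exit, the rest of the script still runs for anonymous visitors
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=DATABASENAME;charset=utf8mb4', // placeholders
    'USERNAME',
    'PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION] // throw instead of silently returning false
);

/**
 * Delete every reservation that belongs to $email and return how many rows were removed.
 * The email travels as a bound parameter, so it is never spliced into the SQL text and
 * needs no manual quoting.
 */
function deleteReservations(PDO $pdo, string $email): int
{
    $stmt = $pdo->prepare('DELETE FROM reserveringen WHERE Email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->rowCount();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['verwijderen'])) {
    try {
        $deleted = deleteReservations($pdo, $_SESSION['userId']);
        if ($deleted === 0) {
            // The statement ran without error but matched nothing: usually a value
            // mismatch (trailing whitespace, different case, wrong column), not a DB failure.
            $message = 'No reservation found for this email address.';
        } else {
            $message = "$deleted reservation(s) deleted.";
        }
    } catch (PDOException $e) {
        error_log('Delete failed: ' . $e->getMessage()); // keep driver details in the log
        $message = 'Deleting the reservation failed.';
    }
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```

The rowCount() check is what the original question was missing: with the old mysql_query call a malformed query returned false and nothing reported it, and a well-formed query that matched no row looked identical to a successful delete. Turning on ERRMODE_EXCEPTION covers the first case and rowCount() covers the second, so "it isn't working" becomes a concrete log line or a zero-row message instead of silence.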