Wrong query in SQL when passing variables through $_GET

Question

Here is the query:

$table = $_GET['type'];
$q="DELETE FROM '$table' WHERE cont_id='".$_GET['where']."'";

I also tried removing the single/double quotes on the $_GET part, but didn't work. I'm printing the values of my variables before executing the query and they are right so I don't think that's the problem.

Any ideas?

Your code is very vulnerable to injection. You should switch to using [prepared statements](http://php.net/manual/en/pdo.prepared-statements.php). — Ben, Jan 14 '16 at 10:42

Pupil · Accepted Answer · 2016-01-19T11:04:54.687

2

Database table names should not be enclosed with single quotes.

Corrected SQL:

$q="DELETE FROM $table WHERE cont_id='".$_GET['where']."'";

Tables and field names can be enclosed with backticks (`) to avoid clashes with

MySQL reserved keywords.

In that case, corrected SQL should be:

$q="DELETE FROM `$table` WHERE `cont_id` = '".$_GET['where']."'";

Also, do not trust input from user.

This can cause security vulnerability.

use mysqli_real_escape_string() for $_GET['where']

edited Jan 19 '16 at 11:04

answered Jan 14 '16 at 10:41

Pupil

23,834
6
44
66

It's good practice to enclose variables with single quotes `'` and table names with backticks `\`` – Ben Jan 14 '16 at 10:43
That makes sense, thanks! I was confused with the backticks and single quotes. – user3484582 Jan 14 '16 at 13:12

score 2 · Answer 2 · answered Jan 14 '16 at 10:44

2

In you want quote table name you had to use symbol "`"

$table = $_GET['type'];
$q="DELETE FROM `$table` WHERE cont_id='".$_GET['where']."'";

answered Jan 14 '16 at 10:44

KLin

479
2
10

score 1 · Answer 3 · answered Jan 14 '16 at 10:43

1

$table = $_GET['type'];
$q="DELETE FROM $table WHERE cont_id='".$_GET['where']."'";

OR

$table = $_GET['type'];
$q="DELETE FROM `$table` WHERE cont_id='".$_GET['where']."'";

answered Jan 14 '16 at 10:43

Shailesh Katarmal

2,757
1
12
15

Wrong query in SQL when passing variables through $_GET

3 Answers3