Currently I have an external PHP script trying to delete a row from the blog table; this should be done by the id variable pulled via the POST method. Current code:

    <?php
    include 'dbconnection.php';

    $id = $_POST['id'];

    $query = "DELETE FROM 'blog' WHERE id = $id";

    if (mysqli_query($conn, $query)) {
        header("location: adminDeleteComplete.php");
    } else {
        header("location: adminDeleteFailed.php");
    }
    ?>

HTML section:

    <form method="post" action="adminDeleter.php">
        <input type="text" name="id" placeholder="ID" value="<?php echo $id ?>">
        <input type="text" name="title" placeholder="Title" value="<?php echo $title ?>">
        <input type="text" name="subtitle" placeholder="Subtitle" value="<?php echo $subtitle ?>" required>
        <textarea name="message" required><?php echo $content ?></textarea>
        <button class="SUB">Delete Post!</button>
    </form>

Can anyone explain what I'm doing wrong? I understood and completed the add and update sections of the blog website, but for some strange reason it won't delete.

  • Any error message received? – Eray Balkanli Feb 02 '18 at 14:00
  • The css tag is really not required here. – Enrico Lund Feb 02 '18 at 14:01
  • Joke mode on: It is a new feature in PHP: automatic protection against SQL injection. – KIKO Software Feb 02 '18 at 14:02
  • @EnricoLund Sorry, force of habit :D – EvilChewwie Feb 02 '18 at 14:02
  • The fundamental problem: where are you logging the error if you are redirecting on error? – Ctznkane525 Feb 02 '18 at 14:03
  • Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any `mysqli_` errors to generate an Exception that you can see in the browser, and other errors will also be visible in your browser. – RiggsFolly Feb 02 '18 at 14:04
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Feb 02 '18 at 14:05
  • Columns should be surrounded with backticks, not single quotes. – aynber Feb 02 '18 at 14:06
  • @ErayBalkanli Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''blog' WHERE id = '4'' at line 1 in website(12): mysqli_query(Object(mysqli), 'DELETE FROM 'bl...') #1 {main} thrown in website on line 12 – EvilChewwie Feb 02 '18 at 14:12
  • ^ Yep, answered by one of the dupes and at least one of the comments. – Jay Blanchard Feb 02 '18 at 14:13
  • @KIKOSoftware We can dream... – Jacob H Feb 02 '18 at 14:20

1 Answer
Try using prepared statements, as they prevent SQL injection attacks.

I have added the variables for the connection at the top of the page. You can add these to your dbconnection.php file and include it at the top, just like in your original post.

    <?php

    // add your own details
    $servername = "";
    $username = "";
    $password = "";
    $dbname = "";

    // Only accept a positive integer id; anything else never reaches the database
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id === null) {
        header("Location: adminDeleteFailed.php");
        exit;
    }

    try {
        $conn = new PDO("mysql:host=$servername;dbname=$dbname;charset=utf8mb4", $username, $password);
        // set the PDO error mode to exception
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // let the server prepare the statement instead of PDO emulating it client-side
        $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

        // prepare sql and bind parameters (table name without single quotes)
        $stmt = $conn->prepare("DELETE FROM blog WHERE id = :id");

        // binding the :id with your validated $id variable from the POST
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();

        // if successful; exit so nothing is output after the redirect header
        header("Location: adminDeleteComplete.php");
        exit;

    } catch (PDOException $e) {

        // error handling: log the cause server-side, never echo it to the visitor
        error_log("Delete failed: " . $e->getMessage());
        header("Location: adminDeleteFailed.php");
        exit;

    }
  • newMedicine.php? Something here smells sockpuppety to me. – Jay Blanchard Feb 02 '18 at 14:11
  • @JayBlanchard Accidentally added that. Updated code. – Ibrahim Hafiji Feb 02 '18 at 14:12
  • All you did was rewrite it with another API and remove something from the query. What the OP and everyone else needs to know is "why". There is a reason why their code failed, you know. – Funk Forty Niner Feb 02 '18 at 14:12
  • Can you edit this code to be more tidy? Can you actually explain to the OP why they should use this? What the changes are and why you made them? – Jay Blanchard Feb 02 '18 at 14:12
  • @FunkFortyNiner Actually, I did not copy it from anywhere else. It was from a personal project I was working on. The OP's question was like for like something I had written. If you want proof, I can show you my project :) – Ibrahim Hafiji Feb 02 '18 at 14:14
  • I never accused you of copying anything; there is a reason why their code failed and it should be outlined in the answer. @IbrahimHafiji – Funk Forty Niner Feb 02 '18 at 14:14
  • No proof needed, just an explanation of what you did and why you did it. A ***good answer*** will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. – Jay Blanchard Feb 02 '18 at 14:14
  • BTW, you're outputting before header, did you know that? So that is failing here. – Funk Forty Niner Feb 02 '18 at 14:15
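An added example, not part of the question or the answer above, to make the injection comments concrete. It runs the question's concatenated `DELETE` and the answer's bound-parameter version side by side against an in-memory SQLite database through PDO (chosen so it runs without a MySQL server; the `blog` table and its four rows are constructed here, and the function names `makeBlogDb`, `countRows`, `deleteUnsafe` and `deleteSafe` are this example's own), feeding both the constructed attacker value `4 OR 1=1` in the `id` field. The concatenated version empties the table, because the value is parsed as SQL; the bound version rejects the value before it reaches the database and, given a plain `4`, removes exactly one row.

```php
<?php
// Added example (not from the original question or answer): the question's
// string-built DELETE beside a validated, bound-parameter DELETE.
// In-memory SQLite via PDO so it runs offline; table and rows are constructed.

function makeBlogDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO blog (id, title) VALUES (1, 'first'), (2, 'second'), (3, 'third'), (4, 'fourth')");
    return $db;
}

function countRows(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM blog')->fetchColumn();
}

// Vulnerable: the posted id is pasted into the SQL text, as in the question's script.
// "4 OR 1=1" becomes "DELETE FROM blog WHERE id = 4 OR 1=1" and matches every row.
function deleteUnsafe(PDO $db, string $id): void
{
    $db->exec("DELETE FROM blog WHERE id = $id");
}

// Hardened: validate as a positive integer, then bind it, so the value can only
// ever be a number and never alters the statement's structure.
function deleteSafe(PDO $db, string $id): bool
{
    $int = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($int === false) {
        return false; // refused before it gets anywhere near the database
    }
    $stmt = $db->prepare('DELETE FROM blog WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

$payload = '4 OR 1=1'; // constructed attacker input for the id field

$db = makeBlogDb();
deleteUnsafe($db, $payload);
echo "unsafe delete with '$payload', rows left: " . countRows($db) . PHP_EOL;

$db = makeBlogDb();
echo "safe delete with '$payload' accepted: " . var_export(deleteSafe($db, $payload), true) . PHP_EOL;
echo "safe delete with '4' accepted: " . var_export(deleteSafe($db, '4'), true) . PHP_EOL;
echo "safe path, rows left: " . countRows($db) . PHP_EOL;
```

Run it with `php example.php` (requires the pdo_sqlite extension, which most PHP builds ship). Validating the id as an integer before binding is what gives the answer's complete/failed redirects a clear meaning: a non-numeric id is refused up front instead of turning into a syntax error or, worse, a query that still parses and deletes more than intended.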