
I've got a problem... I'm currently working on a PHP website and I want to make it possible for a user to delete stuff from my table just by giving the name of a "Team" (it's about e-sports). It does not give me any errors, but it won't delete anything. So when the user types in, let's say, "a" and clicks on "Löschen", it should delete it.

Here is my code:

```php
if(isset($_POST['del'])){
  $name = $_POST['name'];
  $spiel = $_POST['spiel'];
  $sql = "delete from thorstenschluet_ESports.AmateurTeam where '$name' = AmateurTeam.Name";
  $db_erg = mysqli_query($conn, $sql);
}
```

and my table looks like this:

Name Spiel

Thorte
  • Have you tried running the same command from within MySQL? Also have you printed / debugged to see if your variables $name and $spiel have values coming in? (Make sure they are not empty). – CP3O Feb 13 '18 at 18:51
  • `where '$name'` that for one thing is a sign of a bad design. – Funk Forty Niner Feb 13 '18 at 18:54
  • Yes I tried it in SQL and it works – Thorte Feb 13 '18 at 19:02
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Feb 13 '18 at 19:26
  • **DO NOT** accept column names as user input and use them in queries without strictly white-listing acceptable values. Never use the user value directly in the query, only a matching value from a white-listed table. Consider the user data permanently tainted. – tadman Feb 13 '18 at 19:26
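
The parameterized form that the comments above point to, as an added example that is not part of the original thread. It assumes the table and column names from the question; the `deleteTeam` helper and the `DB_HOST`/`DB_USER`/`DB_PASSWORD` connection values are hypothetical placeholders.

```php
<?php
// Added example. Table and column names come from the question;
// deleteTeam() and the connection values are hypothetical placeholders.

// Make mysqli throw exceptions so a failing statement is never silent.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Delete every team with exactly this name and return the number of rows removed.
 */
function deleteTeam(mysqli $conn, string $name): int
{
    // The SQL text is fixed; the user value travels separately as a bound
    // parameter, so quotes or SQL keywords in $name cannot alter the statement.
    $stmt = $conn->prepare(
        'DELETE FROM thorstenschluet_ESports.AmateurTeam WHERE Name = ?'
    );
    $stmt->bind_param('s', $name);   // 's' = bind as string
    $stmt->execute();
    $deleted = $stmt->affected_rows; // 0 means the statement ran but matched nothing
    $stmt->close();
    return $deleted;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['del'])) {
    $name = $_POST['name'] ?? '';

    // Reject missing, empty or non-string input (e.g. name[]=x arrives as an array).
    if (!is_string($name) || trim($name) === '') {
        http_response_code(400);
        exit('Team name is required.');
    }

    $conn = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'thorstenschluet_ESports');
    $conn->set_charset('utf8mb4');

    $deleted = deleteTeam($conn, $name);
    echo $deleted > 0
        ? "Deleted $deleted team(s)."
        : 'No team with that name was found.';
}
```

Reporting `affected_rows` separates "the query ran but matched no row" from "the query failed", which is the distinction the symptom in the question hides.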

0 Answers