MySQL DELETE statement not recognizing an empid number from PHP $id variable

Question

I am trying to allow DELETE-ion of employees in a database. I have stored the query string being passed into a variable named $id. When I run my SQL DELETE statement, it echo's out but is not echo-ing or recognizing the $id variable I instantiated. Any ideas?

PHP

//QUERY STRING
"<td><a href='delete.php?id=" . $row['empid']  . "'>Delete</a></td>" .

//ID VARIABLE
 $id = (isset($REQUEST['id']) ? $_REQUEST['id'] : '');

SQL

//SQL STATEMENT
$sql = "DELETE FROM employees WHERE empid= '" . $id . "';";

//WHAT ECHOS OUT IS BELOW
echo($sql);

//RUN SQL Command
mysqli_query($connect,$sql) or die(mysql_error());
print("User " . $id . " deleted from the database.");
print("Return to <a href='index.php'>Return To Main Page</a>");

DELETE FROM employees WHERE empid= '';

When I click delete from the index.php the employee I tried to delete is still there.

I don't see where and how you executed the query and which api is used. All you did was echo the query. — Funk Forty Niner, Aug 12 '18 at 17:48
now you edited; that error function won't work with the mysqli_ api. I think the array is empty. — Funk Forty Niner, Aug 12 '18 at 17:49
Oh I see now; it's an undefined index issue here. Error reporting would have told you about it. — Funk Forty Niner, Aug 12 '18 at 17:50
I am new to MySQL, how do I ensure I have error reporting 'on'? — CodeConnoisseur, Aug 12 '18 at 17:51
just add these lines in php code " error_reporting(E_ALL); ini_set('display_errors', '1');" — Parikshit Sharma, Aug 12 '18 at 17:52
Also this before you connect to the database: `mysqli_report(MYSQLI_REPORT_ALL);` See http://php.net/manual/en/mysqli-driver.report-mode.php — Bill Karwin, Aug 12 '18 at 17:53
You should delete data only in a POST request, not in a GET request. Keep in mind search engines will follow links to GET requests. Get ready for all your data to be deleted by Google as it indexes your site! — Bill Karwin, Aug 12 '18 at 17:54
You also have an SQL injection vulnerability in your code (like most new programmers). See https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — Bill Karwin, Aug 12 '18 at 17:56
@Bill Karwin, this is really good to know, I will change to POST! I appreciate you imparting extra knowledge, I will definitely remember this. — CodeConnoisseur, Aug 12 '18 at 17:56
I inserted the Error checking code mentioned to me above and now I am receiving a ton of errors when I run the code: Uncaught exception 'mysqli_sql_exception' with message 'No index used in query/prepared statement............ I am looking into this now...Rabbit Hole for new programmers lol — CodeConnoisseur, Aug 12 '18 at 18:04

score 3 · Accepted Answer · answered Aug 12 '18 at 17:48

3

You need to change this line

$id = (isset($REQUEST['id']) ? $_REQUEST['id'] : '');

to

$id = (isset($_REQUEST['id']) ? $_REQUEST['id'] : '');

answered Aug 12 '18 at 17:48

Simon R

3,732
4
31
39

Yep that was it. Thanks Simon! – CodeConnoisseur Aug 12 '18 at 17:50

MySQL DELETE statement not recognizing an empid number from PHP $id variable

1 Answers1