
I made an application for a taxi service with PHP and MySQL, and I use PDO for connecting. I set up an admin panel and wrote a delete query to delete unwanted price records according to their priceid. But lately I lose all price data (the table becomes empty), sometimes without any action from the admin. Please check my delete query page code below. Thank you for your time.

<?php
// inc/database.php is expected to define $DB_con (a PDO connection) and
// $user (an object with a cleaninput() method); inc/header.php renders the admin page.
ob_start();
include 'inc/database.php';
include 'inc/header.php';

if (isset($_GET['getid'])) {
    $getId = $user->cleaninput($_GET['getid']);
} else {
    header("Location:prices.php");
    exit; // stop here; otherwise the script keeps running after the redirect
}

if (!empty($getId) && is_numeric($getId)) {
    // NOTE: $getId is concatenated into the SQL text instead of being bound as a
    // parameter, so prepare() gives no injection protection for this statement.
    $adData = $DB_con->prepare("DELETE FROM price_data WHERE price_ID=" . $getId . " LIMIT 1");
    $adData->execute();
    header("Location:prices.php");
    exit;
} else {
    header("Location:prices.php");
    exit;
}
Kavi
  • I wouldn't depend on `cleaninput` to make your data safe. Use a prepared statement properly and pass `$getId` as a parameter. With your code in its current form, if `price_ID` as the `getid` value can pass through `cleaninput`, you will have all your data deleted. Parameterized prepared statements will prevent this. – danblack Feb 19 '20 at 04:27
  • Thank you. So do you mean `$adData->bindparam(":getid",$getId);`? – Kavi Feb 19 '20 at 04:32
  • Yep, and include `:getid` in your prepared query, obviously. It doesn't totally explain your scenario, but it's one way to prevent it. And I missed the `is_numeric` check, but even so, putting the prepared statement protection against SQL injection in place is easier than engineering checks for every query. – danblack Feb 19 '20 at 04:40
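The hardened version of the delete page that the comments describe, written out as an added example (this is not the asker's code and not anything danblack posted). It assumes, as the original does, that `inc/database.php` defines `$DB_con` as a PDO connection to the same MySQL database and that `inc/header.php` performs the admin session check; the `redirectToPrices()` helper and the `:price_id` placeholder name are my own choices. Beyond binding the id, it validates with `FILTER_VALIDATE_INT` rather than `is_numeric()` (which also accepts `"1.5"`, `"1e3"` and leading whitespace), accepts deletes only over POST (a GET delete link can be followed by link prefetchers and crawlers and is trivially triggered cross-site), turns on PDO exceptions so a failed DELETE cannot fail silently, and logs `rowCount()` so there is an audit trail the next time rows disappear:

```php
<?php
// Added example of a parameterized delete page; not the original post's code.
// Assumes inc/database.php defines $DB_con (PDO) and inc/header.php checks the admin session.
declare(strict_types=1);

require 'inc/database.php';
require 'inc/header.php';

// Throw on every database error instead of returning false silently.
$DB_con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use real server-side prepared statements rather than client-side emulation.
$DB_con->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Hypothetical helper: every exit path goes through one redirect that really stops.
function redirectToPrices(): void
{
    header('Location: prices.php');
    exit; // nothing after a redirect should keep executing
}

// Destructive actions only via POST, never via a GET link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    redirectToPrices();
}

// FILTER_VALIDATE_INT returns an int or false; min_range rejects 0 and negatives.
// filter_var(null, ...) is also false, so a missing field falls through to the redirect.
$priceId = filter_var(
    $_POST['getid'] ?? null,
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($priceId === false) {
    redirectToPrices();
}

// The id is sent as a bound parameter, so it can never alter the SQL text:
// the WHERE clause is fixed at prepare() time, whatever getid contained.
$stmt = $DB_con->prepare(
    'DELETE FROM price_data WHERE price_ID = :price_id LIMIT 1'
);
$stmt->bindValue(':price_id', $priceId, PDO::PARAM_INT);
$stmt->execute();

// rowCount() is 0 or 1 here; record it so unexplained deletions leave a trace.
error_log(sprintf('price_data delete id=%d rows=%d', $priceId, $stmt->rowCount()));

redirectToPrices();
```

For this to work, the delete control on `prices.php` has to be a small POST form carrying `getid` (with a CSRF token if the rest of the admin panel uses them) instead of an `<a href="delete.php?getid=...">` link. The `LIMIT 1` on the DELETE is MySQL syntax, as in the original; with the id bound as an integer it is a belt-and-braces guard rather than the only thing standing between one row and the whole table.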

0 Answers