HTTP Delete Request to MYSQL with user ID variable

Question

Hi I am trying to delete a record from a table within MYSQL database with a where clause. this is what I have so far but its not working, and im not sure how to go about it. Is there a way to make this work? I have included my delete method and php file code.

my URL -

 deleteCompletedGoal=("http://10.0.2.2/deleteCompletedGoalAddress.php?user_goal_id="+completed_goalID);

my code -

 private void deleteNonActiveGoal(){
        try {
            URL url = new URL(deleteCompletedGoal);
            HttpURLConnection http = (HttpURLConnection) url.openConnection();
            http.setRequestMethod("POST");
            http.setRequestProperty("X-HTTP-Method-Override", "DELETE");
            http.setDoInput(true);
            http.setDoOutput(true);

            OutputStream ops = http.getOutputStream();
            BufferedWriter writer = new BufferedWriter(new OutputStreamWriter(ops, "UTF-8"));
            String data = URLEncoder.encode("user_goal_id", "UTF-8") + "=" + URLEncoder.encode(completed_goalID, "UTF-8") + "&&";

            writer.write(data);
            writer.flush();
            writer.close();
            ops.close();

            InputStream ips = http.getInputStream();
            BufferedReader reader = new BufferedReader(new InputStreamReader(ips, "ISO-8859-1"));

            String line;
            while ((line = reader.readLine()) != null) {
                result += line;
            }
            reader.close();
            ips.close();
            http.disconnect();

        }
        catch (MalformedURLException e) {
            result = e.getMessage();
        } catch (IOException e) {
            result = e.getMessage();
        }

    }

PHP file:

<?php
require "connection.php";

$completed_goalID=$_POST["user_goal_id"];


$mysql_qry = "DELETE from user_goals WHERE user_goal_id ='$completed_goalID'";

if($conn->query($mysql_qry) === TRUE) {
echo "delete successful";
}
else{
echo "delete failed";
}
$conn->close();
?>

[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, Mar 04 '20 at 13:32
Pretty sure this is a case for "undefined index". You're using a GET method for URL retrieval but POST the index. — Funk Forty Niner, Mar 04 '20 at 13:33
@JayBlanchard Too bad I couldn't ship you another via the *"Beam me up Scotty"* mosheen ;-)) — Funk Forty Niner, Mar 04 '20 at 13:35
@Kasia you need to get in the habit of [accepting answers](http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work) which help you to solve your issues. You'll earn points and others will be encouraged to help you. — Jay Blanchard, Mar 04 '20 at 13:40
I have changed the http Request method to Get and same in the php file but still no luck — Kasia Kaplińska, Mar 04 '20 at 13:44

score 0 · Accepted Answer · answered Mar 04 '20 at 13:34

0

Since you are sending the variable in the query string you would use GET instead of POST. Change:

 $completed_goalID=$_POST["user_goal_id"];

to

$completed_goalID=$_GET["user_goal_id"];

WARNING

Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe!

answered Mar 04 '20 at 13:34

Jay Blanchard

34,243
16
77
119

@KasiaKaplińska are you getting any errors in your error logs? – Jay Blanchard Mar 04 '20 at 14:33

score 0 · Answer 2 · answered Mar 04 '20 at 13:43

Use $_GET for catch variable from url like:

$completed_goalID=$_GET["user_goal_id"];

Change query for prevent sql attack (Reference) like:

 <?php
    require "connection.php";

    $completed_goalID=$_POST["user_goal_id"];


    $mysql_qry = $conn->prepare("DELETE from user_goals WHERE user_goal_id=?");
    $mysql_qry->bind_param('i',$completed_goalID);
    if($mysql_qry->execute() === TRUE){

    echo "delete successful";
    }
    else{
    echo "delete failed";
    }
   $mysql_qry->close();
    $conn->close();
    ?>

HTTP Delete Request to MYSQL with user ID variable

2 Answers2