mysql_query("DELETE FROM cart WHERE ItemId=$ItemId");

There is the code but the result in my database is that the ID number changes
from, let's say, 77 to 78 with 78's contents being empty. Therefore when I
look at the results - the deleted ID77 is gone but now I have ID78 with no
content!

Does anyone know why and how do I make it stop?

Michael
de Beers wrote:
> mysql_query("DELETE FROM cart WHERE ItemId=$ItemId");
>
> There is the code but the result in my database is that the ID number changes
> from, let's say, 77 to 78 with 78's contents being empty. Therefore when I
> look at the results - the deleted ID77 is gone but now I have ID78 with no
> content!
>
> Does anyone know why and how do I make it stop?

Your SQL query doesn't create a new empty row; you may have a bad if-statement
that makes your INSERT query run while you are deleting.

//Aho
"de Beers" <fdgdf@yahoo.ca> wrote in message
news:T4aWc.7150$_H5.94122@news20.bellglobal.com...
> mysql_query("DELETE FROM cart WHERE ItemId=$ItemId");

Gah!!!

Always use the mysql connection id, and ALWAYS test database (and all other
IO) operations for errors!

$result = mysql_query("DELETE FROM cart WHERE ItemId='$ItemId'", $conn);
if (!$result || mysql_error($conn))
{
    echo "Something went wrong with deleting this record: " .
        mysql_error($conn);
    exit;
}

ALWAYS delimit items in a SQL system using '. Otherwise you may be
vulnerable to SQL injection:

removefromcart.php?PHPSESS=474984743&id=78;DROP%20cart;

> There is the code but the result in my database is that the ID number changes
> from, let's say, 77 to 78 with 78's contents being empty. Therefore when I
> look at the results - the deleted ID77 is gone but now I have ID78 with no
> content!

See Aho's comments
Hi CJ;

I am pretty new to php and mysql.

"CJ Llewellyn" <satest@tmslifeline.com> wrote in message
news:cgc900$cb$1@slavica.ukpost.com...
> ALWAYS delimit items in a SQL system using '. Otherwise you may be
> vulnerable to SQL injection
>
> removefromcart.php?PHPSESS=474984743&id=78;DROP%20cart;

Could you explain this in a little more detail please?

TIA.

Charles...
"Charles Crume" <cc@charlescrumesoftware.com> wrote in message
news:FaIWc.225438$fv.173522@fe2.columbus.rr.com...
> Hi CJ;
>
> I am pretty new to php and mysql.
>
> "CJ Llewellyn" <satest@tmslifeline.com> wrote in message
> news:cgc900$cb$1@slavica.ukpost.com...
>
> Could you explain this in a little more detail please?

You are passing raw data from the browser to your SQL statements. Supposing
I was a maladjusted twat, intent on making other people's lives miserable, I
could add SQL commands onto the end of a variable and effectively run my own
sql statements, such as a command to delete your cart database.
CJ Llewellyn <satest@tmslifeline.com> wrote or quoted:
> ALWAYS delimit items in a SQL system using '. Otherwise you may be
> vulnerable to SQL injection
>
> removefromcart.php?PHPSESS=474984743&id=78;DROP%20cart;

Also, make sure the string you are inserting does not itself contain your
delimiter ;-)
--
__________
|im |yler http://timtyler.org/ tim@tt1lock.org Remove lock to reply.
"Tim Tyler" <tim@tt1lock.org> wrote in message news:I2zwKA.5vt@bath.ac.uk...
> CJ Llewellyn <satest@tmslifeline.com> wrote or quoted:
>
> Also, make sure the string you are inserting does not itself contain
> your delimiter ;-)

that's what magic quotes are for shirley? ;-)
CJ Llewellyn <satest@tmslifeline.com> wrote:
> that's what magic quotes are for shirley? ;-)

You're being a little presumptuous. The guy only showed you one line of code
and you're drilling him on the lines you assume are _not_ surrounding that
one line. Maybe he gets the ID from his own code and doesn't need the delim
for security. Maybe he already does error checking or doesn't care if the
statement fails. And besides, maybe he doesn't like magic quotes (like me)
because he doesn't like things to go on without explicitly telling them to.

I know you're being helpful, but I guess the main thing that bothers me is
the "Gah!!!" and the several capitalized "ALWAYS"s.
--
eth'nT
"CJ Llewellyn" <satest@tmslifeline.com> wrote in message
news:cgfq32$6kk$1@slavica.ukpost.com...
> "Charles Crume" <cc@charlescrumesoftware.com> wrote in message
> news:FaIWc.225438$fv.173522@fe2.columbus.rr.com...
>
> You are passing raw data from the browser to your SQL statements. Supposing
> I was a maladjusted twat, intent on making other people's lives miserable, I
> could add SQL commands onto the end of a variable and effectively run my own
> sql statements, such as a command to delete your cart database.

I gathered this much. What I was looking for was a little detail/explanation
in how one would "add SQL commands" and how to prevent them from doing it.

And... just what are "magic quotes"?

Charles...
"Charles Crume" <cc@charlescrumesoftware.com> wrote in message
news:GR1Xc.227853$fv.21132@fe2.columbus.rr.com...
>
> "CJ Llewellyn" <satest@tmslifeline.com> wrote in message
> news:cgfq32$6kk$1@slavica.ukpost.com...
>
> I gathered this much. What I was looking for was a little detail/explanation
> in how one would "add SQL commands" and how to prevent them from doing it.

Your sql statement uses the get variable id as the record identifier. As
your sql statement doesn't delimit the variable id, if you add extra SQL
syntax (statements) to the id variable on the url, this will then be
processed along with your DELETE statement.

Assuming that your id is in fact a numeric value, then

$id = (int)$id;

works wonders.

You should also write sql statements with delimiters like

INSERT INTO foo (field1, field2, field3) VALUES ('$field1', '$field2', '$field3')
DELETE FROM foo WHERE id = '$id'

> And... just what are "magic quotes"?

Magic quotes is a php feature that 'escapes' (places a \ before) certain
characters in browser (user) supplied variables, i.e. \ and '.

Most seasoned programmers like them turned off, as the programmer likes to
manually prepare any data heading towards the database, and you don't need
to strip the extra slashes from the data to process it.

You should check whether it is turned on at the start of any script
http://uk.php.net/manual/en/functio...-quotes-gpc.php
and ensure your program can deal with the variables quoted or unquoted.
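The advice spread over CJ's two replies (delimit every value, test every database call for errors, cast a numeric id with (int), cope with magic_quotes_gpc) and Tim Tyler's point that the value must not itself contain the delimiter, gathered into one PHP script. This is an added example written for this page, not code posted in the thread; it assumes an open mysql connection in $conn and a cart table with an integer ItemId column (the thread never shows the schema), and the helper names (clean_input, sql_int, sql_string, build_delete_query, build_insert_query, delete_cart_item) are invented here.

```php
<?php
// Added example, not code from the thread. Assumed: an open mysql connection
// in $conn and a "cart" table with an integer ItemId column (the thread never
// shows the schema). Helper names are invented here.

// Put browser data into one known state: if magic_quotes_gpc is on, PHP has
// already added backslashes, so take them off before escaping ourselves.
function clean_input($value)
{
    if (get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Numeric values: (int) keeps the leading number and drops the rest, so
// anything appended after the id never reaches the SQL.
function sql_int($value)
{
    return (string) (int) clean_input($value);
}

// String values: escape the delimiter and backslash for this connection's
// charset, then wrap the result in the delimiter (Tim Tyler's point).
function sql_string($conn, $value)
{
    return "'" . mysql_real_escape_string(clean_input($value), $conn) . "'";
}

// Build the DELETE from the thread without running it, so the effect of the
// cast can be inspected on its own.
function build_delete_query($item_id)
{
    return "DELETE FROM cart WHERE ItemId=" . sql_int($item_id);
}

// CJ's INSERT example with every value escaped and delimited.
function build_insert_query($conn, $field1, $field2, $field3)
{
    return "INSERT INTO foo (field1, field2, field3) VALUES ("
        . sql_string($conn, $field1) . ", "
        . sql_string($conn, $field2) . ", "
        . sql_string($conn, $field3) . ")";
}

// Run the delete with CJ's error check. $item_id is the raw $_GET string.
// Returns the number of rows removed, or false if the id was not a plain
// number or the query failed.
function delete_cart_item($conn, $item_id)
{
    // Refuse anything that is not all digits before touching the database;
    // the (int) cast inside build_delete_query is then a second line of defence.
    if (!ctype_digit(clean_input($item_id))) {
        return false;
    }
    $result = mysql_query(build_delete_query($item_id), $conn);
    if (!$result) {
        error_log("cart delete failed: " . mysql_error($conn));
        return false;
    }
    return mysql_affected_rows($conn);
}

// Dry run on a constructed value shaped like the one in CJ's URL.
echo build_delete_query("78;DROP cart"), "\n";
```

Because (int) keeps only the leading numeric prefix of a string, a constructed value like "78;DROP cart" reaches the query as the bare 78, and delete_cart_item's ctype_digit check rejects such input outright before anything is run. The mysql_* functions and get_magic_quotes_gpc() belong to the PHP 4/5 era of this thread; on PHP 7 and later the same goal is met with mysqli or PDO prepared statements, where the parameter never becomes part of the SQL text at all.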