Simple DELETE query not working

Question

This is something I should be able to do but I have been trying for the last hour to see the issue here but I can't. It is a simple delete function to delete an entry through the use of a ID tag. It is getting passed through the delete_category.php. If it helps my sql table is called blog_categories.

Its not throwing a error. Tried using echo mysql_error() on it but nothing. It simply acts like a dead link and refreshes the page.

Any help will be appreciated.

Blog.php:

 function delete($table, $id) {
        $table = mysql_real_escape_string($table);
        $id = (int) $id;

        mysql_query("DELETE FROM {$table} WHERE id = {$id}");
    }

Linking delete function by:

<a href="delete_category.php?id=<?php echo $category['id']; ?>">Delete</a>

Delete_category.php

<?php
include("../script/dbconnect.php");
include("../script/blog.php");

if ( ! isset($_GET['id']) ) {
header('location: cms.php');
die();
}

delete('blog_categories', $_GET['id']);

header('location:category_list.php');
die();
?>

Answer 1

So, this isn't a complete answer, but the comment fields are way, way too short to point you in the right troubleshooting direction.

Your code is broken, but not in the way you might expect.

1. GET requests have to be be idempotent. That is, they can't have side effects other than serving content. By having your delete functionality tied to a GET request, you are causing a side effect. This has some pretty severe consequences. Some browsers and caching mechanisms can pre-fetch links, for example. Also think about what a search spider would end up doing if it crawled that page.

   Turn that GET into a POST. Perhaps use a form and a button instead?

2. It's awesome that you're using mysql_real_escape_string, but your use of it here is incorrect. mres is designed to encode character data as part of a string. You are using it on an identifier -- a table name. Identifiers do not share the same escaping semantics as strings, especially when used outside of quotes.

   As long as the first argument to the delete function never comes through users, you can skip mres here.

3. You aren't checking the result from mysql_query. Sayeth the manual:

   For other type of SQL statements, INSERT, UPDATE, DELETE, DROP, etc, mysql_query() returns TRUE on success or FALSE on error.

   You're throwing away the result. You should check that it isn't false and then call mysql_affected_rows to make sure that one and only one row was removed. If mysql_query was false, then you can check mysql_error.

After making these changes, you then need to alter your delete_category.php script to assist in troubleshooting:

1. Add the following two lines to the very top:

     error_reporting(-1);
     ini_set('display_errors', true);
   

2. Change all of the headers to echos. An immediate redirect is going to mask any errors.
3. Use exit instead of die. While they do the same thing, the use of die is frequently used exclusively in the context of "something went so wrong that I have to exit now," vs exit, which is just, well, uh... exit.

Anything that's actually going wrong should then be pretty darn obvious.

If you still aren't seeing anything incorrect happen, and the rows still aren't being deleted, try adding a SELECT COUNT(*) FROM ... before and after the delete, using the same table name and WHERE clause. That will help us troubleshoot further.

Long term, you really want to begin switching from mysql_ PDO or mysqli. The next major release of PHP, version 5.5, is deprecating the mysql_ family of functions.