USer

Reputation: 13

PHP - $GET and delete from MySQL

I have an a href which looks like that: <a href="delete-news.php?deleteID=11">Delete</a>

And the file delete-news.php is as follows:

<?php 

if(isset($_GET["?deleteID='.$id."])) 
{

    $result = mysql_query("DELETE FROM 'news' WHERE id='$id'");
    echo mysql_error();
    if($result)
        echo "succces";
}
else { echo "GET NOT SET"; }

?>

But it is returning GET NOT SET. What am I doing wrong?

Upvotes: 0

Views: 6820

Answers (7)

tsbelanger

Reputation: 1

You obtain GET NOT SET because the $_GET associative array does not contain ?deleteID='.$id.

In order for you to obtain the id, you need to do something like this:

$id = $_GET['deleteID'];

Also

$result = mysql_query("DELETE FROM 'news' WHERE id='$id'");

That is very unsafe as it allows SQL injections. Instead, do:

// %d forces the value to an integer before it reaches the query
$query = sprintf("DELETE FROM news WHERE id=%d",
         mysql_real_escape_string($id));
$result = mysql_query($query);

I hope this helped.

Upvotes: 0

genesis

Reputation: 50982

<?php 

if(isset($_GET["deleteID"])) 
{
    $id = ($_GET['deleteID']);
    $result = mysql_query("DELETE FROM news WHERE id='".mysql_real_escape_string($id)."'");
    echo mysql_error();
    if($result)
        echo "succces";
}
else { echo "GET NOT SET"; }

?>

is the correct one

Upvotes: 0

karllindmark

Reputation: 6071

Try this instead:

<?php 
    if(isset($_GET['deleteID'])) 
    {
        $id = intval($_GET['deleteID']);
        $result = mysql_query("DELETE FROM `news` WHERE id='$id'");
        echo mysql_error();
        if($result) echo "succces";

    } else { 

        echo "GET NOT SET";

     }
?>

Note that I'm making the given deleteID into an int, meaning that values other than some form of number will become 0.

Also, you can't wrap a table- and/or column name with ' - backticks are the way to go!

Upvotes: 0

Dunhamzzz

Reputation: 14808

Use this, and for god's sake escape your inputs.

if(isset($_GET['deleteID'])) {
    $result = mysql_query("DELETE FROM `news` WHERE id='".mysql_real_escape_string($_GET['deleteID']). "'");
    echo mysql_error();
    if($result)
        echo "succces";

} else {
    echo 'GET NOT SET';
}

Upvotes: 5

Alex Howansky

Reputation: 53626

Please also note that changes to the system should only happen via POST, and never GET. Otherwise (for example), you might get a spidering bot that deletes your whole site. See this post for more references:

https://stackoverflow.com/questions/679013/get-vs-post-best-practices

Upvotes: 1

Michael Berkowski

Reputation: 270727

You need to check $_GET for just deleteID. Later, reference it as $_GET['deleteID']. Also, call mysql_real_escape_string() on $_GET['deleteID'] to retrieve your query parameter $id.

if(isset($_GET["deleteID"])) 
{
    $id = mysql_real_escape_string($_GET['deleteID']);
    $result = mysql_query("DELETE FROM `news` WHERE id='$id'");
    echo mysql_error();
    if($result)
        echo "succces";
}
else { echo "GET NOT SET"; }

Upvotes: 0

Brad Christie

Reputation: 101614

$_GET will have each element of the GET variables already broken down, so no need to include the URL data. So, in your example, the link ?deleteID=123 would produce $_GET['deleteID'].

Try using that, but also remember to sanitize the values you receive from URLs. If it's going to be a numeric value, I suggest casting it:

$deleteID = (int)$_GET['deleteID'];

Upvotes: 1
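
The advice in the answers above (treat the id as an integer, keep the value out of the SQL string, change state only via POST) combined into one handler, as an added example that is not from any of the posts. It swaps in PDO prepared statements for the mysql_* calls, which were removed in PHP 7.0; deleteNews() is a hypothetical name, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not code from any post on this page.
// Assumptions: PDO replaces the mysql_* functions (removed in PHP 7.0); an
// in-memory SQLite database stands in for MySQL so the script runs offline.
// deleteNews() and its parameters are hypothetical names.
function deleteNews(PDO $db, string $method, array $params): string
{
    // State changes only via POST, so a crawler following links cannot delete.
    if ($method !== 'POST') {
        return 'method not allowed';
    }
    // Strict validation: unlike intval(), "11abc" is rejected, not turned into 11.
    $id = filter_var($params['deleteID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'invalid id';
    }
    // The placeholder keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('DELETE FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    // A DELETE that matches no row still succeeds, so check the row count.
    return $stmt->rowCount() === 1 ? 'deleted' : 'not found';
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO news (id, title) VALUES (11, 'first'), (12, 'second')");

// Constructed requests: [method, parameters].
$requests = [
    ['GET',  ['deleteID' => '11']],     // link click or crawler
    ['POST', ['deleteID' => '11abc']],  // malformed id
    ['POST', []],                       // parameter missing
    ['POST', ['deleteID' => '11']],     // valid, row exists
    ['POST', ['deleteID' => '11']],     // valid, row already gone
];
foreach ($requests as [$method, $params]) {
    echo $method, ' ', json_encode($params), ' => ',
         deleteNews($db, $method, $params), PHP_EOL;
}
echo 'rows left: ', $db->query('SELECT COUNT(*) FROM news')->fetchColumn(), PHP_EOL;
```

In a real delete-news.php the call would be deleteNews($db, $_SERVER['REQUEST_METHOD'], $_POST) with a mysql: DSN, and the Delete link becomes a small form that submits via POST.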
