Why doesnt this delete work to delete the whole record:
$query = 'DELETE FROM tblEvents WHERE index = $_GET["id"]';
$result = mysql_query($query, $db) or die(mysql_error($db));
Where index is variable of type int, auto_incremented in MySQL?
views:
250answers:
4
+4
A:
Your question php is related, not mysql.
print $query; and see.
then refer to php strings syntax, http://php.net/types.string for the proper syntax.
Also, a variable that goes to the query, must be properly prepared, escaped, or, in case of integer value, manually cast to this type,
$id=intval($_GET["id"]);
or, to make it single line,
$query = 'DELETE FROM tblEvents WHERE `index` = '.intval($_GET["id"]);
also, index is reserved word that can cause problems too, you can escape it with backticks,
`index`
but it will be much better if you rename it to just id
Col. Shrapnel
2010-03-15 13:41:36
better to cast to (int) rather than intvat() - faster and the input should be trusted anyway, no need to extract whatever integers might be in an alphanum string
Andy
2010-03-15 13:48:31
There is no word "faster" in such a trifle things. both operators are equal and I prefer most familiar one.
Col. Shrapnel
2010-03-15 13:51:35
Great thanks it was the reserved word index.
Chris_45
2010-03-15 14:15:58
@Shrapnel general good practice, language constructs actually *are* faster by definition http://mahmudahsan.wordpress.com/2008/07/02/php-take-advantage-of-language-constructs/
Andy
2010-03-15 14:50:35
oh no, don't talk of speed of syntax issues. that's ridiculous. this article is rubbish
Col. Shrapnel
2010-03-15 15:01:02
I shall talk of speed no more :)
Andy
2010-03-15 15:46:41
A:
Col. Shrapnel is right, you can't use variables directly in a string in single quotes. If you use double quotes around your query, it will work.
EDIT: As Col. Shrapnel said in his comment, in this case you'll also have to change the double quotes in the array offset to single quotes.
Lex
2010-03-15 13:44:54
Actually in this very case it wouldn't :)Associative arrays have it special syntax with double quoted strings.
Col. Shrapnel
2010-03-15 13:46:25
No, singles won't work too. Either `$_GET[id]` or `{$_GET['id']}` would. that's why I said syntax is "special"
Col. Shrapnel
2010-03-15 14:20:37
A:
You should test for delete success with a separate query
$query = 'DELETE FROM tblEvents WHERE index = $_GET["id"]';
mysql_query($query, $db);
if( mysql_affected_rows < 1 ) die();
Andy
2010-03-15 13:46:25
A:
Hopefully you already know this, but you need to secure that $_GET['id'] so people can't do SQL Injection. Try using the following instead:
$query = sprintf('DELETE FROM tblEvents WHERE index = %d',mysql_real_escape_string($_GET['id']));This also solves your problem of using a variable in single quotes instead of double quotes.
if you wanted you could also do:
$id = mysql_real_escape_string($_GET['id']);
$query = "DELETE FROM tblEvents WHERE index = {$id}";
This works too.
ocdcoder
2010-03-15 13:47:04
According to mysql's site it does: http://php.net/manual/en/function.mysql-real-escape-string.php
ocdcoder
2010-03-15 13:56:21
Read it carefully. It is not a magic word that makes everything "safe". It's part of syntax. You failed to follow all it rules.
Col. Shrapnel
2010-03-15 14:01:57
I agree its not the magic wand, but explaining all of that here i thought would be a little too much, especially since i didn't know if he already knew or not. Maybe i should have link for more info the article. Anyway, I literally just mimicked php's example 1. So please tell me what i'm missing, besides like stripslashes or something.
ocdcoder
2010-03-15 14:08:51
quotes around value is the thing that missed. it works only together with escaping. most people do quote but forget to escape, but you do opposite :)
Col. Shrapnel
2010-03-15 14:15:10