tags:

views:

40

answers:

2
+1  Q: 

Deleting a database row with mysql - getting an error!?

Here's the code:

mysql_query("DELETE " . $_GET['id'] . " FROM forum_favorites WHERE thread_id='" . $_GET['id'] . "' AND user='" . $userinfo['username'] . "'") or die(mysql_error());

And the error message:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '77 FROM forum_favorites WHERE thread_id='77' AND user='nike1'' at line 1

Anyone knows what's up here? I've been stuck here for hours now and i just can't figure out what the heck's wrong? The database name and the column names are correct.

Thanks. -Nike

+4  A: 

Remove " . $_GET['id'] . " between DELETE and FROM:

DELETE FROM forum_favorites etc...

See the documentation for DELETE for more information.

Note that your code may also be vulnerable to SQL injection attacks. I'd suggest reading this question and the answers there.

Mark Byers  2010-04-19 11:57:49
I am like 100% sure i tried removing it before, but it didn't work. Heh, well thanks. And yea i've fixed that now!
Nike  2010-04-19 12:02:13
+1  A:  
$thread_id=intval($_GET['id']);
$username=mysql_real_escpe_string($userinfo['username']);

$sql="DELETE FROM forum_favorites WHERE thread_id=$thread_id AND user='$username'";
mysql_query($sql) or trigger_error(mysql_error());
Col. Shrapnel  2010-04-19 12:11:08
The username is already validated and don't have to be validated twice. This would work for the id aswell, right? $thread_id = htmlentities($_GET['id'], ENT_QUOTES); But to be honest, your "fix" looks simpler.
Nike  2010-04-19 17:15:57
@Nike hehe you messed everything up :) mysql_real_escpe_string does no validation at all. Nor htmlentities does. Escaping is just a part of SQL syntax. No validation can replace it. To be placed into SQL query, every string must be enclosed in quotes and, therefore, escaped. No exceptions. For the thread_id htmlentities will help you nothing. Especially if you don't enclose it in quotes. Actually, **html** entities function has nothing to do with **sql** query. Go figure ;)
Col. Shrapnel  2010-04-19 17:33:31
Well, that's pretty much what i meant when i said validation. Sorry xD Yeah i know it doesn't have anything to do with sql, but it does escape quotes, somehow! No matter what i enter now, it just ignores it and shoots it up to the database, just like it's suppose to.
Nike  2010-04-19 17:41:27
Notice that i added ", ENT_QUOTES" to the htmlentities tag. I believe that affects it somehow. I'm still learning, so i might be wrong, but my teacher in school actually taught me that that was, well, ONE of many CORRECT ways of escaping (not validating, heh) a string. Still, sorry if i'm wrong.
Nike  2010-04-19 17:47:18
@Nick I am sorry but your teacher knows nothing. As e result, you know nothing as well. One cannot "validate" a string preliminarily. It can be done right before placing into query only. And the only SQL preparation can be escaping and nothing else. You also spoil your data, making " from quote.
Col. Shrapnel  2010-04-19 18:14:31
Heyy, i'm not completely useless. I just didn't know how to do this. Actually, that's one of like 2-3 things my teacher has learned me about php/mysql. I've worked mostly with it at home. But, if i do use your method to escape the string, what happens if a user enters somehting like <?php harmful_script_here(); ?> ? Since your method doesn't spoil the data with etc, it just shoots the string right up to the database without changing anything. So, what can i do to avoid the string from the database to be executed when printed out?
Nike  2010-04-19 18:34:01
@Nick such kind of string will never be executed. The only executable code in the string can be Javascript. To prevent it from the execution htmlspecialchars() function must be used, yes. But it shouldn't be messed with SQL escaping. It's totally different matters. sql escaping cannot be replaced with HTML one. Sql escaping doesn't change the data, but html one does. So, it would be bad idea to escape html anywhere beside right before output.
Col. Shrapnel  2010-04-19 19:00:46
Okey, so why will "that kind" of code never be executed? I don't see the difference... i mean, both php and javascript contains such characters. Okey, so if i got you right now, your telling me that i should just escape the string when writing to the database, and when printing the text out, use htmlspecialchars() to change quotes etc. to html text? Sounds pretty good to me. :)
Nike  2010-04-19 19:51:40

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL