MySQL query doesn't work HELP NEEDED


Question

In the following code I try to delete a record from my database but it doesn't work... I don't know why

Thank you in advance

 

<?php
	ob_start();
	session_start();
	require_once 'dbconnect.php';

	// it will never let you open index(login) page if session is set
	if ( !isset($_SESSION['user']) ) {
		header("Location: home.php");
		exit;
	}

	$error = false;

	if( isset($_POST['submit']) ) {

		if(empty($_POST['ID'])){
			$error = true;
			$emailError = "Please enter an ID ";
		}

		// prevent sql injections clear user invalid inputs
		$ID = trim($_POST['ID']);
		$ID = strip_tags($ID);
		$ID = htmlspecialchars($ID);

		if (!$error) {

			$result=mysqli_query($conn,"SELECT  userName, userEmail , userPass FROM users WHERE userName='$ID'");
			$row=mysqli_fetch_array($result);
			$Count=mysqli_num_rows($result);
			if($Count ==1) {
				$result=mysqli_query($conn,"DELETE * FROM users WHERE userName='$ID'");
				$row=mysqli_fetch_array($result);
				$errMSG="User Deleted!";
			} else {
				$errMSG = "User doesnt exist";
			}

		}

	}
?>

 

Edited by GeekInside

2 answers to this question


Your syntax is invalid, you shouldn't be specifying fields in a delete query, change:

 

$result=mysqli_query($conn,"DELETE * FROM users WHERE userName='$ID'");

to:

 

$result=mysqli_query($conn,"DELETE FROM users WHERE userName='$ID'");

 

As a side note... you're still vulnerable to SQL injection, please look up parameterized queries or at the very least use mysqli_real_escape_string, htmlspecialchars isn't protecting you.

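The parameterized query recommended in the answer above, written out as an added example that is not part of the original posts. It assumes `$conn` is the mysqli connection created by the question's `dbconnect.php` and reuses the `users` table and `userName` column from the question; `deleteUserByName()` is a hypothetical helper name.

```php
<?php
// Added example: parameterized DELETE with mysqli (not the poster's code).
// Assumes dbconnect.php defines $conn as a mysqli connection.

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
require_once 'dbconnect.php';

/**
 * Delete the user(s) with this name. Returns true if a row was removed.
 * deleteUserByName() is a hypothetical helper name.
 */
function deleteUserByName(mysqli $conn, string $userName): bool
{
    // The ? placeholder keeps the value out of the SQL text, so a quote
    // in $userName (for example O'Brien) cannot change the statement.
    $stmt = $conn->prepare('DELETE FROM users WHERE userName = ?');
    $stmt->bind_param('s', $userName);
    $stmt->execute();
    // affected_rows replaces the separate SELECT existence check.
    $deleted = $stmt->affected_rows > 0;
    $stmt->close();
    return $deleted;
}

$errMSG = '';
if (isset($_POST['submit'])) {
    // Only trim the input: strip_tags/htmlspecialchars change the value
    // being looked up and do nothing against SQL injection.
    $ID = is_string($_POST['ID'] ?? null) ? trim($_POST['ID']) : '';
    if ($ID === '') {
        $errMSG = 'Please enter an ID';
    } else {
        try {
            $errMSG = deleteUserByName($conn, $ID) ? 'User deleted!' : "User doesn't exist";
        } catch (mysqli_sql_exception $e) {
            error_log('Delete failed: ' . $e->getMessage());
            $errMSG = 'Could not delete user';
        }
    }
}
// htmlspecialchars belongs here, at output time, when echoing into HTML.
echo htmlspecialchars($errMSG, ENT_QUOTES, 'UTF-8');
```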

1 hour ago, ZakO said:

Your syntax is invalid, you shouldn't be specifying fields in a delete query, change:

 


$result=mysqli_query($conn,"DELETE * FROM users WHERE userName='$ID'");

to:

 


$result=mysqli_query($conn,"DELETE FROM users WHERE userName='$ID'");

 

As a side note... you're still vulnerable to SQL injection, please look up parameterized queries or at the very least use mysqli_real_escape_string, htmlspecialchars isn't protecting you.

Thank you, I managed to do it... and yes, I'm working now on the prepared statements. Thank you so much :)
