MYSQL query doesn't work HELP NEEDED

Question

GeekInside    1

In the following code I try to delete a record from my database but it doesn't work... I don't know why

Thank you in advance

 

<?php
	ob_start();
	session_start();
	require_once 'dbconnect.php';

	// it will never let you open index(login) page if session is set
	if ( !isset($_SESSION['user']) ) {
		header("Location: home.php");
		exit;
	}

	$error = false;

	if( isset($_POST['submit']) ) {

		if(empty($_POST['ID'])){
			$error = true;
			$emailError = "Please enter an ID ";
		}

		// prevent sql injections clear user invalid inputs
		$ID = trim($_POST['ID']);
		$ID = strip_tags($ID);
		$ID = htmlspecialchars($ID);

		if (!$error) {

			$result=mysqli_query($conn,"SELECT  userName, userEmail , userPass FROM users WHERE userName='$ID'");
			$row=mysqli_fetch_array($result);
			$Count=  mysqli_num_rows($result);
			if($Count ==1) {
				$result=mysqli_query($conn,"DELETE * FROM users WHERE userName='$ID'");
				$row=mysqli_fetch_array($result);
				$errMSG="User Deleted!";
			} else {
				$errMSG = "User doesnt exist";
			}

		}

	}
?>

 

Edited by GeekInside

2 answers to this question

ZakO    493

Your syntax is invalid, you shouldn't be specifying fields in a delete query, change:

 

$result=mysqli_query($conn,"DELETE * FROM users WHERE userName='$ID'");

to:

 

$result=mysqli_query($conn,"DELETE FROM users WHERE userName='$ID'");

 

As a side note... you're still vulnerable to SQL injection, please look up parameterized queries or at the very least use mysqli_real_escape_string, htmlspecialchars isn't protecting you.

  • Like 5

GeekInside    1
1 hour ago, ZakO said:

Your syntax is invalid, you shouldn't be specifying fields in a delete query, change:

 


$result=mysqli_query($conn,"DELETE * FROM users WHERE userName='$ID'");

to:

 


$result=mysqli_query($conn,"DELETE FROM users WHERE userName='$ID'");

 

As a side note... you're still vulnerable to SQL injection, please look up parameterized queries or at the very least use mysqli_real_escape_string, htmlspecialchars isn't protecting you.

Thank you, I managed to do it... and yes, I'm working now on the prepared statements. Thank you so much :)

  • Like 1
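
The parameterized query that ZakO's side note points to, written as an added example (not code from either poster). It assumes `$conn` is the mysqli connection created by the thread's `dbconnect.php` and that `userName` is unique; `delete_user()` is a hypothetical helper name.

```php
<?php
// Added example: assumes $conn is the mysqli connection from dbconnect.php.
// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: delete one user by name, true if a row was removed.
function delete_user(mysqli $conn, string $userName): bool
{
    // The ? placeholder keeps the value out of the SQL text, so quotes in
    // $userName cannot change the structure of the statement.
    $stmt = $conn->prepare('DELETE FROM users WHERE userName = ?');
    $stmt->bind_param('s', $userName);
    $stmt->execute();
    $deleted = $stmt->affected_rows > 0; // assumes userName is unique
    $stmt->close();
    return $deleted;
}

ob_start();
session_start();
require_once 'dbconnect.php';

if (!isset($_SESSION['user'])) {
    header('Location: home.php');
    exit;
}

$errMSG = '';
if (isset($_POST['submit'])) {
    // Trim only. strip_tags()/htmlspecialchars() are HTML output encoders,
    // not SQL defences, and they would alter the name being matched.
    $ID = is_string($_POST['ID'] ?? null) ? trim($_POST['ID']) : '';
    if ($ID === '') {
        $errMSG = 'Please enter an ID';
    } else {
        try {
            // One statement replaces the SELECT-then-DELETE pair.
            $errMSG = delete_user($conn, $ID) ? 'User Deleted!' : "User doesn't exist";
        } catch (mysqli_sql_exception $e) {
            error_log($e->getMessage()); // keep SQL error details server-side
            $errMSG = 'Could not delete user';
        }
    }
}
// HTML-encode at output time, which is where htmlspecialchars() belongs.
echo htmlspecialchars($errMSG, ENT_QUOTES, 'UTF-8');
```

A DELETE returns no result set, so the helper reads `affected_rows` rather than calling `mysqli_fetch_array()` on the result.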
