Solved

Record Not Deleting

Posted on 2015-01-27
Last Modified: 2015-04-11
My PHP isn't deleting a record.

The link...
http://www.mediascrubber.com/records.php

The PHP
<?
include("7conn.php");
$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
for($i=0;$i<$size;$i++) {
	$id=trim($ex[$i]);
	$sql="delete from records where recordId='$id'";
	$result=mysql_query($sql,$connection) or die(mysql_error());
	
}
header("location: records.php");
?>


The HTML
<td align="center"><a href="<? echo "7delete.php?recordId=".$row['recordId']; ?>">Delete</a></td>

Question by:DS928
7 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 40574463
$id=trim($ex[$i]); Are you sure you have id here? Just print & check it.
0
 

Author Comment

by:DS928
ID: 40574468
I think the code is set up to loop through for a multiple delete.  I just need to delete a single record based on the recordId.

<?
include("7conn.php");
$recordId=recordId;
$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
for($i=0;$i<$size;$i++) {
	$id=trim($ex[$i]);
	$sql="delete from records where recordId='$id'";
	$result=mysql_query($sql,$connection) or die(mysql_error());
	
}
header("location: records.php");
?>

0
 

Author Comment

by:DS928
ID: 40574482
This worked.
<?php
$recordId =$_REQUEST['recordId'];

$con = mysql_connect("777","888","999");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("2222", $con);

// sending query
mysql_query("DELETE FROM records WHERE recordId = '$recordId'")
or die(mysql_error());      
header("location: records.php");
?>

0
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 40574506
Yes, you need to check why this code is put here:

$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
0
 
LVL 7

Accepted Solution

by:
Vimal DM earned 2000 total points
ID: 40574929
Hi,
Points to be looked into,

1) Since you're deleting the record with reference to an integer number, it need not be in single quotes [recordId=$id]

2) Make sure you're getting the connection string ($connection)

3) Apply an if condition before executing the SQL query (i.e. to check whether the "$id" value is available or not)
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40575000
You have a security risk here.  Let me try to explain.

Before you go much further with this process, please take a step back to learn about the way HTTP requests work.  
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

In the world of PHP applications, we usually see two kinds of requests -- GET and POST.  GET requests use URL parameters to tell the server what to do, they can be bookmarked, etc.  A Google search is an example of a GET request.  GET requests must never modify the data on the server.  A GET request must always be considered idempotent.  If you want to modify the server data model (including deleting a record) you do this via a POST request.

The PHP variable $_REQUEST is a dangerous thing.  The reason it's considered harmful is because it combines the request data from several sources.  As a result your script could find data that was expected for a POST request, but was actually presented via a GET request.  This is a giant security hole, and one that can be used to steal or destroy your data.

Consider this hypothetical web page that uses the script posted above:
<a href="http://path/to/badScript.php?recordId=1">1</a>
<a href="http://path/to/badScript.php?recordId=2">2</a>
<a href="http://path/to/badScript.php?recordId=3">3</a>
 ... etc ...
<a href="http://path/to/badScript.php?recordId=999">999</a>

Let's say I'm a "bad guy" and I put that script up on my server.  Then I feed that link to Google, Yahoo, or any other search engine.  The search engines will crawl that page, following every link, and each time they follow a link, your web site will delete one of the records from your database.

So, "safety first."  Please learn about PHP security before you expose your scripts on the internet!
0
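
One way to apply the points from the accepted answer (check the id before running the query) and from Ray Paseur's comment (POST instead of GET, no $_REQUEST) to the delete script; this is an added example, not code from the thread. It uses PDO instead of the mysql_* functions, and the handleDelete name, the csrf_token field and the in-memory SQLite data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Returns the HTTP status to send. $method, $post and $session stand in for
// $_SERVER['REQUEST_METHOD'], $_POST and $_SESSION so the logic runs from the CLI.
function handleDelete(PDO $db, string $method, array $post, array $session): int
{
    // Deletes are accepted over POST only; a crawler following links sends GET.
    if ($method !== 'POST') {
        return 405;
    }
    // Per-session token (hypothetical field name csrf_token), so a page on
    // another site cannot submit the delete through the user's browser.
    $sent = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($sent) || !is_string($expected) || $expected === ''
        || !hash_equals($expected, $sent)) {
        return 403;
    }
    // Read $_POST only (not $_REQUEST) and require a positive integer id.
    $id = filter_var($post['recordId'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 400;
    }
    // Bound parameter: the id is never concatenated into the SQL text.
    $stmt = $db->prepare('DELETE FROM records WHERE recordId = :id');
    $stmt->execute([':id' => $id]);
    // 303 redirects back to records.php; 404 when no such record existed.
    return $stmt->rowCount() === 1 ? 303 : 404;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (recordId INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO records VALUES (1, 'a'), (2, 'b'), (3, 'c')");
$session = ['csrf_token' => bin2hex(random_bytes(32))];
$valid = ['recordId' => '2', 'csrf_token' => $session['csrf_token']];

$cases = [
    'GET link'        => ['GET', $valid],
    'POST, no token'  => ['POST', ['recordId' => '2']],
    'POST, bad id'    => ['POST', ['recordId' => 'abc'] + $valid],
    'POST, valid'     => ['POST', $valid],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-15s => %d\n", $label, handleDelete($db, $method, $post, $session));
}
printf("rows left: %d\n", $db->query('SELECT COUNT(*) FROM records')->fetchColumn());
```

In 7delete.php the call would be handleDelete($db, $_SERVER['REQUEST_METHOD'], $_POST, $_SESSION), and the Delete link in records.php becomes a small POST form carrying recordId and the token.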
 

Author Comment

by:DS928
ID: 40581651
Working on it.
0
