?
Solved

Record Not Deleting

Posted on 2015-01-27
7
Medium Priority
?
34 Views
Last Modified: 2015-04-11
My PHP isn't deleting a record.

The link...
http://www.mediascrubber.com/records.php

The PHP
<?
include("7conn.php");
$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
for($i=0;$i<$size;$i++) {
	$id=trim($ex[$i]);
	$sql="delete from records where recordId='$id'";
	$result=mysql_query($sql,$connection) or die(mysql_error());
	
}
header("location: records.php");
?>

Open in new window


The HTML
<td align="center"><a href="<? echo "7delete.php?recordId=".$row['recordId']; ?>">Delete</a></td>

Open in new window

0
Comment
Question by:DS928
7 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 40574463
$id=trim($ex[$i]);   are  you sure you have id here? Just print & check it
0
 

Author Comment

by:DS928
ID: 40574468
I think the code is setup to loop through for a multiple delete.  I just need to delete a single record based on the recordId.

<?
include("7conn.php");
$recordId=recordId;
$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
for($i=0;$i<$size;$i++) {
	$id=trim($ex[$i]);
	$sql="delete from records where recordId='$id'";
	$result=mysql_query($sql,$connection) or die(mysql_error());
	
}
header("location: records.php");
?>

Open in new window

0
 

Author Comment

by:DS928
ID: 40574482
This worked.
<?php
$recordId =$_REQUEST['recordId'];

$con = mysql_connect("777","888","999");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("2222", $con);

// sending query
mysql_query("DELETE FROM records WHERE recordId = '$recordId'")
or die(mysql_error());      
header("location: records.php");
?>

Open in new window

0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 40574506
yes, you need to check why these codes are put here,

$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
0
 
LVL 7

Accepted Solution

by:
Vimal DM earned 2000 total points
ID: 40574929
Hi,
Points to be looked into,

1) Since your deleting record with reference to integer number, need not to be in single quote [recordId=$id]

2) Make sure your getting the connection string ($connection)

3) Apply if condition before executing the SQL Query (i.e to check "$id" value is available or not)
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 40575000
You have a security risk here.  Let me try to explain.

Before you go much further with this process, please take a step back to learn about the way HTTP requests work.  
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

In the world of PHP applications, we usually see two kinds of requests -- GET and POST.  GET requests use URL parameters to tell the server what to do, they can be bookmarked, etc.  A Google search is an example of a GET request.  GET requests must never modify the data on the server.  A GET request must always be considered idempotent.  If you want to modify the server data model (including delete a record) you do this via a POST request.

The PHP variable $_REQUEST is a dangerous thing.  The reason it's considered harmful is because it combines the request data from several sources.  As a result your script could find data that was expected for a POST request, but was actually presented via a GET request.  This is a giant security hole, and one that can be used to steal or destroy your data.

Consider this hypothetical web page that uses the script posted above..
<a href="http://path/to/badScript.php?recordId=1">1</a>
<a href="http://path/to/badScript.php?recordId=2">2</a>
<a href="http://path/to/badScript.php?recordId=3">3</a>
 ... etc ...
<a href="http://path/to/badScript.php?recordId=999">999</a>

Open in new window

Let's say I'm a "bad guy" and I put that script up on my server.  Then I feed that link to Google, Yahoo, or any other search engine.  The search engines will crawl that page, following every link, and each time they follow a link, your web site will delete one of the records from your database.

So, "safety first."  Please learn about PHP security before you expose your scripts on the internet!
0
 

Author Comment

by:DS928
ID: 40581651
Working on it.
0

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
This article discusses how to implement server side field validation and display customized error messages to the client.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question