Solved

Record Not Deleting

Posted on 2015-01-27
7
29 Views
Last Modified: 2015-04-11
My PHP isn't deleting a record.

The link...
http://www.mediascrubber.com/records.php

The PHP
<?
include("7conn.php");
$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
for($i=0;$i<$size;$i++) {
	$id=trim($ex[$i]);
	$sql="delete from records where recordId='$id'";
	$result=mysql_query($sql,$connection) or die(mysql_error());
	
}
header("location: records.php");
?>

Open in new window


The HTML
<td align="center"><a href="<? echo "7delete.php?recordId=".$row['recordId']; ?>">Delete</a></td>

Open in new window

0
Comment
Question by:DS928
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 40574463
$id=trim($ex[$i]);   are  you sure you have id here? Just print & check it
0
 

Author Comment

by:DS928
ID: 40574468
I think the code is setup to loop through for a multiple delete.  I just need to delete a single record based on the recordId.

<?
include("7conn.php");
$recordId=recordId;
$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
for($i=0;$i<$size;$i++) {
	$id=trim($ex[$i]);
	$sql="delete from records where recordId='$id'";
	$result=mysql_query($sql,$connection) or die(mysql_error());
	
}
header("location: records.php");
?>

Open in new window

0
 

Author Comment

by:DS928
ID: 40574482
This worked.
<?php
$recordId =$_REQUEST['recordId'];

$con = mysql_connect("777","888","999");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("2222", $con);

// sending query
mysql_query("DELETE FROM records WHERE recordId = '$recordId'")
or die(mysql_error());      
header("location: records.php");
?>

Open in new window

0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 40574506
yes, you need to check why these codes are put here,

$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
0
 
LVL 7

Accepted Solution

by:
Vimal DM earned 500 total points
ID: 40574929
Hi,
Points to be looked into,

1) Since your deleting record with reference to integer number, need not to be in single quote [recordId=$id]

2) Make sure your getting the connection string ($connection)

3) Apply if condition before executing the SQL Query (i.e to check "$id" value is available or not)
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 40575000
You have a security risk here.  Let me try to explain.

Before you go much further with this process, please take a step back to learn about the way HTTP requests work.  
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

In the world of PHP applications, we usually see two kinds of requests -- GET and POST.  GET requests use URL parameters to tell the server what to do, they can be bookmarked, etc.  A Google search is an example of a GET request.  GET requests must never modify the data on the server.  A GET request must always be considered idempotent.  If you want to modify the server data model (including delete a record) you do this via a POST request.

The PHP variable $_REQUEST is a dangerous thing.  The reason it's considered harmful is because it combines the request data from several sources.  As a result your script could find data that was expected for a POST request, but was actually presented via a GET request.  This is a giant security hole, and one that can be used to steal or destroy your data.

Consider this hypothetical web page that uses the script posted above..
<a href="http://path/to/badScript.php?recordId=1">1</a>
<a href="http://path/to/badScript.php?recordId=2">2</a>
<a href="http://path/to/badScript.php?recordId=3">3</a>
 ... etc ...
<a href="http://path/to/badScript.php?recordId=999">999</a>

Open in new window

Let's say I'm a "bad guy" and I put that script up on my server.  Then I feed that link to Google, Yahoo, or any other search engine.  The search engines will crawl that page, following every link, and each time they follow a link, your web site will delete one of the records from your database.

So, "safety first."  Please learn about PHP security before you expose your scripts on the internet!
0
 

Author Comment

by:DS928
ID: 40581651
Working on it.
0

Featured Post

Enroll in June's Course of the Month

June's Course of the Month is now available! Every 10 seconds, a consumer gets hit with ransomware. Refresh your knowledge of ransomware best practices by enrolling in this month's complimentary course for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

These days socially coordinated efforts have turned into a critical requirement for enterprises.
This article discusses how to create an extensible mechanism for linked drop downs.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question