Solved

Record Not Deleting

Posted on 2015-01-27
7
23 Views
Last Modified: 2015-04-11
My PHP isn't deleting a record.

The link...
http://www.mediascrubber.com/records.php

The PHP
<?
include("7conn.php");
$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
for($i=0;$i<$size;$i++) {
	$id=trim($ex[$i]);
	$sql="delete from records where recordId='$id'";
	$result=mysql_query($sql,$connection) or die(mysql_error());
	
}
header("location: records.php");
?>

Open in new window


The HTML
<td align="center"><a href="<? echo "7delete.php?recordId=".$row['recordId']; ?>">Delete</a></td>

Open in new window

0
Comment
Question by:DS928
7 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
Comment Utility
$id=trim($ex[$i]);   are  you sure you have id here? Just print & check it
0
 

Author Comment

by:DS928
Comment Utility
I think the code is setup to loop through for a multiple delete.  I just need to delete a single record based on the recordId.

<?
include("7conn.php");
$recordId=recordId;
$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
for($i=0;$i<$size;$i++) {
	$id=trim($ex[$i]);
	$sql="delete from records where recordId='$id'";
	$result=mysql_query($sql,$connection) or die(mysql_error());
	
}
header("location: records.php");
?>

Open in new window

0
 

Author Comment

by:DS928
Comment Utility
This worked.
<?php
$recordId =$_REQUEST['recordId'];

$con = mysql_connect("777","888","999");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("2222", $con);

// sending query
mysql_query("DELETE FROM records WHERE recordId = '$recordId'")
or die(mysql_error());      
header("location: records.php");
?>

Open in new window

0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 36

Expert Comment

by:Loganathan Natarajan
Comment Utility
yes, you need to check why these codes are put here,

$recsno=$_GET["recsno"];
$data=trim($recsno);
$ex=explode(" ",$data);
$size=sizeof($ex);
0
 
LVL 7

Accepted Solution

by:
Vimal DM earned 500 total points
Comment Utility
Hi,
Points to be looked into,

1) Since your deleting record with reference to integer number, need not to be in single quote [recordId=$id]

2) Make sure your getting the connection string ($connection)

3) Apply if condition before executing the SQL Query (i.e to check "$id" value is available or not)
0
 
LVL 108

Expert Comment

by:Ray Paseur
Comment Utility
You have a security risk here.  Let me try to explain.

Before you go much further with this process, please take a step back to learn about the way HTTP requests work.  
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

In the world of PHP applications, we usually see two kinds of requests -- GET and POST.  GET requests use URL parameters to tell the server what to do, they can be bookmarked, etc.  A Google search is an example of a GET request.  GET requests must never modify the data on the server.  A GET request must always be considered idempotent.  If you want to modify the server data model (including delete a record) you do this via a POST request.

The PHP variable $_REQUEST is a dangerous thing.  The reason it's considered harmful is because it combines the request data from several sources.  As a result your script could find data that was expected for a POST request, but was actually presented via a GET request.  This is a giant security hole, and one that can be used to steal or destroy your data.

Consider this hypothetical web page that uses the script posted above..
<a href="http://path/to/badScript.php?recordId=1">1</a>
<a href="http://path/to/badScript.php?recordId=2">2</a>
<a href="http://path/to/badScript.php?recordId=3">3</a>
 ... etc ...
<a href="http://path/to/badScript.php?recordId=999">999</a>

Open in new window

Let's say I'm a "bad guy" and I put that script up on my server.  Then I feed that link to Google, Yahoo, or any other search engine.  The search engines will crawl that page, following every link, and each time they follow a link, your web site will delete one of the records from your database.

So, "safety first."  Please learn about PHP security before you expose your scripts on the internet!
0
 

Author Comment

by:DS928
Comment Utility
Working on it.
0

Featured Post

Easy Project Management (No User Manual Required)

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This article will explain how to display the first page of your Microsoft Word documents (e.g. .doc, .docx, etc...) as images in a web page programatically. I have scoured the web on a way to do this unsuccessfully. The goal is to produce something …
Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now