Re: php/mysql syntax help

Posted by shimmyshack on 02/14/07 23:38

On 14 Feb, 23:11, "edward_sanders" <edward_sand...@bellsouth.net>
wrote:
> I meant to add that I am using PHP 5.2.x and
> mysql 5
> Thanks,
> Bruce
>
> "edward_sanders" <edward_sand...@bellsouth.net> wrote in message news:...
> > Hi,
> > This is a newbie question. I am using a text for learning php/mysql.
> > The example is that of a mysql
> > database of jokes. Before we get to joins there is a
> > simple table with 3 fields, ID field (primary key, integer),
> > JokeText, and JokeDate. In the program for some
> > reason the code is not retrieving the ID for each
> > row from the db. It gets the JokeText field just fine.
> > Let me include the snippets below.
>
> > This is where each row (each joke) is to be displayed.
> > Note that the ID is used to give the option of deleting a
> > joke from the db. The link tag is supposed to get that
> > ID passed to the link but that isn't happening. Please help.
>
> > // Display the text of each joke in the paragraph
> > while ( $row = mysql_fetch_array($result)) {
> > $jokeid = $row["ID"];
> > echo ($row["ID"]);
> > $deletejoke=$jokeid;
> > $joketext = $row["JokeText"];
> > $thispage = $_SERVER["PHP_SELF"];
> > echo("<p>$joketext " .
> > "<A HREF='$thispage?deletejoke=$jokeid'>" .
> > "Delete this Joke</a></p>");
> > }
>
> > Then the code to delete the joke ( the row from the
> > db) is as follows:
> > // If a joke has been deleted,
> > // remove it from the database
> > if (isset($_GET['deletejoke'])) {
> > $deletejoke=$_GET['deletejoke'];
> > echo("<p>The joke to delete is number $deletejoke");
> > $sql = "DELETE FROM jokes " .
> > "WHERE ID=$deletejoke";
> > if (mysql_query($sql)) {
> > echo("<p>The joke has been deleted.</p>");
> > } else {
> > echo("<p>Error deleting joke: " .
> > mysql_error() . "</p>");
> > }
> > }
>
> > Thanks in advance for any help,
> > Bruce

you haven't quite included the SELECT statement you are using, so we
can't help, but basically to get all the columns in the table the
syntax is
SELECT * FROM table .......
that will get you all 3.

As for the rest of your code, you NEED to be looking at the php
manual for
mysql_real_escape_string()

and the MySQL manual for
LIMIT

else someone could write the following URL

http://server.com/script.php?deletejoke=2;drop%20tablename

bye bye all jokes. *unless the user this app is running under is not
allowed to do this, however there's nothing to stop it deleting them
all, and leaving a blank table.

if ( isset($_POST['deletejoke']) &&
preg_match( "/^[0-9]{1,3}$/", $_POST['deletejoke']) )
{
//this means that the var is set, and is a number between 0-999
//(the ^ and $ anchors check the WHOLE value is digits, not just that
//it contains one; ereg() was removed in PHP 7, so preg_match() is used)
$deletejoke = (int)$_POST['deletejoke'];
}
else
{
//tell user "choose a single joke to delete using the interface provided";
}

either before the delete query or during it, use the escape function

$sql = "DELETE from tablename WHERE `id` = " .
mysql_real_escape_string($deletejoke) .
" LIMIT 1;";

makes more sense.


You should be using POST since the user is changing the application,
the last thing you want is for someone's browser to prefetch all those
delete links.
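Putting the reply's points together (validate that the id is a short run of digits, delete with LIMIT 1, and use POST rather than GET links) as one complete page. This is an added example, not shimmyshack's or the original poster's code. It assumes the `jokes` table from the question (ID, JokeText, JokeDate), binds the id through a mysqli prepared statement instead of splicing an escaped string into the SQL (the mysql_* functions the thread uses were removed in PHP 7), and the connection details are placeholders.

```php
<?php
// Added example; not code from the thread. Assumes a table
// jokes(ID INT PRIMARY KEY, JokeText TEXT, JokeDate DATE).
// DB_USER / DB_PASSWORD / DB_NAME are placeholders for your own settings.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connection failed: ' . htmlspecialchars($db->connect_error));
}

// Return the joke ID from the request as an int, or null when it is missing
// or not a 1-3 digit number (0-999, as in the reply). The ^ and $ anchors
// are what make this a whole-value check: an unanchored [0-9] would accept
// any string that merely contains a digit.
function validated_joke_id(array $request)
{
    if (!isset($request['deletejoke'])) {
        return null;
    }
    if (!preg_match('/^[0-9]{1,3}$/', $request['deletejoke'])) {
        return null;
    }
    return (int) $request['deletejoke'];
}

// Delete at most one row. The ID is bound as an integer parameter, so it is
// never part of the SQL text and cannot change the statement's meaning.
function delete_joke(mysqli $db, $id)
{
    $stmt = $db->prepare('DELETE FROM jokes WHERE ID = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);
    $ok = $stmt->execute();
    $deleted = $ok && $stmt->affected_rows === 1;
    $stmt->close();
    return $deleted;
}

// Only act on POST: a GET link can be followed by a crawler or a browser
// prefetcher without the user ever clicking it.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = validated_joke_id($_POST);
    if ($id === null) {
        echo '<p>Choose a single joke to delete using the interface provided.</p>';
    } elseif (delete_joke($db, $id)) {
        echo '<p>The joke has been deleted.</p>';
    } else {
        echo '<p>Error deleting joke: ' . htmlspecialchars($db->error) . '</p>';
    }
}

// List the jokes. Naming the columns (rather than SELECT *) makes it obvious
// that ID is part of the result set the loop reads from.
$result = $db->query('SELECT ID, JokeText, JokeDate FROM jokes ORDER BY ID');
if ($result === false) {
    die('Error reading jokes: ' . htmlspecialchars($db->error));
}
while ($row = $result->fetch_assoc()) {
    $id   = (int) $row['ID'];
    $text = htmlspecialchars($row['JokeText']);
    // One small POST form per joke replaces the "Delete this Joke" GET link.
    // action="" posts back to the current URL without echoing PHP_SELF.
    echo "<p>$text</p>\n";
    echo "<form method=\"post\" action=\"\">\n";
    echo "  <input type=\"hidden\" name=\"deletejoke\" value=\"$id\">\n";
    echo "  <input type=\"submit\" value=\"Delete this Joke\">\n";
    echo "</form>\n";
}
$result->free();
$db->close();
```

With the id bound as a parameter, the digit check is no longer what stops injection; it is kept because it matches the reply's "single joke, number between 0-999" rule and turns a malformed request into a clear message instead of a database error. The LIMIT 1 is a second guard so that even a future bug in the WHERE clause can remove at most one row per request.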
