Posted by shimmyshack on 02/14/07 23:38
On 14 Feb, 23:11, "edward_sanders" <edward_sand...@bellsouth.net>
wrote:
> I meant to add that I am using PHP 5.2.x and
> mysql 5
> Thanks,
> Bruce
>
> "edward_sanders" <edward_sand...@bellsouth.net> wrote in message news:...
> > Hi,
> > This is a newbie question. I am using a text for learning php/mysql.
> > The example is that of a mysql
> > database of jokes. Before we get to joins there is a
> > simple table with 3 fields, ID field (primary key, integer),
> > JokeText, and JokeDate. In the program for some
> > reason the code is not retrieving the ID for each
> > row from the db. It gets the JokeText field just fine.
> > Let me include the snippets below.
>
> > This is where each row (each joke) is to be displayed.
> > Note that the ID is used to give the option of deleting a
> > joke from the db. The link tag is supposed to get that
> > ID passed to the link but that isn't happening. Please help.
>
> > // Display the text of each joke in the paragraph
> > while ( $row = mysql_fetch_array($result)) {
> >     $jokeid = $row["ID"];
> >     echo ($row["ID"]);
> >     $deletejoke=$jokeid;
> >     $joketext = $row["JokeText"];
> >     $thispage = $_SERVER["PHP_SELF"];
> >     echo("<p>$joketext " .
> >          "<A HREF='$thispage?deletejoke=$jokeid'>" .
> >          "Delete this Joke</a></p>");
> > }
>
> > Then the code to delete the joke ( the row from the
> > db) is as follows:
> > // If a joke has been deleted,
> > // remove it from the database
> > if (isset($_GET['deletejoke'])) {
> >     $deletejoke=$_GET['deletejoke'];
> >     echo("<p>The joke to delete is number $deletejoke");
> >     $sql = "DELETE FROM jokes " .
> >            "WHERE ID=$deletejoke";
> >     if (mysql_query($sql)) {
> >         echo("<p>The joke has been deleted.</p>");
> >     } else {
> >         echo("<p>Error deleting joke: " .
> >              mysql_error() . "</p>");
> >     }
> > }
>
> > Thanks in advance for any help,
> > Bruce
You haven't quite included the SELECT statement you are using, so we
can't help, but basically to get all the columns in the table the
syntax is
SELECT * FROM table .......
that will get you all 3.
As for the rest of your code, you NEED to be looking at the PHP
manual for
mysql_real_escape_string()
and the MySQL manual for
LIMIT
else someone could write the following URL
http://server.com/script.php?deletejoke=2;drop%20tablename
bye bye all jokes. *unless the user this app is running under is not
allowed to do this, however there's nothing to stop it deleting them
all, and leaving a blank table.
if ( isset($_POST['deletejoke']) &&
     ereg( "^[0-9]{1,3}$", $_POST['deletejoke']) )
{
    // this means that the var is set, and is a number between 0-999
    // (the quantifier is {1,3} and the pattern is anchored so that
    // "2;drop tablename" does not match on its leading digit)
    $deletejoke = (int)$_POST['deletejoke'];
}
else
{
    // tell user "choose a single joke to delete using the interface provided";
}
Either before the delete query or during it, use the escape function:
$sql = "DELETE FROM tablename WHERE `id` = " .
       mysql_real_escape_string($deletejoke) .
       " LIMIT 1;";
makes more sense.
You should be using POST since the user is changing the application,
the last thing you want is for someone's browser to prefetch all those
delete links.
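The hardened delete handler the reply describes (digits-only check on the id, POST instead of GET, the id kept out of the SQL text), written out as an added example that is not code from the thread. It assumes PDO with an in-memory SQLite database so it runs offline, and the `jokes` rows are constructed sample data; the thread's MySQL code would use the same bound-parameter approach through mysqli or PDO's mysql driver, where the reply's `LIMIT 1` can also be appended (SQLite does not accept `LIMIT` on `DELETE` by default, so it is omitted here and the primary key does the limiting).

```php
<?php
// Added example, not from the thread: validate the joke id and delete it
// with a bound parameter instead of interpolating it into the query.

// Accept only a short, all-digit string: the check shimmyshack's regex
// intended. ctype_digit() rejects "", signs, spaces and "2;drop tablename".
function validJokeId($raw)
{
    $raw = (string) $raw;
    if (!ctype_digit($raw) || strlen($raw) > 3) {
        return null;
    }
    return (int) $raw;
}

// Constructed sample database with the three-column jokes table from the post.
function makeJokeDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE jokes (ID INTEGER PRIMARY KEY, JokeText TEXT, JokeDate TEXT)');
    $ins = $db->prepare('INSERT INTO jokes (JokeText, JokeDate) VALUES (?, ?)');
    $texts = array('Why did the chicken cross the road?', 'Knock knock.', 'A man walks into a bar.');
    foreach ($texts as $i => $text) {
        $ins->execute(array($text, '2007-02-1' . ($i + 1)));
    }
    return $db;
}

// $post is the $_POST array (a form submission, as the reply recommends,
// so a link-prefetching browser never triggers a delete).
function deleteJoke(PDO $db, array $post)
{
    if (!isset($post['deletejoke'])) {
        return 'nothing to delete';
    }
    $id = validJokeId($post['deletejoke']);
    if ($id === null) {
        return 'choose a single joke to delete using the interface provided';
    }
    // The id is bound as an integer; it never becomes part of the SQL string.
    $stmt = $db->prepare('DELETE FROM jokes WHERE ID = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1 ? "joke $id deleted" : "no joke with id $id";
}

function countJokes(PDO $db)
{
    return (int) $db->query('SELECT COUNT(*) FROM jokes')->fetchColumn();
}

$db = makeJokeDb();
echo deleteJoke($db, array('deletejoke' => '2')), "\n";                // joke 2 deleted
echo deleteJoke($db, array('deletejoke' => '2;drop tablename')), "\n"; // rejected by validJokeId
echo deleteJoke($db, array('deletejoke' => 'abc')), "\n";              // rejected by validJokeId
echo deleteJoke($db, array('deletejoke' => '9')), "\n";                // no joke with id 9
echo countJokes($db), "\n";                                            // 2 rows remain
```

Run it with `php delete_joke.php` (any file name); the two rejected inputs leave the table untouched, and the input from the reply's example URL is refused before any query is built rather than escaped after the fact.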