Posted by Lars Eighner on 10/23/07 16:39

In our last episode, <xn0fcsm06378v50002@news.individual.net>, the lovely
and talented Jeff Gaines broadcast on comp.lang.php:

> I have down-loaded several php scripts and am working my way through them
> as part of my learning process. I have noticed situations like this:

> mysql_query("DELETE FROM $table WHERE id=$id",$db);

> where scripts have been called from another script/page with a parameter -
> i.e. 'id' is a parameter that is not defined in the script before the
> above line is called.

> They don't work as they are but I can get the parameters by using
> $_GET['id'] or sometimes $_POST['id'].

> Is this a result of different versions of php (I am using v5) where
> behaviour has changed or is it something else that is going completely
> over my head because I am so new to this?

It is not entirely clear by "They don't work" whether your problem is how
the parameters are (should be) passed or with executing a mysql query. So
it is rather to the point how they fail to work. Could you clarify that a
little?

There is no necessary connection between $_POST['id'] (or $_GET['id'])
and $id. If $id doesn't get a value somewhere, perhaps passed as a
parameter, it will have an empty value. This is not really nonsense as
you might well want to delete rows with an empty id field, but if this kind
of clean-up is wanted, it should be done in a more straightforward way with
a instruction as potentially dangerous as DELETE. (And of course, setting
up a table in which a field called 'id' could ever acquire and empty value
would be fairly perverse.

So for this query to be likely, somewhere $id would have to be assigned.

This might be:

$id = <something>;

or

$foo = some_function(<something>);

where some_function is defined:

some_function($id){
....
return $bar;
}

or

some_function(){
$id = func_get_arg(0);
....
return $bar;
}

On the other hand, if "They don't work" has to do with the query failing, I
suppose I should mention that mysql_query() will not work without a database
connection. If it isn't given a connection, it will try to use a previous
connection, and failing that it will try to establish one with mysql_connect
without parameters, a last ditch effort almost certain to fail in real-world
situations.

--
Lars Eighner <http://larseighner.com/> <http://myspace.com/larseighner>
Countdown: 454 days to go.
What do you do when you're debranded?

[Back to original message]