Need help with PHP and SQL

Forums › IT Pro and developers › Need help with PHP and SQL

Anibor

25 posts

Geek

#68690 26-Sep-2010 14:47

I want to print a message via php only if my mysql statement performs

if ( $_POST['Delete'])
{
    $Customer_Code_form = $_POST['Customer_Code'];
    mysql_query("DELETE FROM customer WHERE Customer_Code = '$Customer_Code_form'") or die(mysql_error());

    Echo ">>>$Customer_Code_form has been deleted<<<";

}

right now this code will output whatever number was sent to it where or not something was deleted... and im too hung over atm to figure out how to solve this myself

LennonNZ

2459 posts

Uber Geek

ID Verified

Trusted

#384549 26-Sep-2010 15:18

Do you really trust $_POST putting it into a mysql query without quoting it?

try a little $Customer_Code_form = mysql_quote($_POST['Customer_Code']);

If you are echoing html then...

echo "<center>>>> $Customer_Code_form has been deleted <<<</center>"; is what you need to do.

With the result thingy..

what you need to look at is:

http://php.net/manual/en/function.mysql-query.php

so something like

if ($mysql_query (......)) {
       echo "......"; # OK Result
       } else {
      echo "......."; # ERROR Result
}

freitasm

BDFL - Memuneh
79295 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#384556 26-Sep-2010 15:29

As said.... Don't trust ANY input. Ever. By using the input directly in your code you are opening it up for SQL Injections.

Anibor

25 posts

Geek

#384566 26-Sep-2010 15:56

Cheers guys and dont worry this isnt going to be the final code, im passing it over to another coder to put in the catches and testing so its not unsafe :D

k1wi

484 posts

Ultimate Geek

#384567 26-Sep-2010 16:06

just so long as they atleast put in a few mysql_real_escape_string()'s.

It's a really good habit to put make your code as safe as possible as early as possible. Relying on someone else to run through your code and do all the securing is running a real risk that they'll miss something, the risk increases exponentially as your code grows too.

Anibor

25 posts

Geek

#384570 26-Sep-2010 16:17

Yeah this still aint working

    $delete = ("DELETE FROM customer WHERE Customer_Code = '$Customer_Code_form'");
    if ( mysql_query($delete))
    {
        Echo "<center>>>>$Customer_Code_form has been deleted<<<</center>";
    }
    else { echo "fail";}

k1wi

484 posts

Ultimate Geek

#384579 26-Sep-2010 16:59

You could add some conditioning/checking by creating a couple of Mysql queries for the customer ID before and after deleting....

I.E. check to see whether the customer ID exists, if it exists, delete the variable, then check again after the delete whether the variable exists or not, and build the logic around that.

Or you could probably use mysql result...

LennonNZ

2459 posts

Uber Geek

ID Verified

Trusted

#384612 26-Sep-2010 18:41

ah..

http://php.net/manual/en/function.mysql-affected-rows.php

if (mysql_affected_rows() > 0) {
echo "something got deleted";
} else {
echo "nothing got deleted";
}