PHP/MySQL and deleting

cykrider · February 21, 2003, 3:18am

I’m tearing my hair out trying to figure out why this wont work. I get a variable (the name of a table) via the querystring and I want to delete the name from a user table. For example, without the querystring variables it would look like:

mysql_query("DELETE FROM cykrider WHERE testname=‘mytest’ ");
echo mysql_error();
(This works)

However, when I put mytest as a
variable (testnam), I get an error:

mysql_query("DELETE FROM $usersname WHERE testname=’$testnam’ ");
echo mysql_error();

I’ve tried changing it to:
WHERE testname = ‘$testnam’ ");

but that didn’t seem to work either. Any ideas? Thanks.

Q.E.D · February 21, 2003, 3:22am

Lose the single quotes. IIRC, MySQL treats everything in single quotes as a literal.

Hilow · February 21, 2003, 3:30am

Try “Delete From " + $usersname + " where testname=’” + $testnam + “’” inside of the mysql_query parenthesis

Note that ‘’’ is actually a single quote followed by a double quote and “’” is actualy a single quote inside of two double quotes.

This also assumes you concatenate strings in PHP using the plus sign. If not replace the + with the appropriate symbol.

Q.E.D · February 21, 2003, 4:06am

Try this:

mysql_query("DELETE FROM ‘$usersname’ WHERE testname=’$testnam’ ");

$username is the name of the table? I’m not sure why it needs to be a variable. Does each $username have its own table?

I looked over my old PHP hacks I did for tForum a while back, and the single quotes are needed around string variables.

Trigonal_Planar · February 21, 2003, 4:12am

Yes, QED is correct. Anything within quotes is taken literal.

cykrider · February 21, 2003, 4:54am

Sadly these haven’t worked either. Maybe if I show you the whole code it will make more sense.
<?
session_start(); //this has $username registered
$HTTP_GET_VARS[‘testnam’];
[connect and selete db here]
##this will actually delete the test and send them back to the menu.
##drop the table testname and delete the testname from the user.
?>
<html>
<body>
<?
##mysql_query(“drop table $testnam”);
##echo mysql_error(); //this worked and i took it out for debuging
mysql_query(“DELETE FROM $usersname WHERE testname=$testnam”);
echo mysql_error();

print<<<E
<script language=“javascript”>
<!–

java stuff here

–>
</script>

E;
?>
</body>
</html>

’ “.$testnam.” ’ seemed to give me the desired result of ‘test’ yet I still get the error: You have an error in your SQL syntax near 'WHERE testname=‘yourmom’ ’ at line 1

Tom_P · February 21, 2003, 9:03am

The following code works for me:



mysql_query("DELETE FROM $username WHERE testname='$testnam'") or die(mysql_error());

In other words, put the field value within single quotes but not the table name. Depending on your version of PHP, you might also want to try this:



mysql_query("DELETE FROM $username WHERE testname='".$testnam."'") or die(mysql_error());

Tom_P · February 21, 2003, 9:08am

Sorry for the double-post, but I also see that you first have a line reading:



session_start(); //this has **$username** registered

Then later



mysql_query("DELETE FROM **$usersname** WHERE testname=$testnam");

Is this just a typo in your post (or comment), or do you have the same names in your code?

cykrider · February 21, 2003, 3:25pm

Not really sure, b/c I swore I tried this 6 or 7 times, but this:
mysql_query(“DELETE FROM $username WHERE testname=’”.$testnam."’ ");
echo mysql_error();

managed to get it working. Thanks for all your help.

bryanmcc · February 21, 2003, 4:56pm

you could probably also use ‘{$testname}’ (i.e., put the variable name inside curly braces inside the single quotes). PHP uses the curly braces to resolve confusing quotation mark situations, if I recall correctly.

-b

K3v1n · February 22, 2003, 5:45am

If REGISTER_GLOBALS is off, which it probably is you’ll have to do this…

$testnam = $HTTP_GET_VARS[‘testnam’];

somewhere before:

mysql_query(“DELETE FROM $usersname WHERE testname=$testnam”);

orrrr

Change it to:

mysql_query(“DELETE FROM $usersname WHERE testname=” . $HTTP_GET_VARS[‘testnam’]);

NotMrKnowItAll · February 22, 2003, 2:58pm

Does MySQL in PHP not support bind variables?

builds a string for the database to parse and execute. What If I as a user figures out how to set $testname to (play close attention to the single quotes):



$testname="anything' or 'a'='a"

so that the quoted mysql_query(…) above resolves to(assuming $username=‘Evil_User’):



DELETE FROM Evil_User WHERE testname='anything' or '1'='1'

That would delete all records from the table named Evil_User.

Oracle for one, caches SQL statements and doesn’t waste time reparsing exact ones, using bind varibles (except that $username bit), actually speeds things up in future runs.