PHP/MySQL and deleting

I’m tearing my hair out trying to figure out why this wont work. I get a variable (the name of a table) via the querystring and I want to delete the name from a user table. For example, without the querystring variables it would look like:

mysql_query("DELETE FROM cykrider WHERE testname=‘mytest’ ");
echo mysql_error();
(This works)

However, when I put mytest as a
variable (testnam), I get an error:

mysql_query("DELETE FROM $usersname WHERE testname=’$testnam’ ");
echo mysql_error();

I’ve tried changing it to:
WHERE testname = ‘$testnam’ ");

but that didn’t seem to work either. Any ideas? Thanks.

Lose the single quotes. IIRC, MySQL treats everything in single quotes as a literal.

Try “Delete From " + $usersname + " where testname=’” + $testnam + “’” inside of the mysql_query parenthesis

Note that ‘’’ is actually a single quote followed by a double quote and “’” is actualy a single quote inside of two double quotes.

This also assumes you concatenate strings in PHP using the plus sign. If not replace the + with the appropriate symbol.

Try this:

mysql_query("DELETE FROM ‘$usersname’ WHERE testname=’$testnam’ ");

$username is the name of the table? I’m not sure why it needs to be a variable. Does each $username have its own table?

I looked over my old PHP hacks I did for tForum a while back, and the single quotes are needed around string variables.

Yes, QED is correct. Anything within quotes is taken literal.

Sadly these haven’t worked either. Maybe if I show you the whole code it will make more sense.
session_start(); //this has $username registered
[connect and selete db here]
##this will actually delete the test and send them back to the menu.
##drop the table testname and delete the testname from the user.
##mysql_query(“drop table $testnam”);
##echo mysql_error(); //this worked and i took it out for debuging
mysql_query(“DELETE FROM $usersname WHERE testname=$testnam”);
echo mysql_error();

<script language=“javascript”>

java stuff here



’ “.$testnam.” ’ seemed to give me the desired result of ‘test’ yet I still get the error: You have an error in your SQL syntax near 'WHERE testname=‘yourmom’ ’ at line 1

The following code works for me:

mysql_query("DELETE FROM $username WHERE testname='$testnam'") or die(mysql_error());

In other words, put the field value within single quotes but not the table name. Depending on your version of PHP, you might also want to try this:

mysql_query("DELETE FROM $username WHERE testname='".$testnam."'") or die(mysql_error());

Sorry for the double-post, but I also see that you first have a line reading:

session_start(); //this has **$username** registered

Then later

mysql_query("DELETE FROM **$usersname** WHERE testname=$testnam");

Is this just a typo in your post (or comment), or do you have the same names in your code?

Not really sure, b/c I swore I tried this 6 or 7 times, but this:
mysql_query(“DELETE FROM $username WHERE testname=’”.$testnam."’ ");
echo mysql_error();

managed to get it working. Thanks for all your help.

you could probably also use ‘{$testname}’ (i.e., put the variable name inside curly braces inside the single quotes). PHP uses the curly braces to resolve confusing quotation mark situations, if I recall correctly.


If REGISTER_GLOBALS is off, which it probably is you’ll have to do this…

$testnam = $HTTP_GET_VARS[‘testnam’];

somewhere before:

mysql_query(“DELETE FROM $usersname WHERE testname=$testnam”);


Change it to:

mysql_query(“DELETE FROM $usersname WHERE testname=” . $HTTP_GET_VARS[‘testnam’]);

Does MySQL in PHP not support bind variables?

builds a string for the database to parse and execute. What If I as a user figures out how to set $testname to (play close attention to the single quotes):

$testname="anything' or 'a'='a"

so that the quoted mysql_query(…) above resolves to(assuming $username=‘Evil_User’):

DELETE FROM Evil_User WHERE testname='anything' or '1'='1'

That would delete all records from the table named Evil_User.

Oracle for one, caches SQL statements and doesn’t waste time reparsing exact ones, using bind varibles (except that $username bit), actually speeds things up in future runs.