DELETE FROM help...

paroa

Im having problem writing my cms. The part thats not working is the delete part...

<?php
session_start();
include 'config.php';
include 'opendb.php';
$SESSION['modifyform'] = $POST;
$modifycat = $POST['modifycat'];
if(isset($GET['del']))
{
$query = "DELETE FROM {$SESSION['modifyform']['modifycat']} WHERE id = '{$GET['del']}'";
mysql_query($query) or die('Error : ' . mysql_error());

exit;
}
?>

Ive searched everywhere but no solution

the error i come up with is

Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = '3'' at line 1

If i put a table name where "{$_SESSION['modifyform']['modifycat']}" , it works fine.

I use the same variable in a "SELECT FROM" query, and it works fine, if i echo "{$_SESSION['modifyform']['modifycat']}" it comes up with the correct value

this is the link which calls the query
<a href="javascript:delArticle('<?php echo $id;?>', '<?php echo $item_name;?>');">delete</a>

and heres the javascript

Can anyone point me in the right direction?

bradgrafelman

Try echo'ing out $query right after the error and paste it here for us to examine.

paroa

This is the error i get
Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = '3'' at line 1

if i change {$_SESSION['modifyform']['modifycat']} to an actual table name, it functions properly. its only when i put in the variable it displays this error...i dont understand because i use the exact same variable here:

$query = "SELECT id, item_name, description, code, price, postage FROM {$_SESSION['modifyform']['modifycat']}";

and that works fine, its only the "delete from where" that doesnt work?

Its driving me nuts

Thanks

bradgrafelman

As I said above, please echo out $query and paste the output so we can see what's actually being sent.

paroa

I feel stupid, i echoed $query, but nothing came up...

paroa

i echoed it again, and it came up with Error: query empty...

bradgrafelman

Er... how exactly did you try to echo it? I just meant something simple, e.g.:

$query = "DELETE FROM {$_SESSION['modifyform']['modifycat']} WHERE id = '{$_GET['del']}'";
mysql_query($query) or die('Query sent: ' . $query . '<br><br>Error : ' . mysql_error());

paroa

Query sent: DELETE FROM WHERE id = '3'

Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = '3'' at line 1

Thats the error, but i dont understand? theres no table name? yet wen i echo the variable it displays the correct name?

bradgrafelman

Okay.. add this right after that mysql_query() line:

var_dump($_SESSION['modifyform']);

and paste the output (removing any sensitive information, if applicable).

paroa

I placed that piece of code just after

mysql_query($query) or die('Query sent: ' . $query . '<br><br>Error : ' . mysql_error());

which didnt output anything, so i placed that code just before it, and this is what it output

array(0) { } Query sent: DELETE FROM WHERE id = '3'

Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = '3'' at line 1

I appreciate your help.

leatherback

Hi Paroa,

Two things:
- You use $GET and $POST next to eachother in the same script. The $GET variable is being found. Are you sure you are also POSTing the other variables? You could for now simplify and use the $POST['modifycat'] directly. Use print_r($POST); to see whether anything was submitted and if so how.
- You are using the posted variables directly in your script;this opens your site to hackers. You should NEVER trust input from the website; always parse user input through [man]mysql_real_escape_string[man]. The second part o fthe second comment is that it is very unwise to use the table names directly in your script. Just don't do it. Send an identifier or something. But not the actual table and field names. Again: It opens a whole can of worms, especially if you have little leaks in your scripts.