Hi all
I have a little script im building for online wars (Gaming)
Anyway from the php pages you can add to the DB and retrieve info from it, but wnat you cant do is delete it?...... if spent 2 days now trying to figuire this out ,and i now fear for the saftey of my comupter and of the window it may be flying out off

Code:

<?php require('../config.php');
$db = "$db_name";
$cid = mysql_connect($db_host,$db_username,$db_password);
if (!$cid) { echo("ERROR: " . mysql_error() . "\n"); }

 if ($task=="del") {
  $SQL = " DELETE FROM ca_war ";
  $SQL = $SQL . " WHERE id = $id ";
  mysql_db_query($db, $SQL, $cid);
 }
?>
<html>
<body bgcolor="000000">
</body>
<head>
 
</center>
 
<?
 $SQL = " SELECT * FROM ca_war ";
 $retid = mysql_db_query($db, $SQL, $cid);
 if (!$retid) { echo( mysql_error()); }
 else {
  echo ("<P><TABLE CELLPADDING=4>\n");
  while ($row = mysql_fetch_array($retid)) {
   $clan = $row["clan"];
   $id = $row["id"];
   echo ("<TR>");
   echo ("<TD><font color=ffffff>$clan</TD>\n");
   
   echo ("<TD><A HREF=\"remove.php?id=$id&task=del\">Delete</A></TD>");
   echo ("</TR>");
  }
  echo ("</TABLE>");
 }
?>
 
 
</HTML>

As i say i really cant see why its not working, its re loading itself and the browser then reads correct
Example http://www.limaservices.com/nochex/a...?id=3&task=del so it should have deleted it.....


Im prob looking to hard now so il throw it to you guys if i may

Thanks
Mark

Why not change from this

PHP Code:

 if ($task=="del") {
  $SQL = " DELETE FROM ca_war ";
  $SQL = $SQL . " WHERE id = $id ";
  mysql_db_query($db, $SQL, $cid);
 } 


to this

PHP Code:

 if ($task=="del") {
  $SQL = "DELETE FROM ca_war WHERE id =". $id ;
  mysql_db_query($db, $SQL, $cid);
 } 


$id probably isn't set. If register_globals is off then you will have to set $id this way:
$id = $_GET['id'];

Btw, you might want to do some authorization checking on this script, cause anyone could use that link to delete everything from this db table

Oh, same with task:
$task = $_GET['task'];

Thanks to you both.

It seems like jason_alan you were spot on and i thank you.

As for your security advice, i aggree but am unsure of who to add authorization

Thanks

Mark

For validating your input, you could use a regular expression:

PHP Code:

if($task=="del")
{ 

     if(ereg("^([0-9]+)$", $id)) //id is an integer of at least 1 digit
     {
          $SQL = "DELETE FROM ca_war WHERE id =" . $id; 
          mysql_db_query($db, $SQL, $cid);
     }
} 


Quote:

Btw, you might want to do some authorization checking on this script, cause anyone could use that link to delete everything from this db table

What I meant by that was that you don't want just anyone to be able to use this link:
remove.php?task=del&id=1
remove.php?task=del&id=2
remove.php?task=del&id=3
remove.php?task=del&id=4 ... etc

to wipe out all your records in that table. You should at least have a login form that will store user authorization in the $_SESSION, then check for this at the start of your script. There's many ways to do this, but that's just 1 example

also make sure you use the suggestion from Zycron, otherwise SQL injection could be used to do literally ANYTHING with your database!

make sure you secure your login as well if you're utilizing a database. addslashes is your friend here, use it!