
I am coming across a problem when deleting data from my SQL data. I have tried various versions of my statement but to no avail. Below is the error I am presented with and the statement I am using.

$sql = "DELETE FROM `saved_holidays` WHERE (subscriberID= $user AND title= $check_value)";

//connect to database then execute the SQL statement.
$db->exec($sql);

and the error message is:

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an
error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '@xml119.com AND
title= Luxurious Jamaican holidays | 40% Discount On Accommodati' at
line 1

I can see that the correct data is being passed but the syntax is wrong. Can anyone help?

Comments

  • Just a guess as I don't know much about PHP. Do you need to enclose $user and $check_value in single quotes? Commented Apr 26, 2012 at 13:53

3 Answers


$check_value is a string, so you have to enclose it in ' in your query like this:

title = '$check_value'

For security purposes, you should also use mysql_real_escape_string on all string parameters you have. Or even better, use prepared statements: http://php.net/manual/en/pdo.prepared-statements.php


You need to put quotations around your variables. It doesn't like spaces.

Depending on the server you are using (MySQL or MSSQL) you have to use backticks, single quotes, or double quotes:

DELETE FROM saved_holidays WHERE (subscriberID="$user" AND title="$check_value")

Also, if you are using PDOs, you should consider using prepared statements:

// $conn has to be your connection, created by doing new PDO(...connection string...)
$statement = $conn->prepare("DELETE FROM saved_holidays WHERE (subscriberID=? AND title=?)");
$statement->execute(array($user, $check_value));

Comments

  • The PDOs take care of that. If you use the prepared statements, the sql server doesn't process the arguments as a query. As long as the query that you have prepared doesn't contain any variables, there isn't a danger of injection. Now, someone could do XSS or something and it won't prevent that, but at least with the prepared statement you don't have to worry about someone dropping your database when you aren't looking.
  • I think you added to your answer between when I copied my comment after your answer and now (quickly enough for the edit not to register as a separate edit). What you've got now, discussing prepared statements, is fine; it is still good to mention the mysql_real_escape_string() function (though prepared statements are indubitably better).
  • The PDOs were in my original answer I believe. Either way, both ways of doing it work but I agree that PDOs are better.
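As an added example (not code from the question or from any of the answers above), here is the DELETE from the question written as a PDO prepared statement with named placeholders, so a value containing '@', '|' or '%' can no longer break the SQL syntax or alter the query. The DSN and credentials are placeholders, and the two sample values are constructed from the fragments visible in the error message, not the questioner's actual data.

```php
<?php
// Added example: the question's DELETE as a PDO prepared statement.
// Table and column names come from the question; everything else is a placeholder.
declare(strict_types=1);

function deleteSavedHoliday(PDO $db, string $user, string $title): int
{
    // Named placeholders instead of string interpolation: the values are sent
    // separately from the SQL text, so they are never parsed as SQL.
    $stmt = $db->prepare(
        'DELETE FROM `saved_holidays` WHERE subscriberID = :user AND title = :title'
    );
    $stmt->execute([':user' => $user, ':title' => $title]);
    return $stmt->rowCount(); // rows actually deleted
}

$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // SQL errors become exceptions
        PDO::ATTR_EMULATE_PREPARES => false, // let MySQL bind the parameters server-side
    ]
);

// Constructed sample values (the error message only shows the domain and a truncated title).
$user        = 'EXAMPLE_USER@xml119.com';
$check_value = 'Luxurious Jamaican holidays | 40% Discount';

try {
    $deleted = deleteSavedHoliday($db, $user, $check_value);
    echo "Deleted {$deleted} row(s)\n";
} catch (PDOException $e) {
    // Log the driver message for the operator; do not echo it to end users.
    error_log($e->getMessage());
    echo "Delete failed\n";
}
```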

Amit is correct; your statement should look like this:

$sql = "DELETE FROM `saved_holidays` WHERE (subscriberID= '$user' AND title= '$check_value')";

The variable is a string, so it must be enclosed in single quotes. This should then work for you.
