0

Why does this PHP code (mysql_query to delete a row where user name is $phpVar) do nothing?

mysql_query("DELETE FROM xraydeath WHERE user = $user");
3
  • 2
    And what is $user set to and what is the data in the table? Commented Jul 30, 2012 at 6:42
  • 2
    Sidenote: Always remember that mysql_* functions are deprecated. Use their mysqli_* counterparts. Commented Jul 30, 2012 at 6:48
  • 2
    This form of usage is prone to SQL injection. Use PDO and bind parameters. Commented Jul 30, 2012 at 6:49

8 Answers

3

Probably because you forgot to quote the $user parameter. Also, please escape variables that go into SQL query strings. If that parameter is connected directly to user input, someone might submit ' or 1=1 -- and your whole table is gone. This idea is known as SQL injection.

Note: the old mysql_* functions are now deprecated, you should avoid using them, see the alternatives.


1

You need to put quotes around strings like this:

mysql_query("DELETE FROM xraydeath WHERE user = '$user'");


1

You forgot the quotes around the user:

mysql_query("DELETE FROM xraydeath WHERE user = '$user'");

8 Comments

And how do you see that the user column is a string type? :)
I can't see it, but I feel it :)
@WouterH If $user isn't a string, then the query should work fine, right!
@juergen d Your feelings might hurt you sometime ;)
@BhuvanRikka: what about the mysql server that is down? a bad connection string? a missing table? a missing column? forgot to put it between <?php ?> tags? or no mysql_connect at all?
0

What are you expecting? How does it fail? mysql_query is not supposed to do anything in the form that you are using it, except sending the query to the server.

 $result = mysql_query (...);
 // use the result if any.
 if (!$result) {
    die('Invalid query: ' . mysql_error());
 }
 // check the error that you might have


0

You need to put $user into quotes:

mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");

Also, DELETE will succeed even if no rows were deleted, so to get how many rows were actually deleted use mysql_affected_rows():

$x = mysql_query("..");
echo "There were ".mysql_affected_rows()." rows affected";

Try not to use mysql_*; switch to PDO instead.


0

Assuming xraydeath.user is a character type, the value needs to be enclosed in quotes. If $user does not already contain the quotes, try:

mysql_query("DELETE FROM xraydeath WHERE user = '$user'");

And for kicks, try setting $user = "' OR '1'='1";! (Read up on SQL injection attacks and you should really switch to mysqli!)


It's also possible the table does not have a matching row, and therefore nothing will be deleted. Without knowing what you have assigned to $user and your data there is no way to know.


0

Try this one:

mysql_query("DELETE FROM xraydeath WHERE user = '".$user."'");

or

mysql_query("DELETE FROM xraydeath WHERE user = '".$user."';");

Every PHP variable that is used in MySQL, put it into '".$variable."'


-1

First: mysql is deprecated. You should use mysqli. Second: What kind of type is user? If it is int (object-oriented style):

mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` = '".$user."'");

If it is varchar (string):

mysqli::query("DELETE (what you want) FROM xraydeath WHERE `user` LIKE '".$user."'");

or (procedural style)

mysqli_query((your mysqli link), "DELETE (what you want) FROM xraydeath WHERE `user` LIKE/= '".$user."'");

Hope it helps

5 Comments

You are demonstrating the use of mysqli without prepared statements! IMHO this is a bad example of using mysqli, sorry.
The $user should be verified before executing the statement, mysqli_real_escape_string or something to prevent mysqliInjection.
No, you don't need mysqli_real_escape_string, you must use prepared statements and parameter binding. With prepared statements you never have to care about injections and escaping strings ever again. How cool is that? :)
Interesting. But still, he asked for a solution for executing the query :D
Everyone is trying to tell the OP to use mysqli, and you are giving a very bad example. Either remove the answer or adopt it and use a prepared statement and bind the $user parameter.
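
The prepared-statement approach that the comments on this page call for, next to the interpolated form from the answers, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the helper names (seed, deleteInterpolated, deleteBound) and the table contents are constructed for illustration.

```php
<?php
// Added example: constructed table and data; in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
// Make failed queries throw instead of silently "doing nothing".
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function seed(PDO $pdo): void {
    $pdo->exec('DROP TABLE IF EXISTS xraydeath');
    $pdo->exec('CREATE TABLE xraydeath (user TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO xraydeath (user) VALUES (?)');
    foreach (['alice', 'bob', "o'brien"] as $name) {
        $ins->execute([$name]);
    }
}

// Form from the answers: the value becomes part of the SQL text.
function deleteInterpolated(PDO $pdo, string $user): int {
    return $pdo->exec("DELETE FROM xraydeath WHERE user = '$user'");
}

// Hardened form: the SQL text is fixed and the value travels as a bound parameter.
function deleteBound(PDO $pdo, string $user): int {
    $stmt = $pdo->prepare('DELETE FROM xraydeath WHERE user = :user');
    $stmt->execute([':user' => $user]);
    return $stmt->rowCount(); // rows actually deleted; 0 means no match, not an error
}

$hostile = "' OR '1'='1"; // the value quoted in one of the answers

seed($pdo);
printf("interpolated, hostile value: %d rows deleted\n", deleteInterpolated($pdo, $hostile));

seed($pdo);
printf("bound, hostile value:        %d rows deleted\n", deleteBound($pdo, $hostile));
printf("bound, o'brien:              %d rows deleted\n", deleteBound($pdo, "o'brien"));
printf("bound, unknown user:         %d rows deleted\n", deleteBound($pdo, 'nobody'));

// The question's unquoted query fails to parse as intended; exception mode surfaces it.
try {
    $pdo->exec('DELETE FROM xraydeath WHERE user = alice');
} catch (PDOException $e) {
    echo 'unquoted value: ', $e->getMessage(), "\n";
}
```

With a MySQL DSN the same prepare/execute/rowCount calls apply unchanged; only the connection string differs.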
