0

Is there a way i can use the same php file 'favorite.php' to carry out two separate mysql queries each time it's accessed.

Basically i have a link on a users profile page called add to favorites, which links to favorite.php and runs the query to add users to the session users favorites list. I want to add another query to the file to run on a separate occasion, so on the next time that links clicked to say if the favorite id exists in the table to delete it removing that user from the session users favorites list?

here i have my insert into query, and now i just need to find a way of saying delete favorite id if exists for the second time the link is clicked?

<?php

require_once('includes/session.php');
require_once('includes/functions.php');
require('includes/_config/connection.php');


session_start();


    confirm_logged_in();




    if (isset ($_GET['to'])) {
    $user_to_id = $_GET['to'];


}


if (!isset($_GET['to']))
    exit('No user specified.');

$user_id = $_GET['to'];

$result = mysql_query("INSERT INTO ptb_favorites (user_id, favorite_id) VALUES (".$_SESSION['user_id'].", ".$user_to_id.")") 
or die(mysql_error()); 

if($result = mysql_query($query))

$result = mysql_query("DELETE FROM ptb_favorites (user_id, favorite_id) VALUES (".$_SESSION['user_id'].", ".$user_to_id.")") 
or die(mysql_error()); 

header("Location: profile.php?id=" . $user_to_id['user_id']);


?>

Hope that makes sense thanks.

Improve this question
5
  • then just run mysql_query() again? Commented Dec 27, 2012 at 2:45
  • surely that would cause the previous sql to cause an error? i'll try it Commented Dec 27, 2012 at 2:47
  • 3
    Note that mysql_query() is deprecated Commented Dec 27, 2012 at 2:47
  • 1
    Your code is vulnerable to SQL injection, please use PDO prepared statements instead Commented Dec 27, 2012 at 2:50
  • 1
    You have exactly the same errors like on your other question stackoverflow.com/questions/14048367/…. The same mysql injections are possible etc. And you have not accepted an answer on that question too while I see here that you fixed some of the code. These are not good manners. Commented Dec 27, 2012 at 2:53

2 Answers 2

Reset to default
1

Here's how I'd write your script to avoid SQL injection, assuming you have PHP 5.3 or greater. I tend to use closures / anonymous functions for database queries, but you can use them in inline with everything else.

The last line however I'm confused about unless $_GET['to'] is an array.

<?php

require_once('includes/session.php');
require_once('includes/functions.php');

$connection = new PDO('mysql:host=example.com;dbname=you_database_name', 'mysql_username', 'mysql_pass');

session_start();
confirm_logged_in();

$user_to_id = isset($_GET['to']) ? $_GET['to'] : null;

if (is_null($user_to_id)) {
    exit('No user specified.');
}

$user_id = $_GET['to'];

$insert = (function () use ($connection, $user_to_id) {
    $sql = "INSERT INTO ptb_favorites (user_id, favorite_id) VALUES (?, ?)";
    $statement = $connection->prepare($sql);

    $result = $statement->execute(array(
        $_SESSION['user_id'],
        $user_to_id
    ));

    return $result;
});

if ($insert() === true) {
    $delete = (function () use ($connection, $user_to_id) {
        $sql = "DELETE FROM ptb_favorites WHERE user_id = ? AND favorite_id = ?";
        $statement = $connection->prepare($sql);

        $result = $statement->execute(array(
            $_SESSION['user_id'],
            $user_to_id
        ));

        return $result;
    });

    $delete();
}

// Not sure about this line if $user_to_id is not an array
header("Location: profile.php?id=" . $user_to_id['user_id']);
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

thanks for your suggestion adam however i get 4 syntax errors on your code.
@JamesMatthews sorry my bad, I was using if (!is_null($user_to_id). This should actually be if (is_null($user_to_id) (code updated). You may also have to refactor some of the code if you had additional logic in includes/_config/connection.php that I might be missing
0

when building DELETE statement, there should be no VALUES keyword involved,

DELETE 
FROM ptb_favorites 
WHERE user_id = val1 AND
      favorite_id = val2

so in PHP

$delQuery = "    DELETE 
                 FROM ptb_favorites 
                 WHERE user_id = '" . $_SESSION['user_id'] . "' AND
                       favorite_id = '" . $user_to_id . "'"
$result = mysql_query($delQuery) or die(mysql_error());

As a sidenote, the query is vulnerable with SQL Injection. Please take a look at the article below to learn how to prevent from it. By using PreparedStatements you can get rid of using single quotes around values.

Improve this answer

2 Comments

thank you i will take a look at adding in sql protection. with this statement do i need to put an if or else statement or just put it in under the original query?
also i am getting a syntax error with that code at the $result = mysql_query line

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.