While trying to create a website on which users can buy and sell stocks, I encountered the following error while trying to implement the "sell" option. Users can type in the symbol of some stock they have, and then the website ought to delete all stocks with that symbol (by means of a POST method). I use the following sql statements in sell.php (the controller):

query("DELETE FROM userstocks WHERE id = " . $_SESSION["id"] . "
       AND symbol = " . $_POST["symbol"]);
query("UPDATE users SET cash = cash + 200 WHERE id = " . $_SESSION["id"]);
render("sellconfirmation.php", ["cash" => $cash]);

There is something wrong with the DELETE FROM query, though. I get the following error:

Fatal error: Unknown column 'fb' in 'where clause' in /home/jharvard/vhosts/pset7/includes/functions.php on line 139

I think this is strange, because when I manually type in the actual 'fb' stock (as in: AND symbol = 'symbol' ) it all works perfectly well. I want the website to delete the stock based on what the user typed in though.

Question: What's wrong with the DELETE FROM query?

  • 1
    What happens if I POST the following "symbol"? lolhax' or '1 Commented Feb 6, 2014 at 12:10
  • 1
    before anyone else spams you with it: stackoverflow.com/questions/60174/… Commented Feb 6, 2014 at 12:28

2 Answers

Add quote to symbol

query("DELETE FROM userstocks WHERE id = " . $_SESSION["id"] . "
       AND symbol = '" . $_POST["symbol"] . "'");

EDIT:

Also use mysqli_real_escape_string or PDO::quote to secure your string.

2 Comments

And fix the injection hole.
Thanks! (... more characters)
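The comments above point at the real problem: adding quotes makes the query parse, but the user-supplied symbol still becomes part of the SQL text. The script below is an added example, not code from the question or either answer, and it uses an in-memory SQLite database through PDO (an assumption, chosen so it runs stand-alone; the post's site uses MySQL through a `query()` helper) with a constructed `userstocks` table. It runs the first comment's payload `lolhax' or '1` through the quoted-but-concatenated DELETE from the accepted answer, then through a prepared statement with bound parameters, and counts what survives each time.

```php
<?php
// Added example, not from the original post. Shows why the concatenated
// DELETE from the accepted answer is injectable and how a prepared statement
// fixes it. In-memory SQLite via PDO stands in for the post's MySQL setup;
// the userstocks table and its rows are constructed here for the demo.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema: user 1 holds fb and goog, user 2 holds fb.
    $db->exec('CREATE TABLE userstocks (id INTEGER, symbol TEXT, shares INTEGER)');
    $db->exec("INSERT INTO userstocks VALUES (1, 'fb', 10), (1, 'goog', 5), (2, 'fb', 7)");
    return $db;
}

function rowCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM userstocks')->fetchColumn();
}

// Vulnerable: same shape as the accepted answer, quotes added around the
// symbol but the value still spliced into the SQL string.
function sellVulnerable(PDO $db, int $userId, string $symbol): void
{
    $db->exec("DELETE FROM userstocks WHERE id = " . $userId
            . " AND symbol = '" . $symbol . "'");
}

// Fixed: placeholders. The value travels separately from the SQL text, so a
// quote character in $symbol is data, never part of the statement.
function sellSafe(PDO $db, int $userId, string $symbol): void
{
    $stmt = $db->prepare('DELETE FROM userstocks WHERE id = :id AND symbol = :symbol');
    $stmt->execute([':id' => $userId, ':symbol' => $symbol]);
}

// Payload quoted in the first comment on the question.
$payload = "lolhax' or '1";

$db = makeDb();
sellVulnerable($db, 1, $payload);
// The WHERE clause became:  id = 1 AND symbol = 'lolhax' or '1'
// AND binds tighter than OR, so it reads (id = 1 AND symbol = 'lolhax') OR '1',
// and '1' is true for every row: every user's holdings are deleted.
printf("vulnerable, payload:  %d rows left (expected 0)\n", rowCount($db));

$db = makeDb();
sellSafe($db, 1, $payload);
// The bound value is compared literally against the symbol column; nothing matches.
printf("prepared, payload:    %d rows left (expected 3)\n", rowCount($db));

$db = makeDb();
sellSafe($db, 1, 'fb');
// Normal use still works: only user 1's fb row goes away.
printf("prepared, symbol fb:  %d rows left (expected 2)\n", rowCount($db));
```

Run it with `php sell_demo.php` on a PHP build that includes pdo_sqlite. The same fix applies to the UPDATE on `users`, and to every other query that takes `$_POST` or `$_SESSION` values. If the post's `query()` helper accepts `?` placeholders followed by the values as extra arguments (the CS50 pset7 helper of that era did, but that is an assumption about this page, so check `functions.php`), the controller line becomes `query("DELETE FROM userstocks WHERE id = ? AND symbol = ?", $_SESSION["id"], $_POST["symbol"]);` with no manual quoting or escaping at all.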

You forgot to close the quote in the delete query. Try this:

query("DELETE FROM userstocks WHERE id = " . $_SESSION["id"] . "
       AND symbol = '" . $_POST["symbol"] . "'");

1 Comment

Thank you! (more characters)
