********Caution Newbie********editing and deleting from mysqldatabase

  • Baldaris

    ********Caution Newbie********editing and deleting from mysqldatabase

    Show.php -- This is for showing movie names available in the database

    <?php
    include "auth.php";
    $query="SELECT movie_id,movie_name FROM moviesite";
    $result=mysql_query($query,$link) or die("Can't execute query" .mysql_error());
    while($row=mysql_fetch_array($result))
    {
    $movie_id=$row['movie_id'];
    $movie_name=$row['movie_name'];
    echo $movie_id;
    echo $movie_name;
    ?>
    <a href="update.php?action=edit&id=<?php echo $movie_id; ?>">[UPDATE]</a>
    <a href="delete.php?action=delete&id=<?php echo $movie_id; ?>">[DELETE]</a>
    <?php
    echo "<br/>";
    }
    ?>
    <a href="add.php">[ADD]</a>

    I am not sure what to do to update and delete records from the database;
    the user chooses which record to update or delete.


    Add.php -- This is for adding movie names

    <?php
    include "auth.php";

    $id=$_POST['movie_id'];
    $movie_name=$_POST['movie_name'];

    $query="INSERT INTO moviesite (movie_id , movie_name) VALUES (' $id ' , ' $movie_name' ) " ;
    $sql=mysql_query($query);
    if (!$sql)
    {
    die("Can not execute query" .mysql_error());
    }

    echo "Added to the database";
    mysql_close($link);
    ?>
    <a href="show.php">Index</a>

    Now this is the script which I am struggling with, for delete and update.
    As far as I can understand, I have to pass movie_id to the delete.php page
    and then use this variable to delete it. But with this script, when I
    execute it, my entire list gets deleted.

    <?php
    include "auth.php";

    if($_REQUEST['action']==delete)
    {
    $query="DELETE FROM moviesite where movie_id=' $movie_id ' LIMIT 1";
    $sql=mysql_query($query) or die("Can not delete" .mysql_error());
    }

    ?>
    <a href="show.php">Movie</a>

    Let me know what I am doing wrong, and what the exact query will be like,
    or at least the concept.
    Thanks in advance.
    Baldaris





  • C. (http://symcbean.blogspot.com/)

    #2
    Re: ********Caution Newbie********editing and deleting from mysqldatabase

    On 20 Oct, 12:33, Baldaris <baldari...@yahoo.com> wrote:
    > Now this is the script which I am struggling with, for delete and update.
    > As far as I can understand, I have to pass movie_id to the delete.php page
    > and then use this variable to delete it. But with this script, when I
    > execute it, my entire list gets deleted.
    > <snip>
    You're posting to Usenet twice, for starters. And you included lots of
    irrelevant information, and omitted relevant information.

    What you have posted here doesn't match the problem you're describing
    - this line:

    $query="DELETE FROM moviesite where movie_id=' $movie_id ' LIMIT 1";

    is invalid PHP syntax (you've omitted the concatenation operators
    around $movie_id) so will never execute.

    The next problem is that your code assumes that register_globals is
    enabled - which it shouldn't be.

    Also - that white space around movie_id is not really helping.

    But none of these explain why every row in the table is being deleted,
    unless you have the same movie_id for every row in the table (meaning
    this is a question about relational databases not PHP). But you
    haven't provided the database schema nor any of the data you are
    actually using.

    C.


    • Captain Paralytic

      #3
      Re: ********Caution Newbie********editing and deleting from mysqldatabase

      On 20 Oct, 14:05, "C. (http://symcbean.blogspot.com/)"
      <colin.mckin...@gmail.com> wrote:
      > What you have posted here doesn't match the problem you're describing
      > - this line:
      >
      > $query="DELETE FROM moviesite where movie_id=' $movie_id ' LIMIT 1";
      >
      > is invalid PHP syntax (you've omitted the concatenation operators
      > around $movie_id) so will never execute.
      This is valid PHP syntax! If $movie_id = 5 then $query would contain:

      DELETE FROM moviesite where movie_id=' 5 ' LIMIT 1


      • FutureShock

        #4
        Re: ********Caution Newbie********editing and deleting from mysqldatabase

        Baldaris wrote:
        > As far as I can understand, I have to pass movie_id to the delete.php page
        > and then use this variable to delete it. But with this script, when I
        > execute it, my entire list gets deleted.
        > <snip>
        First of all, validate the data in your database. Ensure that 'movie_id'
        is in fact a unique value.

        Secondly, where are you getting the $movie_id value from for your query?

        From the link it looks like you are setting the 'movie_id' into 'id':

        <a href="delete.php?action=delete&id=<?php echo $movie_id; ?>">[DELETE]</a>

        What you need to do then is retrieve that id from the $_GET variable set
        by the link:

        $movie_id = $_GET['id'];

        Or a better way would be:

        if(isset($_GET['id'])) {
            if($_GET['id'] != '') {
                $movie_id = $_GET['id'];
            } else {
                echo "No value for movie_id.";
                exit; // Or a better laid out error checking scheme
            }
        }

        Good luck
        Scotty


        • C. (http://symcbean.blogspot.com/)

          #5
          Re: ********Caution Newbie********editing and deleting from mysqldatabase

          On 20 Oct, 16:19, Captain Paralytic <paul_laut...@yahoo.com> wrote:
          > This is valid PHP syntax! If $movie_id = 5 then $query would contain:
          >
          > DELETE FROM moviesite where movie_id=' 5 ' LIMIT 1
          Yes - my bad.

          C.


          • Erwin Moller

            #6
            Re: ********Caution Newbie********editing and deleting from mysqldatabase

            FutureShock wrote:
            > What you need to do then is retrieve that id from the $_GET variable set
            > by the link:
            >
            > $movie_id = $_GET['id'];
            >
            > Or a better way would be:
            > <snip>
            Better would be:
            $movie_id = 0;

            if (isset($_GET["id"])){
                $movie_id = (int)$_GET["id"];
            } else {
                echo "no id.";
                exit;
            }

            That way you are sure $movie_id is actually an integer and no funny
            SQL-injection string.

            I prefer this because it is shorter:
            $movie_id = (isset($_GET["id"]) ? (int)$_GET["id"] : -1);
            And assume -1 means 'invalid'.

            Regards,
            Erwin Moller

            --
            "There are two ways of constructing a software design: One way is to
            make it so simple that there are obviously no deficiencies, and the
            other way is to make it so complicated that there are no obvious
            deficiencies. The first method is far more difficult."
            -- C.A.R. Hoare


            • FutureShock

              #7
              Re: ********Caution Newbie********editing and deleting from mysqldatabase

              Erwin Moller wrote:
              > Better would be:
              > $movie_id = 0;
              >
              > if (isset($_GET["id"])){
              >     $movie_id = (int)$_GET["id"];
              > } else {
              >     echo "no id.";
              >     exit;
              > }
              >
              > That way you are sure $movie_id is actually an integer and no funny
              > SQL-injection string.
              > <snip>
              Yes, that would help protect it from SQL injection, but only if the
              'id' used is an integer.
              I am not going to assume what the ID is. But with your forward thinking
              of protecting it from that, maybe run it through
              mysql_real_escape_string or another form of cleaning.

              Scotty


              • Jerry Stuckle

                #8
                Re: ********Caution Newbie********editing and deleting from mysqldatabase

                FutureShock wrote:
                > Yes, that would help protect it from SQL injection, but only if the
                > 'id' used is an integer.
                > I am not going to assume what the ID is. But with your forward thinking
                > of protecting it from that, maybe run it through
                > mysql_real_escape_string or another form of cleaning.
                >
                > Scotty
                You should only run strings through mysql_real_escape_string().
                Integers should use (int), as Erwin said.

                You should ALWAYS know the types of the columns you're dealing with - and
                adjust your code accordingly.

                --
                ==================
                Remove the "x" from my email address
                Jerry Stuckle
                JDS Computer Training Corp.
                jstucklex@attglobal.net
                ==================
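As an added example (not code from the thread or from any of its posters), here is one delete/update handler for the moviesite table that puts the three pieces of advice in this thread into a single script: take the id from $_GET as FutureShock showed, accept nothing but an integer as Erwin said, and bind each value by its column type as Jerry said, using mysqli prepared statements in place of the thread's mysql_* calls. It assumes auth.php provides a mysqli connection in $link, that movie_id is an integer primary key and movie_name a VARCHAR(255); the function names are hypothetical.

```php
<?php
// Added example, not code from the thread or from any of its posters.
// Assumptions: auth.php sets $link to a mysqli connection (the thread's
// auth.php uses the old mysql_* extension; mysqli prepared statements are
// swapped in here), and moviesite has an integer primary key movie_id and a
// VARCHAR(255) column movie_name. All function names are hypothetical.
declare(strict_types=1);

// Read the id that show.php put into the link (?action=...&id=N).
// Erwin's point taken one step further: instead of (int) quietly turning
// "5 OR 1=1" into 5 and "" into 0, reject anything that is not a whole
// positive number and signal that with null.
function readMovieId(array $get): ?int
{
    if (!isset($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Read the action the same way: only a known string is accepted.
// (The original compares against the bare word delete, which old PHP
// treated as the string 'delete'; a quoted string is what was meant.)
function readAction(array $request): ?string
{
    $action = $request['action'] ?? '';
    return in_array($action, ['delete', 'edit'], true) ? $action : null;
}

// DELETE one row, selected by primary key through a bound parameter.
// Returns the number of rows removed: 0 means "no such id", and because the
// WHERE clause is always present and the value is always an integer bound
// to a primary key, the result is never more than 1.
function deleteMovie(mysqli $link, int $movieId): int
{
    $stmt = $link->prepare("DELETE FROM moviesite WHERE movie_id = ?");
    $stmt->bind_param('i', $movieId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// UPDATE, Jerry's point in code: the integer column is bound as 'i', the
// string column as 's'. No quoting or escaping is assembled by hand, so a
// name such as "O'Brien's Revenge" is stored as-is and cannot change the
// statement. Note that MySQL reports 0 affected rows when the new name
// equals the old one, so 0 here does not necessarily mean "no such id".
function renameMovie(mysqli $link, int $movieId, string $newName): int
{
    $newName = trim($newName);
    if ($newName === '' || strlen($newName) > 255) {   // assumed column width
        throw new InvalidArgumentException('movie_name must be 1..255 bytes');
    }
    $stmt = $link->prepare("UPDATE moviesite SET movie_name = ? WHERE movie_id = ?");
    $stmt->bind_param('si', $newName, $movieId);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Dispatcher; only runs when requested through a web server, so the
// functions above can be included elsewhere (or unit-tested) without a DB.
if (PHP_SAPI !== 'cli') {
    // Make mysqli throw on any error instead of returning false, so a failed
    // prepare() cannot be ignored and fall through silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    include "auth.php"; // assumed to set $link = new mysqli(...)

    $action  = readAction($_REQUEST);
    $movieId = readMovieId($_GET);
    if ($action === null || $movieId === null) {
        http_response_code(400);
        exit("Missing or invalid action/id.");
    }
    if ($action === 'delete') {
        $n = deleteMovie($link, $movieId);
    } else {
        // 'edit': the new name arrives via POST from the edit form.
        $n = renameMovie($link, $movieId, (string)($_POST['movie_name'] ?? ''));
    }
    echo "Rows affected: $n";
}
?>
<a href="show.php">Movie</a>
```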


                • FutureShock

                  #9
                  Re: ********Caution Newbie********editing and deleting from mysqldatabase

                  Jerry Stuckle wrote:
                  FutureShock wrote:
                  >Erwin Moller wrote:
                  >>FutureShock schreef:
                  >>>Baldaris wrote:
                  >>>>Show.php--This is for showing movie names available in database
                  >>>>>
                  >>>><?php
                  >>>>include "auth.php";
                  >>>>$query="SEL ECT movie_id,movie_ name FROM moviesite";
                  >>>>$result=mys ql_query($query ,$link) or die("Can't execute
                  >>>>query" .mysql_error()) ;
                  >>>>while($row= mysql_fetch_arr ay($result))
                  >>>> {
                  >>>>$movie_id=$ row['movie_id'];
                  >>>>$movie_name =$row['movie_name'];
                  >>>>echo $movie_id;
                  >>>>echo $movie_name;
                  >>>>?>
                  >>>><a href="update.ph p?action=edit&i d=<?php echo $movie_id; ?>
                  >>>>">[UPDATE]</a ---I am not sure... What can i do to update and
                  >>>>delete record's from database -- User chooses which record to update
                  >>>>and delete
                  >>>><a href="delete.ph p?action=delete &id=<?php echo $movie_id; ?>
                  >>>>">[DELETE]</a>
                  >>>><?php
                  >>>>echo " <br/" ;
                  >>>>}
                  >>>>>
                  >>>>?>
                  >>>><a href="add.php">[ADD]</a>
                  >>>>>
                  >>>>>
                  >>>>Add.php ---This is for adding movie names
                  >>>><?php
                  >>>>include "auth.php";
                  >>>>>
                  >>>>$id=$_POS T['movie_id'];
                  >>>>$movie_name =$_POST['movie_name'];
                  >>>>>
                  >>>>>
                  >>>>$query="INS ERT INTO moviesite (movie_id , movie_name) VALUES (' $id
                  >>>>' , ' $movie_name' ) " ;
                  >>>>$sql=mysql_ query($query);
                  >>>>if (!$sql)
                  >>>>{
                  >>>> die("Can not execute querey" .mysql_error()) ;
                  >>>>}
                  >>>>>
                  >>>>echo "Added to the database";
                  >>>>mysql_close ($link);
                  >>>>?>
                  >>>><a href="show.php" >Index</a>
                  >>>>>
                  >>>>Now this is the script which i am struggling with delete and update.
                  >>>>Now as far as i can understand i have to pass Movie_id to the
                  >>>>delete.ph p page and then use this variable to delete it..
                  >>>>But with this script when i execute it my entire list get's deleted.
                  >>>>>
                  >>>><?php
                  >>>>include "auth.php";
                  >>>>>
                  >>>>if($_REQUES T['action']==delete)
                  >>>>{
                  >>>>$query="DEL ETE FROM moviesite where movie_id=' $movie_id ' LIMIT 1";
                  >>>>$sql=mysql_ query($query) or die("Can not delete" .mysql_error()) ;
                  >>>>}
                  >>>>>
                  >>>>>
                  >>>>?>
                  >>>><a href="show.php" >Movie</a>
                  >>>>>
                  >>>>let me know what i am doing wrong ...and what exact querey will be
                  >>>>like..Atlea st the concept.
                  >>>>Thank's and advance.
                  >>>>Baldaris
                  >>>>>
                  >>>>>
                  >>>>>
                  >>>>>
                  >>>>>
                  >>>>
                  >>>First of all validate the data in your Database. Ensure that
                  >>>'movie_id' is in fact a unique value.
                  >>>>
                  >>>Secondly where are you getting the $movie_id value from for your query?
                  >>>>
                  >>>>
                  >>> From the link it looks like you are setting the 'movie_id' into 'id':
                  >>>>
                  >>><a href="delete.ph p?action=delete &id=<?php echo $movie_id; ?>
                  >>>">[DELETE]</a>
                  >>>>
                  >>>What you need to do then is retrieve that id from the $_GET variable
                  >>>set by the link:
                  >>>>
                  >>>$movie_id = $_GET['id'];
                  >>>>
                  >>>Of better way would be:
                  >>>
                  >>Better would be:
                  >>$movie_id = 0;
                  >>>
                  >>if (isset($_GET["id"])){
                  >> $movie_id = (int)$_GET["id"];
                  >>} else {
                  >> echo "no id.";
                  >> exit;
                  >>}
                  >>>
                  >>That way you are sure $movie_id is actually an integer and no funny
                  >>SQL-injection string.
                  >>>
                  >>I prefer this because it is shorter:
                  >>$movie_id = (isset($_GET["id"]) ? (int)$_GET["id"] : -1);
                  >>And assume -1 means 'invalid'.
                  >>>
                  >>Regards,
                  >>Erwin Moller
                  >>>
>>>if(isset($_GET['id'])) {
                  >>> if($_GET['id'] != '') {
                  >>> $movie_id = $_GET['id'];
                  >>> } else {
                  >>> echo "No value for movie_id.";
                  >>> exit; //Or better laid out error checking scheme
                  >>> }
                  >>>}
                  >>>>
                  >>>Good luck
                  >>>Scotty
                  >>>>
                  >>>
                  >>>
>Yes that would help protect it from sql injection but only if the
>'id' used is an integer.
>I am not going to assume what the ID is. But with your forward
>thinking of protecting it from that, maybe run it through the
>mysql_real_escape_string or another form of cleaning.
                  >>
                  >Scotty
                  >>
                  >
You should only run strings through mysql_real_escape_string(). Integers
should use (int), as Erwin said.
                  >
                  You should ALWAYS know the types of columns you're dealing with - and
                  adjust your code accordingly.
                  >
Yes Jerry, I agree the coder should know what they are dealing with, but
since I was not the coder and was going off the code sent I stated that
the int function would only work if the id 'was' an int. I suppose to
satisfy your critical eye I should have said "If your id is a string, send
it through mysql_real_escape_string".

                  So if you did run an int through the mysql_real... function, what would
                  be the output? Would it try to convert it to a string before checking
                  it, or pass it through?

                  Scotty

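A hardened delete.php, added here as an example; it is not Baldaris's script and not code posted by Erwin, Scotty or Jerry. It assumes auth.php creates a mysqli connection as $link and starts the session (the original used the old mysql extension, which no longer exists in current PHP), that moviesite.movie_id is an integer column, and that show.php renders the DELETE action as a POST form with fields action, id and token matching a session key csrf_token; those field and key names are assumptions. It combines Erwin's (int) validation, made strict with filter_var, with a prepared statement so the id is never spliced into the SQL text.

```php
<?php
// delete.php, rewritten as an added example (not the original poster's code
// and not code from any reply in this thread).
// Assumptions: auth.php creates $link as a mysqli connection and starts the
// session; `moviesite.movie_id` is an integer column; show.php submits the
// delete as a POST form with fields action=delete, id=<movie_id> and
// token=<$_SESSION['csrf_token']> (field and session key names are assumed).
declare(strict_types=1);

include "auth.php";

/**
 * Erwin's (int) check made strict: FILTER_VALIDATE_INT accepts only a
 * well-formed integer string, so "7abc" or "7 OR 1=1" is rejected instead of
 * being silently truncated to 7 by a bare (int) cast.
 */
function validated_movie_id(array $request): ?int
{
    if (!isset($request['id'])) {
        return null;
    }
    $id = filter_var(
        $request['id'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// A delete must be an explicit POST. A GET link such as
// delete.php?action=delete&id=3 is followed by crawlers, browser prefetching
// and link-preview bots, any of which will empty the table without a click.
// The comparison is against the quoted string 'delete'; the original
// `$_REQUEST['action']==delete` compared against an undefined constant.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || ($_POST['action'] ?? '') !== 'delete') {
    http_response_code(405);
    exit('Deletes must be submitted with POST.');
}

// Reject requests that did not originate from our own form (session token).
if (!isset($_SESSION['csrf_token'], $_POST['token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['token'])) {
    http_response_code(403);
    exit('Invalid request token.');
}

$movie_id = validated_movie_id($_POST);
if ($movie_id === null) {
    http_response_code(400);
    exit('No valid movie id supplied.');
}

// Prepared statement: the id travels as a bound integer parameter and is
// never interpolated into the SQL text, so quoting and escaping do not arise.
$stmt = $link->prepare('DELETE FROM moviesite WHERE movie_id = ? LIMIT 1');
if ($stmt === false) {
    http_response_code(500);
    exit('Could not prepare delete: ' . htmlspecialchars($link->error));
}
$stmt->bind_param('i', $movie_id);
$stmt->execute();
printf('Deleted %d row(s).', $stmt->affected_rows);
$stmt->close();
?>
<a href="show.php">Movie</a>
```

With this layout the [DELETE] link in show.php becomes a small form whose submit button posts the id and the token; a bookmarked or crawled URL can no longer trigger the delete, and a malformed id is refused before any query is built.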

                  • Jerry Stuckle

                    #10
Re: ********Caution Newbie********editing and deleting from mysql database

                    FutureShock wrote:
                    Jerry Stuckle wrote:
>You should only run strings through mysql_real_escape_string().
>Integers should use (int), as Erwin said.
>>
>You should ALWAYS know the types of columns you're dealing with - and
>adjust your code accordingly.
>>
Yes Jerry, I agree the coder should know what they are dealing with, but
since I was not the coder and was going off the code sent I stated that
the int function would only work if the id 'was' an int. I suppose to
satisfy your critical eye I should have said "If your id is a string, send
it through mysql_real_escape_string".
                    >
                    So if you did run an int through the mysql_real... function, what would
                    be the output? Would it try to convert it to a string before checking
                    it, or pass it through?
                    >
                    Scotty
                    >
                    Scotty,

                    OK, just wanted to clarify that for those who do not know.

As for passing an int through mysql_real_escape_string() - since PHP is
                    effectively typeless in things like this, you'll just get the int itself
                    back. It shouldn't hurt anything, other than the extra overhead, but it
                    won't do anything to help, either.


                    --
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================


                    • Curtis

                      #11
Re: ********Caution Newbie********editing and deleting from mysql database

                      Jerry Stuckle wrote:
                      FutureShock wrote:
                      >Jerry Stuckle wrote:
>>You should only run strings through mysql_real_escape_string().
>>Integers should use (int), as Erwin said.
                      >>>
                      >>You should ALWAYS know the types of columns you're dealing with - and
                      >>adjust your code accordingly.
                      >>>
>Yes Jerry, I agree the coder should know what they are dealing with,
>but since I was not the coder and was going off the code sent I stated
>that the int function would only work if the id 'was' an int. I
>suppose to satisfy your critical eye I should have said "If your id is a
>string, send it through mysql_real_escape_string".
                      >>
                      >So if you did run an int through the mysql_real... function, what
                      >would be the output? Would it try to convert it to a string before
                      >checking it, or pass it through?
                      >>
                      >Scotty
                      >>
                      >
                      Scotty,
                      >
                      OK, just wanted to clarify that for those who do not know.
                      >
As for passing an int through mysql_real_escape_string() - since PHP is
                      effectively typeless in things like this, you'll just get the int itself
                      back. It shouldn't hurt anything, other than the extra overhead, but it
                      won't do anything to help, either.
                      >
                      >
PHP will return the int with a type of string, when calling
mysql_real_escape_string()/mysql_escape_string(). The difference in
type here isn't usually important for PHP, but it can be an issue for
how the actual query is executed.

The problem is that mysql_real_escape_string() doesn't provide any
additional security when the query doesn't encapsulate the int/float
in quotes. It's still possible for a malicious user to inject SQL.
Thus, intval(), floatval(), etc., is necessary.

I like to use sprintf if prepared statements aren't available (mysql
extension). The string specifiers would correspond to arguments which
have been escaped with mysql_real_escape_string().

                      --
                      Curtis

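The two points Curtis makes, that escaping does nothing for a number that is not wrapped in quotes and that sprintf with %d/%s is the fallback when prepared statements are unavailable, as an added example that is not Curtis's code or anything else posted in this thread. It needs no database: escape_for_mysql() is a stand-in that applies the same character substitutions mysql_real_escape_string() performs, without the connection or charset handling of the real function, so the built statements can be inspected directly. The tampered id is a constructed sample.

```php
<?php
// Added example (not code from this thread). Demonstrates why escaping does
// not protect an unquoted number and the sprintf pattern Curtis describes.
declare(strict_types=1);

/**
 * Stand-in for mysql_real_escape_string(): same substitutions, no connection.
 * Real code should use the driver's escape function or, better, bound
 * parameters; this exists only so the example runs offline.
 */
function escape_for_mysql(string $value): string
{
    return strtr($value, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\Z',
    ]);
}

/**
 * The weak form: the id is escaped but not quoted. Escaping only touches
 * quote and control characters, so "7 OR 1=1" passes through untouched and
 * the WHERE clause changes shape. Note the escaped value is a string even
 * for "7", which is the type point Curtis raises.
 */
function unsafe_delete_sql(string $rawId): string
{
    $escaped = escape_for_mysql($rawId);
    return "DELETE FROM moviesite WHERE movie_id = $escaped LIMIT 1";
}

/**
 * Curtis's pattern for integers: %d with an explicit integer cast, so
 * whatever arrived in the request becomes a plain number before it is
 * placed in the statement.
 */
function safe_delete_sql(string $rawId): string
{
    return sprintf('DELETE FROM moviesite WHERE movie_id = %d LIMIT 1', (int) $rawId);
}

/**
 * Curtis's pattern for strings: %s is used only for a value that has been
 * escaped AND is wrapped in quotes in the format string; the integer column
 * still goes through %d.
 */
function safe_insert_sql(string $rawId, string $rawName): string
{
    return sprintf(
        "INSERT INTO moviesite (movie_id, movie_name) VALUES (%d, '%s')",
        (int) $rawId,
        escape_for_mysql($rawName)
    );
}

// Constructed sample inputs: a tampered id and a title containing a quote.
$tampered = "7 OR 1=1";
echo unsafe_delete_sql($tampered), "\n";
echo safe_delete_sql($tampered), "\n";
echo safe_insert_sql("12", "Ocean's Eleven"), "\n";
echo gettype(escape_for_mysql("7")), "\n";
```

Running it shows the weak builder keeping the OR clause in the DELETE, while the %d builder reduces the same input to movie_id = 7; the INSERT comes out with the apostrophe in the title escaped inside its quotes, and the last line shows the escaped "7" is a string, as Curtis says.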

                      • Peter H. Coffin

                        #12
Re: ********Caution Newbie********editing and deleting from mysql database

                        On Mon, 20 Oct 2008 04:33:06 -0700 (PDT), Baldaris wrote:
let me know what I am doing wrong ...and what exact query will be
like..At least the concept.
Thanks in advance.
Baldaris
Now that a lot of the usual arguing has died down, I *think* your actual
problem is that you're trying to fuss with the ids with a mix of leading
and trailing spaces in ways that inconsistently have those leading and
trailing spaces matter. That is,

                        $sql = "INSERT ... VALUES(' $movie_id ', ...";

                        will create different records than

$sql = "INSERT ... VALUES('$movie_id', ...";

and you probably want to use the latter consistently and clean up your
data. Especially when you later use movie_id to create a URL that
becomes "...?movie_id=%20FOO%20", gets fed into

                        $movie_id = $_GET['movie_id'];
                        $sql = "UPDATE ... WHERE movie_id = ' $movie_id '";

                        because now that query's looking for a movie_id ' FOO ', when what's in
                        the table is ' FOO '.

                        --
                        "Doesn't everybody?" is a question that never expects an answer of "No."


                        • Geoff Berrow

                          #13
Re: ********Caution Newbie********editing and deleting from mysql database

Message-ID: <slrngg6pbj.s2v.hellsop@abyss.ninehells.com> from Peter H.
Coffin contained the following:
>Now that a lot of the usual arguing has died down, I *think* your actual
>problem is that you're trying to fuss with the ids with a mix of leading
>and trailing spaces in ways that inconsistently have those leading and
>trailing spaces matter.

                          Nope, his real problem is that his database stands a good chance of
                          being deleted if he passes ids by URL.
                          --
Geoff Berrow 0110001001101100010000000110
001101101011011001000110111101100111001011
100110001101101111001011100111010101101011
                          http://slipperyhill.co.uk - http://4theweb.co.uk


                          • FutureShock

                            #14
Re: ********Caution Newbie********editing and deleting from mysql database

                            Peter H. Coffin wrote:
                            On Mon, 20 Oct 2008 04:33:06 -0700 (PDT), Baldaris wrote:
>let me know what I am doing wrong ...and what exact query will be
>like..At least the concept.
>Thanks in advance.
>Baldaris
>
Now that a lot of the usual arguing has died down, I *think* your actual
problem is that you're trying to fuss with the ids with a mix of leading
and trailing spaces in ways that inconsistently have those leading and
trailing spaces matter. That is,
                            >
                            $sql = "INSERT ... VALUES(' $movie_id ', ...";
                            >
                            will create different records than
                            >
$sql = "INSERT ... VALUES('$movie_id', ...";
>
and you probably want to use the latter consistently and clean up your
data. Especially when you later use movie_id to create a URL that
becomes "...?movie_id=%20FOO%20", gets fed into
                            >
                            $movie_id = $_GET['movie_id'];
                            $sql = "UPDATE ... WHERE movie_id = ' $movie_id '";
                            >
                            because now that query's looking for a movie_id ' FOO ', when what's in
                            the table is ' FOO '.
                            >
                            Actually the thread itself died due to lack of interaction with the OP.

                            And we NEVER 'argue' here in this NG...... hehe

                            Scotty

