
neex1233

macrumors newbie
Original poster
Jun 3, 2009
Here is my code:

PHP:
<?php $allow = array ('5');include ("/home/thenicow/public_html/m/protect.php"); ?>
<title>Delete User</title>
<?php
$con = mysql_connect("localhost","username","password");
mysql_select_db("database", $con);
$username = $_POST["username"];
if (isset($_POST['delete'])) { //if you hit delete then do the following
$sql = mysql_query("DELETE FROM users SET username = '{$_POST['username']}'");
mysql_query($sql)
or die (mysql_error());
}  
?>


It is supposed to delete an entry from the table users, but it doesn't work. Here is the error I get:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1.

And it seems weird, because there is no '1' in my script! Have you any idea what's wrong, because I don't! :confused: :confused: :confused: Thanks! ;)
 
PHP:
$sql = mysql_query("DELETE FROM users WHERE username='$username'");

PHP does substitution before it sends the query to the MySQL library. Maybe $username contains 1? I don't know why that would be a syntax error anyway, but it's a place to start.

By the way, your query is very dangerous. What happens if someone enters this as the username:

Code:
myuser' OR 1=1

Then the entire query becomes:

Code:
DELETE FROM users WHERE username='myuser' OR 1=1

which deletes everything from your users table. This is called an SQL injection attack. Here is a quick tutorial about that.
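
A parameterized version of the DELETE discussed above, as an added example that is not part of the original thread. It assumes PDO rather than the thread's `mysql_*` functions, and uses an in-memory SQLite database with constructed rows so it runs offline; `deleteUser` and `countUsers` are hypothetical helper names.

```php
<?php
// Added example: constructed data, in-memory SQLite so it runs offline.
// For the thread's setup the DSN would instead be a MySQL one, e.g.
// new PDO('mysql:host=localhost;dbname=database', 'username', 'password').
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$insert = $pdo->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['myuser', 'alice', 'bob'] as $name) {   // constructed sample rows
    $insert->execute([$name]);
}

/**
 * Hypothetical helper: delete one user by exact name.
 * The SQL text is fixed; the value travels separately as a bound parameter,
 * so quotes or keywords inside it are compared as data, never parsed as SQL.
 * Returns the number of rows deleted.
 */
function deleteUser(PDO $pdo, string $username): int
{
    $stmt = $pdo->prepare('DELETE FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);   // executed exactly once
    return $stmt->rowCount();
}

// Hypothetical helper: how many rows are left in the table.
function countUsers(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// The input quoted in the reply above: no user has this literal name,
// so the bound comparison matches nothing.
$deleted = deleteUser($pdo, "myuser' OR 1=1");
printf("payload: deleted %d, %d users remain\n", $deleted, countUsers($pdo));

// A legitimate request removes exactly one row.
$deleted = deleteUser($pdo, 'alice');
printf("alice: deleted %d, %d users remain\n", $deleted, countUsers($pdo));
```

In a form handler the second argument would be `$_POST['username']`, passed through unchanged with no manual escaping.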
 
I'm doing the mysql escape thing right now on all of my scripts...

Thanks for telling me! I'm kind of new at PHP.
 