PHP/MySQL Code Help

Discussion in 'Web Design and Development' started by neex1233, Jun 3, 2009.

  1. neex1233 macrumors newbie

    Jun 3, 2009
    Here is my code:

    <?php $allow = array ('5');include ("/home/thenicow/public_html/m/protect.php"); ?>
    <title>Delete User</title>
    $username $_POST["username"];
    if (isset(
    $_POST['delete'])) { //if you hit delete then do the fallowing
    $sql mysql_query("DELETE FROM users SET username = '{$_POST['username']}'");
    or die (

    It is supposed to delete an entry from the table users, but it doesn't work. Here is the error I get:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1.

    And it seems weird, because there is no '1' in my script! Have you any idea what's wrong, because I don't! :confused: :confused: :confused: Thanks! ;)
  2. rowsdower macrumors 6502

    Jun 2, 2009
    $sql mysql_query("DELETE FROM users WHERE username='$username'");
    PHP does substitution before it sends the query to the MySQL library. Maybe $username contains 1? I don't know why that would be a syntax error anyway, but it's a place to start.

    By the way, your query is very dangerous. What happens if someone enters this as the username:

    myuser' OR 1=1
    Then the entire query becomes:

    DELETE FROM users WHERE username='myuser' OR 1=1
    which deletes everything from your users table. This is called an SQL injection attack. Here is a quick tutorial about that.
  3. neex1233 thread starter macrumors newbie

    Jun 3, 2009
    I'm doing the mysql escape thing right now on all of my scripts...

    Thanks for telling me! I'm kind of new at PHP.
  4. Coomkeen macrumors newbie

    Apr 21, 2008

Share This Page