Novahq.net Forum > Computers > Web design and Programming
#1  Posted 11-04-2010, 10:10 AM
.Simon.

Join Date: Nov 2003
Location: Wales
Posts: 4,801

SQL Query causing blank page

I've just got a basic query to delete the fields for a certain user, determined by a dropdown form on a previous page. I've tested the $_POST['Username'] with an echo and that is working fine, but as soon as I add the query it all goes blank, no error message or anything. Here's the source:

PHP Code:
<?php
// MySQL Connection Info
$server   = "localhost";   // Server Name
$username = "#";           // MySQL Username
$password = "#";           // MySQL Password
$dbname   = "w#";          // Database Name

// MySQL Connect String
$con = mysql_connect($server, $username, $password);
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

// Select the database (test the function's return value, not the bare function name)
$db = mysql_select_db($dbname, $con);
if (!$db) {
    die('Could not select database: ' . mysql_error());
}

$deleteuser = $_POST['Username'];

echo 'Hello ' . $deleteuser;

// $deleteuser is concatenated straight into the SQL string, unescaped
$eraseuser = mysql_query("DELETE FROM users WHERE Username = '" . $deleteuser . "'");
if (!$eraseuser) {
    die('Delete unsuccessful: ' . mysql_error())   // no ';' after die(): parse error, hence the blank page
};
?>

PS: If you spot any bad coding I can rectify please let me know, just starting to learn this stuff ;P
#2  Posted 11-04-2010, 02:04 PM
.Simon.

Join Date: Nov 2003
Location: Wales
Posts: 4,801

Never mind xD Just realised there is a semicolon after the curly bracket in the final error statement.

Epic Fail on me..
#3  Posted 11-04-2010, 05:41 PM
Scott (AKA Panther)

Join Date: Sep 2001
Location: Minneapolis, MN
Posts: 10,919

You haven't really sanitized your $deleteuser before you run it against the database. This could allow for an SQL injection attack. You should always sanitize data before you run it in a query. In your scenario, an attacker could inject % into $_POST['Username'] and delete every user in that database. You should also consider using "LIMIT 1" at the end of your delete statement if you are not deleting using a primary key (like UserID).

An example would be:
PHP Code:
$eraseuser = mysql_query("DELETE FROM users WHERE Username = '" . mysql_real_escape_string($deleteuser) . "' LIMIT 1");
Also, it would be wise to build a database that works off a primary key that does not include things like usernames, unless there can be no special characters. The reason for that is if you ever decide to switch charsets you will run into many problems as not all charsets encode special characters in the same way.

Also, check out my mysql class:
http://phphq.net/codebits.php
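An added example (not the poster's script and not Scott's class) showing the same delete written with mysqli prepared statements and keyed on the primary key as Scott suggests. It assumes a `users` table with an integer primary key `UserID` and a `Username` column, a form field named "Username", and placeholder credentials in place of the thread's redacted "#" values.

```php
<?php
// Added example (not code from the thread): the poster's DELETE rewritten
// with mysqli prepared statements. The username is passed as a bound
// parameter, so it is never spliced into SQL text and needs no escaping.
// Assumes a `users` table with an integer primary key `UserID` and a
// `Username` column, and a form field named "Username".

function deleteUserByName(mysqli $con, string $username): int
{
    // Resolve the name to its primary key first, then delete by that key,
    // so the DELETE runs against a unique integer column.
    $lookup = $con->prepare('SELECT UserID FROM users WHERE Username = ? LIMIT 1');
    $lookup->bind_param('s', $username);   // 's' = string parameter
    $lookup->execute();
    $lookup->bind_result($userId);
    $found = $lookup->fetch();
    $lookup->close();
    if (!$found) {
        return 0;   // unknown user: nothing to delete
    }

    $delete = $con->prepare('DELETE FROM users WHERE UserID = ? LIMIT 1');
    $delete->bind_param('i', $userId);     // 'i' = integer parameter
    $delete->execute();
    $rows = $delete->affected_rows;
    $delete->close();
    return $rows;   // 1 on success, 0 if the row vanished in between
}

// Make mysqli throw exceptions instead of failing silently, so a broken
// query produces a visible error rather than a blank page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials; substitute your own (the thread redacts them as "#").
$con = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$con->set_charset('utf8mb4');   // pin the connection charset explicitly

// Only act on a POST and refuse an empty or oversized name.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { exit('Use the form to submit a username.'); }
$name = trim($_POST['Username'] ?? '');
if ($name === '' || strlen($name) > 64) {
    exit('Invalid username.');
}

$deleted = deleteUserByName($con, $name);
// Escape the echoed name: it is user-controlled page output.
echo 'Deleted ' . $deleted . ' row(s) for ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

The mysql_* functions used in the thread were deprecated in PHP 5.5 and removed in PHP 7.0, so new code has to use mysqli or PDO in any case.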
#4  Posted 11-05-2010, 05:20 AM
.Simon.

Join Date: Nov 2003
Location: Wales
Posts: 4,801

Yeah, I saw something about sanitising the code, so I'll look into that. Thanks for the limit, I'll take a look at your page when I get some time later.