Is This Right $Act==Del?


9 replies to this topic

#1 lovephp
    Advanced Member
  • Members
  • 234 posts

Posted 17 November 2012 - 10:36 AM

Guys, I'm trying to add an action to delete the whole table if needed, else delete the row according to id.


i added

if($act==del){
mysql_query("DROP TABLE survey") or die(mysql_error());
}

This should execute only if I make the URL like del.php?act=del; otherwise only the DELETE FROM survey WHERE id = '$id' should work. Tell me if it's the right way.


<?php
$id = $_REQUEST['id'];
$user = $login->username;
if($user == 'administrator'){
    // sending query
    mysql_query("DELETE FROM survey WHERE id = '$id'")
    or die(mysql_error());
    header("Location: status.php");
}else{
    header("Location: logout.php");
}
if($act==del){
    mysql_query("DROP TABLE survey") or die(mysql_error());
}
?>


#2 AyKay47
    Sick!
  • Members
  • 3,287 posts
  • Location: East Coast, U.S.
  • Age: 24

Posted 17 November 2012 - 10:52 AM

1. Check that $_REQUEST['id'] is set and is an integer before using it, right now your code is open to SQL injection.

2. Where is $act coming from?

3. Without the value wrapped in quotes, del is assumed to be a constant, not a string.
Hola!
I'm not going to hold your hand and write the code for you - ain't nobody got time for that!

#3 Pikachu2000
    I hate everything.
  • Staff Alumni
  • 11,378 posts
  • Location: Future Independent Republic of Texas
  • Age: 106

Posted 17 November 2012 - 10:54 AM

Why do you need to dynamically drop a table?
"Java" is to "Javascript" about the same as "fun" is to "funeral".

Why $_SERVER['PHP_SELF'] is bad. || Why ORDER BY RAND() is bad || Every problem can be solved with rm -rf *

#4 PFMaBiSmAd
    Advanced Member
  • Staff Alumni
  • 16,767 posts
  • Location: Colorado, U.S.A.

Posted 17 November 2012 - 10:59 AM

^^^ Especially since your user level check code lets the rest of the code on your page run and anyone could drop the table.
Signature: (not a comment about anything you posted unless specifically indicated)
Debugging step #1: To get past the garbage-out equals garbage-in stage in your code, you must check that the inputs to your code are what you expect.

Programming is just problem solving, but it is done in another language. You must learn enough of the programming language you are using to be able to read and write code.
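The hardening the replies above ask for, as an added example that is not code from the thread: validate the id as an integer before it reaches SQL (#2), stop the script after the redirect so the admin check actually gates everything below it (#4), and compare $act against a quoted string (#2). It swaps the deprecated mysql_* functions for mysqli prepared statements. `$db` (an already-open mysqli connection) is an assumption; `$login->username` and the `survey` table with an `id` column come from the original post.

```php
<?php
// Added example, not from the original post. Assumes:
//   - $login is the page's session object with ->username (as in the post)
//   - $db is an open mysqli connection (assumption)
//   - table `survey` has an integer primary key `id` (from the post)
declare(strict_types=1);

// 1. Authorise first, and stop the script when the check fails.
//    header() alone does not end execution; without exit, everything
//    below this block (including the DROP) would still run for any user.
if (!isset($login) || $login->username !== 'administrator') {
    header('Location: logout.php');
    exit;
}

// 2. Read the id from the query string only ($_REQUEST also accepts
//    POST and cookie values) and require a positive integer. Anything
//    else is rejected before it goes anywhere near a query.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid id');
}

// 3. Bind the value with a prepared statement instead of interpolating
//    it into the SQL string; this closes the injection the replies point out.
$stmt = $db->prepare('DELETE FROM survey WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->close();

// 4. The optional table drop: 'del' is a quoted string compared strictly,
//    and this code is only reachable because non-administrators exited above.
//    Dropping a table from a web request is still a bad idea (see the replies);
//    at minimum do not let a plain GET link trigger it.
$act = $_GET['act'] ?? '';
if ($act === 'del' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $db->query('DROP TABLE survey');
}

header('Location: status.php');
exit;
```

filter_input returns null when the parameter is absent and false when it is present but not a valid integer, so both cases are rejected. The exit after each header() call is what makes the administrator check cover the whole page rather than only the DELETE branch.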

#5 lovephp
    Advanced Member
  • Members
  • 234 posts

Posted 17 November 2012 - 11:03 AM

I'm trying to make it possible for me to drop the whole table if needed without being user=administrator, but it does not seem to work :P and the $act=del I want to add manually in the URL.

#6 Pikachu2000
    I hate everything.
  • Staff Alumni
  • 11,378 posts
  • Location: Future Independent Republic of Texas
  • Age: 106

Posted 17 November 2012 - 11:07 AM

If you need to drop tables dynamically, chances are your database structure is wrong. Even so, trying to allow it without being logged in as administrator is dangerous.

#7 lovephp
    Advanced Member
  • Members
  • 234 posts

Posted 17 November 2012 - 11:17 AM

Yes, you are right, I'd better drop this idea. Thanks all.

#8 PFMaBiSmAd
    Advanced Member
  • Staff Alumni
  • 16,767 posts
  • Location: Colorado, U.S.A.

Posted 17 November 2012 - 11:31 AM

lol, drop this idea, very punny. :geek:

#9 AyKay47
    Sick!
  • Members
  • 3,287 posts
  • Location: East Coast, U.S.
  • Age: 24

Posted 17 November 2012 - 02:42 PM

Please mark this as solved.

#10 lovephp
    Advanced Member
  • Members
  • 234 posts

Posted 17 November 2012 - 02:57 PM

Done.