
RRT

Everything posted by RRT

  1. I am looking for help trying to select multiple checkboxes to delete entries from a DB via a php web page. I know the SQL syntax on *how* to delete a row of data within a SQL database, just not how to create a php array where I can do multiple delete commands at once. For example, if I have a PostgreSQL database with the following rows:

         database1=# SELECT * FROM table1;
         cid | home_location       | asking_price
         ----+---------------------+-----------------
         1     123 Main Street       200000
         2     345 First Ave         210000
         3     456 Frontage Rd       199900
         4     678 5th Street        205000
         5     1001 Elm Street       225000

     I would like to display the results of this SELECT ALL query onto a php web page with checkboxes next to each row, giving me the ability to check multiple rows and then delete them from the database. The php code to display the selections looks something like this:

         <?php
         // Connecting to the database server
         $dbconnect = pg_connect("host=aaa.bbb.ccc.ddd dbname=database1 user=user1 password=password1")
             or die("Could not connect: " . pg_last_error());

         //Performing the SQL query
         $removequery = sprintf("DELETE FROM table1 WHERE CID="?");

     How would you suggest that I put all the desired queries together to be able to delete various ones at the same time? I assume that I need to create some sort of array and then be able to delete them all at once, just not sure of how to go about coding that to work.
  2. That did it! THANKS!!! I had to use "pg_escape_string" instead of "mysql_real_escape_string" since I am using postgres, but other than that it's similar. Besides string data, do they make escape methods for other types of data, such as integers, floats, etc? Maybe those types aren't susceptible to exploit? That would make sense to me, as commands aren't numbers but strings of words.
  3. Thanks for the info about the SQL injection, I will take that into account. So you are suggesting that I change my code to something like this, right?:

         =======================
         $query = sprintf("INSERT INTO inventory VALUES ('%s','%s','%s','%s', '%s','%s','%s','%s','%s','%s')",
             mysql_real_escape_string($CID),
             mysql_real_escape_string($ImageFile),
             mysql_real_escape_string($ItemTitle),
             mysql_real_escape_string($ItemNo),
             mysql_real_escape_string($Barcode),
             mysql_real_escape_string($Description),
             mysql_real_escape_string($Dept),
             mysql_real_escape_string($Price),
             mysql_real_escape_string($Quantity),
             mysql_real_escape_string($Shipping));
         mysql_query($query);
         =======================
  4. I can't do an INSERT via a web query. Can you look at my syntax and see if I have a typo below?:

         -------------------------------------
         <?php
         $CID = $_POST['CID'];
         $ImageFile = $_POST['ImageFile'];
         $ItemTitle = $_POST['ItemTitle'];
         $ItemNo = $_POST['ItemNo'];
         $Barcode = $_POST['Barcode'];
         $Description = $_POST['Description'];
         $Dept = $_POST['Dept'];
         $Price = $_POST['Price'];
         $Quantity = $_POST['Quantity'];
         $Shipping = $_POST['Shipping'];
         .
         .
         .
         $query = 'INSERT INTO inventory (cid, image_pic, item_title, item_no, barcode, description, dept, price, quantity, ship_rate) VALUES ('$CID','$ImageFile','$ItemTitle','$ItemNo', '$Barcode','$Description','$Dept','$Price','$Quantity','$Shipping')';
         -------------------------------------

     This is what I get back when I try to submit the query (Line 20 is the query line posted above.):

         Parse error: syntax error, unexpected T_VARIABLE in /perform_insert.php on line 20
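
For the multi-row delete asked about in the first post, the following is an added example, not code from any of the posts above. It validates the posted checkbox values as integers and passes them to PostgreSQL as one bound parameter, so no user input is pasted into the SQL text. The function names, the `cid[]` form field name and the `PG_DSN` environment variable are assumptions; `table1` and `cid` come from the first post.

```php
<?php
// Added example: clean_ids() and delete_rows() are hypothetical helpers.

/**
 * Keep only checkbox values that are plain positive integers.
 * Empty strings, values carrying SQL fragments and nested arrays are dropped.
 */
function clean_ids($posted): array
{
    $ids = [];
    foreach ((array) $posted as $value) {
        // ctype_digit() accepts only the characters 0-9; the length limit keeps
        // the value inside PostgreSQL's 32-bit integer range.
        if (is_string($value) && ctype_digit($value) && strlen($value) <= 9 && (int) $value > 0) {
            $ids[(int) $value] = true; // using the id as array key de-duplicates
        }
    }
    return array_keys($ids);
}

/**
 * Delete every selected row with a single parameterized statement.
 * The ids travel as bound parameter $1 and are never part of the SQL string.
 */
function delete_rows($db, array $ids): int
{
    if ($ids === []) {
        return 0; // nothing ticked: leave the table alone
    }
    $literal = '{' . implode(',', $ids) . '}'; // PostgreSQL array literal built from validated ints
    $result = pg_query_params($db, 'DELETE FROM table1 WHERE cid = ANY($1::int[])', [$literal]);
    if ($result === false) {
        throw new RuntimeException(pg_last_error($db));
    }
    return pg_affected_rows($result);
}

// Constructed sample of what <input type="checkbox" name="cid[]" value="..."> boxes post;
// in the page handler this would be $_POST['cid'] ?? [].
$posted = ['2', '4', '4', '5 OR 1=1', ''];
$ids = clean_ids($posted);
echo 'ids accepted for deletion: ', implode(',', $ids), "\n";

// Runs only when a connection string is supplied (assumed env var PG_DSN).
$dsn = getenv('PG_DSN');
if ($dsn !== false && ($db = pg_connect($dsn)) !== false) {
    echo delete_rows($db, $ids), " row(s) deleted\n";
}
```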